Internet-Draft Mesh Protocol Reference October 2021
Hallam-Baker Expires 28 April 2022

Workgroup: Network Working Group
Internet-Draft: draft-hallambaker-mesh-protocol
Intended Status: Informational
Author: P. M. Hallam-Baker, ThresholdSecrets.com

Mathematical Mesh 3.0 Part V: Protocol Reference

Abstract

The Mathematical Mesh ('The Mesh') is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. The core protocols of the Mesh are described with examples of common use cases and reference data.

[Note to Readers]

Discussion of this draft takes place on the MATHMESH mailing list (mathmesh@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=mathmesh.

This document is also available online at http://mathmesh.com/Documents/draft-hallambaker-mesh-protocol.html.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 28 April 2022.

1. Introduction

This document describes the Mesh Service protocol supported by Mesh Services, an account-based protocol that facilitates exchange of data between devices connected to a Mesh profile and between Mesh accounts.

Mesh Service Accounts support the following services:

  • Provides the master persistence store for the Catalogs and Spools associated with the account.
  • Enables synchronization of Catalogs and Spools with connected devices.
  • Enforces access control on inbound Mesh Messages from other users and other Mesh Services.
  • Authenticates outbound Mesh Messages, certifying that they comply with abuse mitigation policies.

A Mesh Profile MAY be bound to multiple Mesh Service Accounts at the same time but only one Mesh Service Account is considered to be authoritative at a time. Users may add or remove Mesh Service Accounts and change the account designated as authoritative at any time.

The Mesh Services are built from a very small set of primitives which provide a surprisingly extensive set of capabilities. These primitives are:

Hello

Describes the features and options provided by the service and provides a 'null' transaction which MAY be used to establish an authentication ticket without performing any action.

CreateAccount, DeleteAccount

Manage the creation and deletion of accounts at the service.

Status, Download, Upload

Support synchronization of Mesh containers between the service (Master) and the connected devices (Replicas).

Connect

Initiate the process of connecting a device to a Mesh profile from the device itself.

Post

Request that a Mesh Message be transferred to one or more Mesh Accounts.

Although these functions could in principle be used to replace many if not most existing Internet application protocols, the principal value of any communication protocol lies in the size of the audience it allows its users to communicate with. Thus, while the Mesh Messaging service is designed to support efficient and reliable transfer of messages ranging in size from a few bytes to multiple terabytes, the near-term use of these services will be for applications that are not adequately supported by existing protocols, if at all.

2. Definitions

This section presents the related specifications and standards, the terms that are used as terms of art within the documents and the terms used as requirements language.

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2. Defined Terms

The terms of art used in this document are described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture].

2.4. Implementation Status

The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer].

3. Mesh Protocols

The Mesh specifies two separate types of protocol interactions:

Mesh Service Protocol

A synchronous protocol supporting interactions between devices and a Mesh Service Host and between Mesh Service hosts.

Mesh Messaging Protocol

An asynchronous protocol that supports interactions between devices connected to the same account and between accounts.

The Mesh Messaging Protocol uses the Mesh Service Protocol as transport. The Mesh Service Protocol in turn makes use of Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud] for framing and authentication of individual requests and responses. These RUD packets are in turn exchanged over either HTTPS (i.e. a Web Service) or directly over UDP.

[Figure 1: Protocol Layering]

Mesh Services MUST support the HTTPS binding and MAY support the UDP binding.

4. Mesh Service

A Mesh Service is a minimally trusted service. In particular a user does not need to trust a Mesh service to protect the confidentiality or integrity of most data stored in the account catalogs and spools.

Unless the use of the Mesh Service is highly restricted, a user does need to trust the Mesh Service in certain respects:

Data Loss

A service could refuse to respond to requests to download data.

Integrity (Stale Data)

The use of Merkle Trees limits but does not eliminate the ability of a Mesh Service to respond to requests with stale data.

Messaging

A service could reject requests to post messages to or accept messages from other mesh users.

This risk is a necessary consequence of the fact that the Mesh Service Provider is accountable to other Mesh Service Providers for abuse originating from their service.

Traffic analysis

A Mesh Service has knowledge of the number of Mesh Messages being sent and received by its users and the addresses to which they are sent and from which they are received.

The need to trust the Mesh Service in these respects is mitigated by accountability and the user's ability to change Mesh Service providers at any time they choose with minimal inconvenience.

It is possible that some of these risks will be reduced in future versions of the Mesh Service Protocol but it is highly unlikely that these can be eliminated entirely without compromising practicality or efficiency.

4.1. Data Model

The design of the Mesh Service model followed a quasi-formal approach in which the system was reduced to schemas which could in principle be rendered in a formal development method but without construction of proofs.

Like the contents of Mesh Accounts, a Mesh Service may be represented by a collection of catalogs and spools, for example:

Account Catalog

Contains the account entries.

Incident Spool

Reports of potential abuse.

Backup of the service MAY be implemented using the same container synchronization mechanism used to synchronize account catalogs and spools.

4.2. Partitioning

Mesh Services supporting a large number of accounts or large activity volume MAY partition the account catalog between one or more hosts using the usual tiered service model in which a front-end server receives traffic for any account hosted at the server and routes the request to the back-end service that provides the persistence store for that account.

In addition, the Mesh Service Protocol supports a 'direct connection' partitioning model in which devices are given a DNS name which MAY allow for direct connection to the persistence host or to a front-end service offering service that is in some way specific to that account.

5. Protocol Bindings

The protocol binding maps the abstract protocol definition specified in this document to the network protocol format.

  • Discovery of network services.
  • Construction of the payload data by serializing request and response messages.
  • Authentication of the payload data.
  • Confidentiality controls to protect against traffic analysis.

Currently only one protocol binding is specified: JSON-BCD Application Binding [draft-hallambaker-jsonbcd] over Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud].

JSON-BCD Application Binding specifies the means by which data types such as 'integer' and 'datetime' etc. given in this document are serialized using JSON/JSON-B encoding.

Reliable User Datagram offers a presentation layer over a choice of HTTP or UDP transport.

6. Mesh Service Operations

The Mesh Service operations are divided into the following functional groups:

Service Description

Describes the service.

Account Management

Operations used to create, reclaim, and delete accounts.

Persistence Store Management

Operations used to synchronize persistence store data across connected devices. [May be replaced in a future revision]

Device Connection

Operations used by devices requesting connection to the account.

Publication

Operations allowing a watched document to be posted to the service and claims made on the document returned to a device.

Cryptographic

Cryptographic operations, including threshold operations performed by the service.

Messaging

Exchange of messages between Mesh Services.

6.1. Service Description

The Hello transaction is used to determine the features supported by the service and obtain the service profile.

The request payload only specifies that it is a request for the service description:

{
  "HelloRequest":{}}

The response payload describes the service and the host providing that service:

{
  "MeshHelloResponse":{
    "Status":201,
    "Version":{
      "Major":3,
      "Minor":0,
      "Encodings":[{
          "ID":["application/json"
            ]}
        ]},
    "EnvelopedProfileService":[{
        "EnvelopeId":"MD36-Q4SC-S4YZ-KPRP-7W4P-SNR7-QMD2",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRDM2LVE0U0MtUz
  RZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVNlcnZpY2UiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAg
  IkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0M1oifQ"},
      "ewogICJQcm9maWxlU2VydmljZSI6IHsKICAgICJQcm9maWxlU2lnbmF0dX
  JlIjogewogICAgICAiVWRmIjogIk1EMzYtUTRTQy1TNFlaLUtQUlAtN1c0UC1TTlI
  3LVFNRDIiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVi
  bGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgI
  CAgIlB1YmxpYyI6ICJHdWFlT0hOMXE5WDdkMW5PZEJIYTFFdUNSUkY3ZTlCZ0Y4b3
  VwdXJDZGpjT1BreUZBTFhRCiAgQWd4c1BKU1FNNWVnQVZQRGtHbWhyNjZBIn19fSw
  KICAgICJTZXJ2aWNlQXV0aGVudGljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTUJH
  Wi03U1NULTRIWUstRkxNTS03TjVMLVdWQU0tUDNYNyIsCiAgICAgICJQdWJsaWNQY
  XJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgIC
  AgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiZW5tcE1WcElONVl
  fQ1N0SGZYU21aa1ZueGdYSjZwYkoxQUZuZjNaUVZza19XZG1GaERDagogIGpsbW4y
  bEcyWHZyNURFWUlpR0pObUs2QSJ9fX0sCiAgICAiU2VydmljZUVuY3J5cHRpb24iO
  iB7CiAgICAgICJVZGYiOiAiTUJCUi1LTEw0LVlSRlgtSzYzRS0yRENULTZVR1EtWj
  VKQyIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWN
  LZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQ
  dWJsaWMiOiAiVzJxaWw2Z1lKcmZOajV6R2pOMGd6U0VCRWd1N2tUaGZrR1NhR0Z5L
  UlBVDYzbktBLU12eQogIE5HSElvRTFsanpUaG4zcHpIblBOeVd1QSJ9fX0sCiAgIC
  AiU2VydmljZVNpZ25hdHVyZSI6IHsKICAgICAgIlVkZiI6ICJNQUdYLUMzTU4tREh
  OVC1ZVVNJLVpZUEgtVlE1Vy1DNVNXIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMi
  OiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogI
  kVkNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAieXFGOVdhQzlHendYUkxKOFFEVT
  RLX0w2UENzVnY1bzVUeHF5SWxHdEFCREgtSXB5RUtzZAogIHl2QWZaWndZRGsxalF
  Nb29HZEMxaVVPQSJ9fX19fQ",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MD36-Q4SC-S4YZ-KPRP-7W4P-SNR7-QMD2",
            "signature":"M_zW4QfJQFlkOgwxMukD4rrJCSy4O42zNbSmUQV-
  -5IUedZeFq3t81SVe_8rpVa43oPKn75yyXkAq2vL86MdD2EW6_5c0qk6_TjetFNA2
  W6nMpJrgSVqfAGSov1VpDST98tz8mZPULoXw7uGCuSHcSoA"}
          ],
        "PayloadDigest":"jmeKG0k9DNNN6eJYg_LN13Gh2SwGociO76OVJ6Q5
  kG9XCOgTVEO_YXG1DZWSszhG6qXfEUU5QV8WiQXqFsEU9Q"}
      ]}}

The current revision of the specification is designed for small scale deployments in which the service is provided by a single host. The approach will require revision in future versions to fully support a service being provided by multiple hosts with accounts being transferred between the hosts to allow balancing of load.

6.2. Account Management

There are three account management operations:

BindAccount

Create an account bound to a service address.

UnbindAccount

Delete an account bound to a service address.

RecoverAccount

[TBS] Reclaim an account using a recovered primary secret.

The BindAccount operation is used to create User and Group accounts. Currently, these account types are distinct. This may change in future releases.

6.2.1. Bind Account

A User Account is bound to a Mesh Service by completing a BindAccount operation with the service.

The BindAccount transaction is unique in that it can fail to complete for reasons that are outside the scope of the Mesh specifications. Creation of an account might require payment to be made or authentication of the user's credentials. It is thus quite normal for the result of a CreateRequest to be the account being created in an 'on hold' state which can only be changed out of band.

If the request is at least partially successful, a BindResponse message is returned. In the case of partial success, a description of the request status and link to a Web page providing further details MAY be returned.

The request payload contains all the information needed to create the account:

  • The account address
  • The account profile

Since there is no Access Catalog until the account is created, the Bind Account request and subsequent requests used to initialize the access catalog for the account MUST be authenticated by the Account Authentication key.

Alice requests creation of the account alice@example.com. The request payload is:

{
  "BindRequest":{
    "AccountAddress":"alice@example.com",
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0tUV
  hKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy
  ZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIj
  ogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzLVU
  zQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGlj
  S2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgI
  lB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUkybW
  RJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKICA
  gICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vy
  dmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKI
  CAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhRSC
  1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ldGV
  ycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYi
  OiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3FFQ
  zNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNSVm
  o0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogICA
  gICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLAog
  ICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNES
  CI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIj
  ogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwSGd
  Cbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbWlu
  aXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVFGW
  U0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIj
  ogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJ
  FZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2lN
  UjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTBza
  V9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsKIC
  AgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FIIiw
  KICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVD
  REgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpY
  yI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3OU
  5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY2N
  vdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILVVK
  TjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKI
  CAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0ND
  giLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhenZ
  lNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF84
  bC1SaUdBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
            "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa8W
  Vr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In4R
  Z9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
          ],
        "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fPbq
  u5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
      ]}}

The response payload currently reports the success or failure of the bind operation:

{
  "BindResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAccountHostAssignment":[{
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY2NvdW50SG
  9zdEFzc2lnbm1lbnQiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCI
  sCiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "ewogICJBY2NvdW50SG9zdEFzc2lnbm1lbnQiOiB7CiAgICAiQWNjb3VudE
  FkZGVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiQWNjZXNzRW5jcnlwdCI
  6IHsKICAgICAgIlVkZiI6ICJNQkJSLUtMTDQtWVJGWC1LNjNFLTJEQ1QtNlVHUS1a
  NUpDIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY
  0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIl
  B1YmxpYyI6ICJXMnFpbDZnWUpyZk5qNXpHak4wZ3pTRUJFZ3U3a1RoZmtHU2FHRnk
  tSUFUNjNuS0EtTXZ5CiAgTkdISW9FMWxqelRobjNwekhuUE55V3VBIn19fX19"
      ]}}

It is likely that a future revision of the specification will specify the host(s) to which future account service operations are to be directed. This would allow the account management operations to be separated from the account maintenance operations without requiring the traditional tiered architecture in which every interaction with a service is first routed to a host that cannot perform the required action so that it can be directed to the host that can.

6.2.1.1. Bind Group Account

Mesh Group Accounts are created in the same manner as user accounts except that the ProfileGroup is specified.

6.2.1.2. Account Recovery

Should all the administration devices be lost, an account MAY be recovered by the process of recovering the profile master secret and using it to access the account through the account authentication key.

6.2.2. Unbind Account

An account registration is deleted using the UnbindAccount transaction.

>>>> Unfinished ProtocolAccountDelete

The request payload:

The response payload:

6.2.2.1. Account Transfer

Should a user wish to transfer their account to a new service provider, they first use the Bind Account operation to bind the account to the new service provider, then populate the account entry at the new account using the account authentication key.

Only after the new account binding has been completed and is ready for use, is the unbind operation used to delete the account entry at the old service provider.

Future versions of the protocol will elaborate on this mechanism so that the change of address can be signaled to connected devices and parties sending messages to the account.

6.2.3. Account Recovery and Transfer

Account recovery is necessary in the case that the user has lost control of every administration device connected to the account and must re-create the account profile and bind a new set of administrative devices. Account transfer is the process of unbinding an account from one service and rebinding it to a new one.

These capabilities are both critical to the long term success of the Mesh but have been deleted from the current revision of the specification as their implementation is interdependent on the architecture of the callsign registry.

>>>> Unfinished ProtocolAccountRecover

[TBS]

6.3. Persistence Store Management

All the state associated with a Mesh profile is stored as a sequence of DARE Messages in a DARE Container. The Mesh Service holds the master copy of the persistence stores and the devices connected to the profile hold complete copies (replicas) or partial copies (redactions).

Thus, the only primitives needed to achieve synchronization of the profile state are those required for synchronization of a DARE Container. These steps are:

  • Obtain the status of the catalogs and spools associated with the account.
  • Download catalog and spool updates.
  • Upload catalog updates.

To ensure a satisfactory user experience, Mesh Messages are intentionally limited in size to 32 KB or less, thus ensuring that an application can retrieve the most recent 100 messages almost instantaneously on a high bandwidth connection and without undue delay on a slower one.

6.3.1. Status

The status transaction returns the status of the containers the device is authorized to access for the specified account together with the updated Device Connection Entry if this has been modified since the entry presented to authenticate the request was issued.

Alice adds an entry to her bookmark catalog. Before the bookmark can be added, the device synchronizes to the service. The synchronization process begins with a request for the status of all the stores associated with the account that it has access rights for:

{
  "StatusRequest":{
    "CatalogedDeviceDigest":"MDNG-A3QX-657G-UH45-KEKO-DIV2-4Q"}}

If the account has a very large number of stores, the device might only ask for the status of specific stores of interest.

The response specifies the status of each store, giving the index and Merkle tree apex digest value for each:

{
  "StatusResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "ContainerStatus":[{
        "Container":"MMM_Inbound",
        "Index":3},
      {
        "Container":"MMM_Outbound",
        "Index":1,
        "Digest":"FEHy24Y6cLModDXWH31kVc2a3TdhjXPooKHpLAb2JbsO1YQ
  nJolmowXAYHhkOGY0kg3jrKNTjds0myf4Dw1sdg"},
      {
        "Container":"MMM_Local",
        "Index":2},
      {
        "Container":"MMM_Access",
        "Index":3},
      {
        "Container":"MMM_Credential",
        "Index":4},
      {
        "Container":"MMM_Device",
        "Index":3},
      {
        "Container":"MMM_Contact",
        "Index":2},
      {
        "Container":"MMM_Application",
        "Index":1},
      {
        "Container":"MMM_Publication",
        "Index":1},
      {
        "Container":"MMM_Bookmark",
        "Index":1},
      {
        "Container":"MMM_Task",
        "Index":1}
      ]}}

Bug: The current version of the reference code is only returning the digest values for the outbound store.

6.3.2. Download

The download transaction returns a collection of entries from one or more containers associated with the profile.

The service MAY limit the number of entries returned in an individual response for performance reasons.

The previous status operation has reported that a new envelope has been added to the credential store. The device requests this data from the service:

{
  "DownloadRequest":{
    "Select":[{
        "Container":"MMM_Credential",
        "IndexMin":3,
        "IndexMax":4}
      ]}}

The response contains the requested envelope:

{
  "DownloadResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "Updates":[{
        "Container":"MMM_Credential",
        "Envelopes":[[{
              "PayloadDigest":"scKJJY0e2llHKRImyYAHL98MSo62-eVSTz
  8JkFFaicCDM1Nskxm5JW1WIUy4XhKdhYTYagTRFxNTsbABRAOT7w",
              "enc":"A256CBC",
              "dig":"S512",
              "Salt":"28sn1l7vROY1rqAjTNaxzg",
              "recipients":[{
                  "kid":"MC7F-DLCK-JI67-VFL7-BOHX-T62Q-KCVG",
                  "epk":{
                    "PublicKeyECDH":{
                      "crv":"X448",
                      "Public":"lGsU2MtoCW3h7kBLBfm4eN9xXqVSVbR_9
  Es_47TEqVo2HYkeSOlkFE1hPNCz98yD-xFx_9omFj4A"}},
                  "wmk":"tyvbkB9eXzVAFqYyTn12vOcC18vtSIlIfmPR6hpS
  LPoAORyeVaD2rg"}
                ],
              "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICI6ZnRwLmV4
  YW1wbGUuY29tIiwKICAiRXZlbnQiOiAiVXBkYXRlIiwKICAiRmlyc3QiOiAxLAogI
  CJQcmV2aW91cyI6IDF9",
              "SequenceInfo":{
                "Index":3,
                "TreePosition":716},
              "Received":"2021-10-25T15:48:48Z"},
            "GnC2lneENSTxMbQ6W91xcsDRs1Ap9P5PRn7MHvCQ1hEMWiGWw91t
  r5llzPtdeZz1-FxF5Cc49FrdanP8dtWZVNMTg4yQMf5bbaRzte4CzUrKihFYdJ3SK
  GAm2EC317muijVLb29kqnkJkmdLUJu41yYZ4OLRe1rM_xR1t0VlkaE",
            {}
            ]
          ]}
      ]}}

Future: The current implementation of the download operation is limited by the capabilities of the HTTP binding of the RUD transport. A future binding allowing operations that consist of a single request followed by a sequence of responses will allow much greater flexibility.

Future versions of the protocol may support optional filtering criteria so that the service only returns objects matching specific criteria and/or only return certain parts of the selected messages.
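
The Status and Download exchange above, as an added example (not code from the draft or the reference implementation): a device compares the StatusResponse with its replica, builds the DownloadRequest, and flags a store whose reported index went backwards or whose digest changed at the same index, the stale-data case noted in section 4. The replica structure, the alert names and the `batch` parameter are hypothetical, and reading IndexMin as the device's current index and IndexMax as the reported index is an assumption taken from the example values.

```python
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    select: list = field(default_factory=list)  # entries for DownloadRequest.Select
    alerts: list = field(default_factory=list)  # (container, reason) pairs to investigate

    def download_request(self):
        return {"DownloadRequest": {"Select": self.select}}


def plan_sync(replica, status_response, batch=100):
    """Compare a StatusResponse with the local replica state.

    replica maps container name -> (index, apex_digest or None). This
    structure is hypothetical; the draft does not define replica storage.
    """
    body = status_response["StatusResponse"]
    status = body.get("Status", 0)
    if not 200 <= status < 300:  # assumption: 2xx is success (the draft shows 201)
        raise ValueError(f"status request failed: {status}")

    plan = SyncPlan()
    reported = set()
    for entry in body.get("ContainerStatus", []):
        name, remote_index = entry["Container"], entry["Index"]
        remote_digest = entry.get("Digest")
        local_index, local_digest = replica.get(name, (0, None))
        reported.add(name)

        if remote_index < local_index:
            # The service claims fewer entries than the device already holds.
            # Stores are only ever appended to, so this is stale data.
            plan.alerts.append((name, "rollback"))
        elif remote_index == local_index:
            # Same length but a different apex digest: the histories diverge.
            if remote_digest and local_digest and remote_digest != local_digest:
                plan.alerts.append((name, "fork"))
        else:
            # New entries exist; cap the range so one response stays small.
            plan.select.append({
                "Container": name,
                "IndexMin": local_index,
                "IndexMax": min(remote_index, local_index + batch),
            })

    # Stores the device holds that the service did not report at all.
    for name in sorted(set(replica) - reported):
        plan.alerts.append((name, "absent"))
    return plan


# Constructed sample data modelled on the StatusResponse above.
# The digest strings are placeholders, not real apex digests.
REPLICA = {
    "MMM_Inbound": (3, None),
    "MMM_Outbound": (1, "constructed-digest-A"),
    "MMM_Credential": (3, None),
    "MMM_Bookmark": (1, None),
}
STATUS = {"StatusResponse": {"Status": 201, "ContainerStatus": [
    {"Container": "MMM_Inbound", "Index": 3},
    {"Container": "MMM_Outbound", "Index": 1, "Digest": "constructed-digest-A"},
    {"Container": "MMM_Credential", "Index": 4},
    {"Container": "MMM_Bookmark", "Index": 1},
]}}

if __name__ == "__main__":
    result = plan_sync(REPLICA, STATUS)
    print(result.download_request())
    print(result.alerts)
```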

6.3.3. Transact

The transact transaction appends envelopes to one or more stores. The operation is atomic, that is, either all the changes specified will be made to the stores or none will. This ensures that simultaneous attempts to update a store do not result in race conditions and allows Mesh stores to provide ACID (Atomicity, Consistency, Isolation, Durability) properties to the applications they serve.

Clients SHOULD check to determine if updates to a container conflict with pending updates on the device waiting to be uploaded. For example, a contact that the user modified on the device attempting to synchronize might subsequently have been deleted. The means of resolving such conflicts is not in the scope of this specification.

Each update to a catalog or container specifies the expected container index and apex digest. This provides a strong guarantee of consistency. The service MUST verify each update to check that the Merkle Tree values specified are consistent with the store entries and that the signature on the apex value (if specified) is valid and correct.

Services MAY impose limits on the size and number of additions performed in response to a TransactRequest message to ensure that processing time does not degrade performance for other users.

The request payload specifies the data to be appended to the stores.

{
  "TransactRequest":{
    "Updates":[{
        "Container":"MMM_Bookmark",
        "Envelopes":[[{
              "dig":"S512",
              "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJTaXRlcy4y
  IiwKICAiRXZlbnQiOiAiTmV3In0",
              "SequenceInfo":{
                "Index":1,
                "TreePosition":0}},
            "ewogICJDYXRhbG9nZWRCb29rbWFyayI6IHsKICAgICJVcmkiOiAi
  aHR0cDovL3d3dy5leGFtcGxlLm5ldCIsCiAgICAiVGl0bGUiOiAic2l0ZTIiLAogI
  CAgIlBhdGgiOiAiU2l0ZXMuMiJ9fQ",
            {
              "PayloadDigest":"gtpamSravs9YkD3Wi6-rIFqFOINwLFj8Q2
  eGpMjmbyP-_TRCgRs9Hqpo3bJPhoRSgUmfIUsQTDNeiT414W56eA",
              "TreeDigest":"TpXg14cDEx_-1Qe-h1qiryihslO0MrUCLW0L7
  wvq-YLCEWZfAIrp9FmBwNE0se8UN1nFY4h1aqXbN3yBuKfg9w"}
            ]
          ]}
      ]}}

The response reports successful completion:

{
  "TransactResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}
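
The all-or-nothing behaviour described in this section, as an added example (not code from the draft or the reference implementation): every envelope in a TransactRequest is validated against a staged view of the stores before anything is appended. The in-memory store, `TransactError` and the helper names are hypothetical. The example assumes that `"dig":"S512"` denotes SHA-2-512, that PayloadDigest is the digest of the decoded payload octets, and that the next free Index equals the number of entries already stored; it checks the sequence index and payload digest only, not the Merkle tree values.

```python
import base64
import hashlib
import json


class TransactError(Exception):
    """Raised when any update in a TransactRequest fails validation."""


def b64u_decode(text):
    # The draft's examples use unpadded base64url; restore padding first.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64u_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_envelope(index, obj):
    """Build a constructed [header, payload, trailer] envelope for the demo."""
    payload = json.dumps(obj).encode("utf-8")
    header = {"dig": "S512", "SequenceInfo": {"Index": index}}
    trailer = {"PayloadDigest": b64u_encode(hashlib.sha512(payload).digest())}
    return [header, b64u_encode(payload), trailer]


def validate_envelope(envelope, expected_index):
    if not (isinstance(envelope, list) and len(envelope) == 3):
        raise TransactError("envelope must be [header, payload, trailer]")
    header, payload, trailer = envelope
    if header.get("dig") != "S512":
        raise TransactError("unsupported digest algorithm")
    index = header.get("SequenceInfo", {}).get("Index")
    if index != expected_index:
        # Another device appended first, or the client's view is stale.
        raise TransactError(f"index {index}, expected {expected_index}")
    try:
        digest = hashlib.sha512(b64u_decode(payload)).digest()
    except (ValueError, TypeError) as exc:
        raise TransactError("payload is not valid base64url") from exc
    if trailer.get("PayloadDigest") != b64u_encode(digest):
        raise TransactError("payload digest mismatch")


def transact(stores, request):
    """Validate every update first, then append; on error nothing changes."""
    updates = request["TransactRequest"]["Updates"]
    next_index = {}  # staged view: container -> next free index
    for update in updates:
        name = update["Container"]
        if name not in stores:
            raise TransactError(f"unknown container {name}")
        next_index.setdefault(name, len(stores[name]))
        for envelope in update["Envelopes"]:
            validate_envelope(envelope, next_index[name])
            next_index[name] += 1
    # All checks passed: apply every append.
    for update in updates:
        stores[update["Container"]].extend(update["Envelopes"])
    return {"TransactResponse": {
        "Status": 201,
        "StatusDescription": "Operation completed successfully"}}


def demo():
    """Run one accepted and one rejected request on constructed stores."""
    stores = {
        "MMM_Bookmark": [make_envelope(0, {})],
        "MMM_Contact": [make_envelope(0, {}), make_envelope(1, {"Name": "a"})],
    }
    accepted = transact(stores, {"TransactRequest": {"Updates": [
        {"Container": "MMM_Bookmark",
         "Envelopes": [make_envelope(1, {"Uri": "http://www.example.net"})]},
        {"Container": "MMM_Contact",
         "Envelopes": [make_envelope(2, {"Name": "b"})]},
    ]}})
    try:
        # The second update repeats index 2, so the first is not applied either.
        transact(stores, {"TransactRequest": {"Updates": [
            {"Container": "MMM_Bookmark",
             "Envelopes": [make_envelope(2, {"Uri": "http://example.org"})]},
            {"Container": "MMM_Contact",
             "Envelopes": [make_envelope(2, {"Name": "c"})]},
        ]}})
        rejected = False
    except TransactError:
        rejected = True
    return accepted, rejected, {k: len(v) for k, v in stores.items()}


if __name__ == "__main__":
    print(demo())
```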

6.4. Device Connection

In order to support the wide range of affordances supported by devices, four device connection interactions are currently specified. The use of these mechanisms is described in [draft-hallambaker-mesh-architecture] and the interactions themselves are described in section ??? following.

Device connection operations are always issued by a device requesting connection to a Mesh account and must therefore be authenticated under the device profile rather than the account profile. Two device connection operations are currently defined:

Connect

Requests connection to the account.

Complete

Polls for completion of a connection request.

Since the second operation is merely polling for completion of the transaction requested by the first, it is likely that these will be combined in a future revision of the specification.

6.4.1. Connect

If the connection request is initiated by the device being connected, the device constructs a RequestConnection message which is posted to the Mesh Service using the Connect operation.

If the Connect operation is accepted (i.e. the service determines it is not abuse), the service constructs an AcknowledgeConnection message which is forwarded to the inbound spool of the account to which connection is requested. The requesting device receives a copy of the AcknowledgeConnection message and the profile of the account it is requesting connection to.

As described in the following section, the AcknowledgeConnection message contains the request details presented by the device and a nonce value generated by the service. This nonce value is used to compute the witness value that will be used for mutual authentication of the device and account.

The connect request is made to the service, not the account. The payload contains the enveloped connection request:

{
  "ConnectRequest":{
    "EnvelopedRequestConnection":[{
        "EnvelopeId":"MDKW-3KOD-ZTW6-MRIB-AARK-UACM-PDOZ",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj
  VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi
  AiTkE0Ni1IU1ZHLU41TlUtRVhLWi00WDdHLUdTRjctRFVXUyIsCiAgICAiQXV0aGV
  udGljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1DVk4tWExM
  VC1MTE5XLVU0SFItQk9NRy1SQTZaLVVXUlIiLAogICAgICAgICJkaWciOiAiUzUxM
  iIsCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWk
  NJNklDSk5RMVpPTFZoTVRGUXRURXhPVnkxCiAgVk5FaFNMVUpQVFVjdFVrRTJXaTF
  WVjFKU0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxk
  bWxqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV
  04wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJeExURXdMVEkxVkRFMU9qUT
  VPakF5V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V
  3b2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNK
  VlpHWWlPaUFpVFVOV1RpMVlURXhVTFV4TVRsY3RWCiAgVFJJVWkxQ1QwMUhMVkpCT
  mxvdFZWZFNVaUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KIC
  BnZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0F
  nSUNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmli
  R2xqSWpvZ0ltUXpNbGcxYjNOSE1VdFBSVFZ2YldaCiAgV1RVWnFSRXMwTUY4NGVHS
  jVSVE5yWmxWM1QzZFVZbEJYTVhaSmVXOHpRME5PZGtvS0lDQTVhWEJzZVRGQk0KIC
  BsZzRUalZNZWpoWFNYUlRXbWwzUzBFaWZYMTlMQW9nSUNBZ0lrVnVZM0o1Y0hScGI
  yNGlPaUI3Q2lBZ0lDQQogIGdJQ0pWWkdZaU9pQWlUVVJOVnkxWFEwbFNMVVpLVFU4
  dE4xcElOaTFEVGpOS0xVdFZXa3d0VWt4QldDSXNDCiAgaUFnSUNBZ0lDSlFkV0pzY
  VdOUVlYSmhiV1YwWlhKeklqb2dld29nSUNBZ0lDQWdJQ0pRZFdKc2FXTkxaWGwKIC
  BGUTBSSUlqb2dld29nSUNBZ0lDQWdJQ0FnSW1OeWRpSTZJQ0pZTkRRNElpd0tJQ0F
  nSUNBZ0lDQWdJQ0pRZAogIFdKc2FXTWlPaUFpYm5SZmNIVTBXVkppZVhJd1dVeE5Z
  MUpYZG1sTkxYSlVXbGhYWmxCMVVWaFdhMWgwVFdkCiAgdWQyaHdlVVZYZGpCSFVtc
  HNhQW9nSURsVmNuQlBjMjFqVlRJM0xXeHRlbmhKVDNkVFdHcEJRU0o5Zlgwc0MKIC
  BpQWdJQ0FpVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ01
  sVXROa2ROTnkxUVNFawogIHpMVE5WVlU0dFRFbGFOaTFWVlVkS0xVbFhOVkVpTEFv
  Z0lDQWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljCiAgeUk2SUhzS0lDQWdJQ0FnS
  UNBaVVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjblkKIC
  BpT2lBaVJXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSlZibWs
  yTlVWWVkwUllZbVZYYQogIFcxUmJGazVPWGhoU0c1U1dtcGlTRnBCUzJsVU5tUmxa
  RFIwTVdwMlRHcEZWbWhNYjNsWUNpQWdWbEZyYVdSCiAgb1oxbHNWMjFmUkhNMk9EZ
  FBkVXBvWDFWQkluMTlmU3dLSUNBZ0lDSkJkWFJvWlc1MGFXTmhkR2x2YmlJNkkKIC
  BIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKTlFrbERMVUl5UzBRdFFrSlNXQzFITkZCRUx
  UUkpNazh0VUUxRVRpMQogIFhUMWRCSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21G
  dFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ0lsQjFZCiAgbXhwWTB0bGVVVkRSRWdpT
  2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJQ0EKIC
  BnSUNBZ0lsQjFZbXhwWXlJNklDSjVjR0pUVjFablNIRXdiMjVvVDJ0VVQxRjRNVU5
  rWjNkSVJWUlFURWxTVAogIFZRMWFXMVNTMHBmTUdvelZ6Qktabmt0Vms1dUNpQWdP
  VEptVHpaclNGbDBNMmRUYjBoWFNtMDRUWFpXTkhkCiAgQkluMTlmWDE5IiwKICAgI
  CAgewogICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgImFsZyI6IC
  JTNTEyIiwKICAgICAgICAgICAgImtpZCI6ICJNQ1ZOLVhMTFQtTExOVy1VNEhSLUJ
  PTUctUkE2Wi1VV1JSIiwKICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJGUGpjQ3py
  N3MwRmJVSHJaT09oVUd1ZXNVTkJKT05YOUZlLUNfXzg3ZXlrSFc1VU95CiAgbExob
  mZ4ZmtVTFFWUklZM2dkRmdmTFNKNW1BTFlRM3Y5UkxKdGhkUGhNcHhEZnV5SWlEM1
  Z0LWNobzJRR2EKICBTcTdpbU8tWmxLWkxQX2p3TzQ4QW5xY05abkp3Y2RLTUZoa3p
  aRGprQSJ9XSwKICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJIZ0tJNVZjY3psUmkw
  X0g5bUVlYnlfWWxrOHpDVGxlTG1oemVXVm9ma1djY2YKICBncENsSTFoUkgzZm5fS
  lVBSlpxYXU3Nm8yQWFVVFB1My1EZXU5VFhhdyJ9XSwKICAgICJDbGllbnROb25jZS
  I6ICItcHl1a0E4S0pxZHZWX2hlUElLRlpRIiwKICAgICJQaW5JZCI6ICJBQVBPLVB
  VQ0stQUlZWi1GU09YLU9CSTUtWVpaQi1SVlQyIiwKICAgICJQaW5XaXRuZXNzIjog
  IndWMDRjckJhZjdoLTVmY2xWQUdNSXN5NVpVWm5LY3FiUFhEVWJ1WmZYWW96dUk5W
  gogIEItZW1ld25xMmF3dnB3Nmk3b0Z2Z1ktb1cwalFyVVlxSlNUV0RnIiwKICAgIC
  JBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSJ9fQ"
      ]}}

The response payload contains the information the device requires to compute the witness value and to poll for completion. It consists of a copy of the request acknowledgement and a copy of the profile of the account to which the device has requested connection:

{
  "ConnectResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAcknowledgeConnection":[{
        "EnvelopeId":"MBQD-SAOO-FLPI-PKWI-WYR6-PNVY-VTC4",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICIyV1pQLUtOWkYtSk
  1LTy1SUVNVLVdZVEgtVVUzNS1OV1hWIiwKICAiTWVzc2FnZVR5cGUiOiAiQWNrbm9
  3bGVkZ2VDb25uZWN0aW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmpl
  Y3QiLAogICJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDJaIn0"},
      "ewogICJBY2tub3dsZWRnZUNvbm5lY3Rpb24iOiB7CiAgICAiTWVzc2FnZU
  lkIjogIjJXWlAtS05aRi1KTUtPLVJRU1UtV1lUSC1VVTM1LU5XWFYiLAogICAgIkV
  udmVsb3BlZFJlcXVlc3RDb25uZWN0aW9uIjogW3sKICAgICAgICAiRW52ZWxvcGVJ
  ZCI6ICJNREtXLTNLT0QtWlRXNi1NUklCLUFBUkstVUFDTS1QRE9aIiwKICAgICAgI
  CAiQ29udGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpaQ0k2SUNKT1FUUT
  JMVWhUVmtjdFRqVk9WUzEKICBGV0V0YUxUUllOMGN0UjFOR055MUVWVmRUSWl3S0l
  DQWlUV1Z6YzJGblpWUjVjR1VpT2lBaVVtVnhkV1Z6ZAogIEVOdmJtNWxZM1JwYjI0
  aUxBb2dJQ0pqZEhraU9pQWlZWEJ3YkdsallYUnBiMjR2YlcxdEwyOWlhbVZqZENJC
  iAgc0NpQWdJa055WldGMFpXUWlPaUFpTWpBeU1TMHhNQzB5TlZReE5UbzBPVG93TW
  xvaWZRIn0sCiAgICAgICJld29nSUNKU1pYRjFaWE4wUTI5dWJtVmpkR2x2YmlJNkl
  Ic0tJQ0FnSUNKCiAgTlpYTnpZV2RsU1dRaU9pQWlUa0UwTmkxSVUxWkhMVTQxVGxV
  dFJWaExXaTAwV0RkSExVZFRSamN0UkZWWFUKICB5SXNDaUFnSUNBaVFYVjBhR1Z1Z
  EdsallYUmxaRVJoZEdFaU9pQmJld29nSUNBZ0lDQWdJQ0pGYm5abGJHOQogIHdaVW
  xrSWpvZ0lrMURWazR0V0V4TVZDMU1URTVYTFZVMFNGSXRRazlOUnkxU1FUWmFMVlZ
  YVWxJaUxBb2dJCiAgQ0FnSUNBZ0lDSmthV2NpT2lBaVV6VXhNaUlzQ2lBZ0lDQWdJ
  Q0FnSWtOdmJuUmxiblJOWlhSaFJHRjBZU0kKICA2SUNKbGQyOW5TVU5LVm1KdGJIa
  GtWMVpLV2tOSk5rbERTazVSTVZwUFRGWm9UVlJHVVhSVVJYaFBWbmt4QwogIGlBZ1
  ZrNUZhRk5NVlVwUVZGVmpkRlZyUlRKWGFURldWakZLVTBscGQwdEpRMEZwVkZkV2V
  tTXlSbTVhVmxJCiAgMVkwZFZhVTlwUVdsVlNFcDJXbTFzYzFvS0lDQlZVbXhrYld4
  cVdsTkpjME5wUVdkSmJVNHdaVk5KTmtsRFMKICBtaGpTRUp6WVZkT2FHUkhiSFppY
  VRsMFlsY3dkbUl5U25GYVYwNHdTV2wzUzBsRFFRb2dJR2xSTTBwc1dWaAogIFNiRn
  BEU1RaSlEwbDVUVVJKZUV4VVJYZE1WRWt4VmtSRk1VOXFVVFZQYWtGNVYybEtPU0o
  5TEFvZ0lDQWdJCiAgQ0FpWlhkdlowbERTbEZqYlRsdFlWZDRiRkpIVmpKaFYwNXNT
  V3B2WjJWM2IyZEpRMEZuU1d4Q2VXSXlXZ28KICBnSUhCaVIxWlVZVmRrZFZsWVVqR
  mpiVlZwVDJsQ04wTnBRV2RKUTBGblNVTktWbHBIV1dsUGFVRnBWRlZPVgogIDFScE
  1WbFVSWGhWVEZWNFRWUnNZM1JXQ2lBZ1ZGSkpWV2t4UTFRd01VaE1Wa3BDVG14dmR
  GWldaRk5WYVVsCiAgelEybEJaMGxEUVdkSlEwcFJaRmRLYzJGWFRsRlpXRXBvWWxk
  V01GcFlTbnBKYW04S0lDQm5aWGR2WjBsRFEKICBXZEpRMEZuU1VOS1VXUlhTbk5oV
  jA1TVdsaHNSbEV3VWtsSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbAogIHRUbm
  xrYVVrMlNRb2dJRU5LUmxwRVVUQlBRMGx6UTJsQlowbERRV2RKUTBGblNVTkJhVlZ
  JVm1saVIyeHFTCiAgV3B2WjBsdFVYcE5iR2N4WWpOT1NFMVZkRkJTVkZaMllsZGFD
  aUFnVjFSVlduRlNSWE13VFVZNE5HVkhTalYKICBTVkU1eVdteFdNMVF6WkZWWmJFS
  llUVmhhU21WWE9IcFJNRTVQWkd0dlMwbERRVFZoV0VKelpWUkdRazBLSQogIENCc1
  p6UlVhbFpOWldwb1dGTllVbFJYYld3elV6QkZhV1pZTVRsTVFXOW5TVU5CWjBsclZ
  uVlpNMG8xWTBoCiAgU2NHSXlOR2xQYVVJM1EybEJaMGxEUVFvZ0lHZEpRMHBXV2tk
  WmFVOXBRV2xVVlZKT1Zua3hXRkV3YkZOTVYKICBWcExWRlU0ZEU0eGNFbE9hVEZFV
  kdwT1MweFZkRlpYYTNkMFZXdDRRbGREU1hORENpQWdhVUZuU1VOQlowbAogIERTbE
  ZrVjBwellWZE9VVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2R
  KUTBwUlpGZEtjCiAgMkZYVGt4YVdHd0tJQ0JHVVRCU1NVbHFiMmRsZDI5blNVTkJa
  MGxEUVdkSlEwRm5TVzFPZVdScFNUWkpRMHAKICBaVGtSUk5FbHBkMHRKUTBGblNVT
  kJaMGxEUVdkSlEwcFJaQW9nSUZkS2MyRlhUV2xQYVVGcFltNVNabU5JVgogIFRCWF
  ZrcHBaVmhKZDFkVmVFNVpNVXBZWkcxc1RreFlTbFZYYkdoWVdteENNVlZXYUZkaE1
  XZ3dWRmRrQ2lBCiAgZ2RXUXlhSGRsVlZaWVpHcENTRlZ0Y0hOaFFXOW5TVVJzVm1O
  dVFsQmpNakZxVmxSSk0weFhlSFJsYm1oS1YKICBETmtWRmRIY0VKUlUwbzVabGd3Y
  zBNS0lDQnBRV2RKUTBGcFZUSnNibUp0UmpCa1dFcHNTV3B2WjJWM2IyZAogIEpRME
  ZuU1VOQmFWWlhVbTFKYW05blNXc3hRMDFzVlhST2EyUk9Ubmt4VVZORmF3b2dJSHB
  NVkU1V1ZsVTBkCiAgRlJGYkdGT2FURldWbFZrUzB4VmJGaE9Wa1ZwVEVGdlowbERR
  V2RKUTBGcFZVaFdhV0pIYkdwVlIwWjVXVmMKICB4YkdSSFZubGpDaUFnZVVrMlNVa
  HpTMGxEUVdkSlEwRm5TVU5CYVZWSVZtbGlSMnhxVXpKV05WSlZUa1ZUUQogIDBrMl
  NVaHpTMGxEUVdkSlEwRm5TVU5CWjBsRFNtcGpibGtLSUNCcFQybEJhVkpYVVRCT1J
  HZHBURUZ2WjBsCiAgRFFXZEpRMEZuU1VOQlowbHNRakZaYlhod1dYbEpOa2xEU2xa
  aWJXc3lUbFZXV1Zrd1VsbFpiVlpZWVFvZ0kKICBGY3hVbUpHYXpWUFdHaG9VMGMxV
  TFkdGNHbFRSbkJDVXpKc1ZVNXRVbXhhUkZJd1RWZHdNbFJIY0VaV2JXaAogIE5Zak
  5zV1VOcFFXZFdiRVp5WVZkU0NpQWdiMW94YkhOV01qRm1Va2hOTWs5RVpGQmtWWEJ
  2V0RGV1FrbHVNCiAgVGxtVTNkTFNVTkJaMGxEU2tKa1dGSnZXbGMxTUdGWFRtaGtS
  MngyWW1sSk5ra0tJQ0JJYzB0SlEwRm5TVU4KICBCWjBsc1ZtdGFhVWsyU1VOS1RsR
  nJiRVJNVlVsNVV6QlJkRkZyU2xOWFF6RklUa1pDUlV4VVVrcE5hemgwVgogIFVVeF
  JWUnBNUW9nSUZoVU1XUkNTV2wzUzBsRFFXZEpRMEZuU1d4Q01WbHRlSEJaTVVKb1k
  yMUdkRnBZVW14CiAgamJrMXBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHNRakZaQ2lB
  Z2JYaHdXVEIwYkdWVlZrUlNSV2RwVDJsQ04KICAwTnBRV2RKUTBGblNVTkJaMGxEU
  VdsWk0wb3lTV3B2WjBsc1p6Qk9SR2RwVEVGdlowbERRV2RKUTBFS0lDQgogIG5TVU
  5CWjBsc1FqRlpiWGh3V1hsSk5rbERTalZqUjBwVVZqRmFibE5JUlhkaU1qVnZWREo
  wVlZReFJqUk5WCiAgVTVyV2pOa1NWSldVbEZVUld4VFZBb2dJRlpSTVdGWE1WTlRN
  SEJtVFVkdmVsWjZRa3RhYm10MFZtczFkVU4KICBwUVdkUFZFcHRWSHBhY2xOR2JEQ
  k5NbVJVWWpCb1dGTnRNRFJVV0ZwWFRraGtDaUFnUWtsdU1UbG1XREU1SQogIGl3S0
  lDQWdJQ0FnZXdvZ0lDQWdJQ0FnSUNKemFXZHVZWFIxY21Weklqb2dXM3NLSUNBZ0l
  DQWdJQ0FnSUNBCiAgZ0ltRnNaeUk2SUNKVE5URXlJaXdLSUNBZ0lDQWdJQ0FnSUNB
  Z0ltdHBaQ0k2SUNKTlExWk9MVmhNVEZRdFQKICBFeE9WeTFWTkVoU0xVSlBUVWN0V
  WtFMldpMVZWMUpTSWl3S0lDQWdJQ0FnSUNBZ0lDQWdJbk5wWjI1aGRIVgogIHlaU0
  k2SUNKR1VHcGpRM3B5TjNNd1JtSlZTSEphVDA5b1ZVZDFaWE5WVGtKS1QwNVlPVVp
  sTFVOZlh6ZzNaCiAgWGxyU0ZjMVZVOTVDaUFnYkV4b2JtWjRabXRWVEZGV1VrbFpN
  MmRrUm1kbVRGTktOVzFCVEZsUk0zWTVVa3gKICBLZEdoa1VHaE5jSGhFWm5WNVNXb
  EVNMVowTFdOb2J6SlJSMkVLSUNCVGNUZHBiVTh0V214TFdreFFYMnAzVAogIHpRNF
  FXNXhZMDVhYmtwM1kyUkxUVVpvYTNwYVJHcHJRU0o5WFN3S0lDQWdJQ0FnSUNBaVV
  HRjViRzloWkVSCiAgcFoyVnpkQ0k2SUNKSVowdEpOVlpqWTNwc1Vta3dYMGc1YlVW
  bFlubGZXV3hyT0hwRFZHeGxURzFvZW1WWFYKICBtOW1hMWRqWTJZS0lDQm5jRU5zU
  1RGb1VrZ3pabTVmU2xWQlNscHhZWFUzTm04eVFXRlZWRkIxTXkxRVpYVQogIDVWRm
  hoZHlKOVhTd0tJQ0FnSUNKRGJHbGxiblJPYjI1alpTSTZJQ0l0Y0hsMWEwRTRTMHB
  4WkhaV1gyaGxVCiAgRWxMUmxwUklpd0tJQ0FnSUNKUWFXNUpaQ0k2SUNKQlFWQlBM
  VkJWUTBzdFFVbFpXaTFHVTA5WUxVOUNTVFUKICB0V1ZwYVFpMVNWbFF5SWl3S0lDQ
  WdJQ0pRYVc1WGFYUnVaWE56SWpvZ0luZFdNRFJqY2tKaFpqZG9MVFZtWQogIDJ4V1
  FVZE5TWE41TlZwVldtNUxZM0ZpVUZoRVZXSjFXbVpZV1c5NmRVazVXZ29nSUVJdFp
  XMWxkMjV4TW1GCiAgM2RuQjNObWszYjBaMloxa3RiMWN3YWxGeVZWbHhTbE5VVjBS
  bklpd0tJQ0FnSUNKQlkyTnZkVzUwUVdSa2MKICBtVnpjeUk2SUNKaGJHbGpaVUJsZ
  UdGdGNHeGxMbU52YlNKOWZRIl0sCiAgICAiU2VydmVyTm9uY2UiOiAicU85UjNvVD
  I0RURPNUdDWWxZQ0JzZyIsCiAgICAiV2l0bmVzcyI6ICIyV1pQLUtOWkYtSk1LTy1
  SUVNVLVdZVEgtVVUzNS1OV1hWIn19"
      ],
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0tUV
  hKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy
  ZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIj
  ogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzLVU
  zQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGlj
  S2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgI
  lB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUkybW
  RJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKICA
  gICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vy
  dmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKI
  CAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhRSC
  1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ldGV
  ycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYi
  OiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3FFQ
  zNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNSVm
  o0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogICA
  gICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLAog
  ICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNES
  CI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIj
  ogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwSGd
  Cbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbWlu
  aXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVFGW
  U0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIj
  ogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJ
  FZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2lN
  UjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTBza
  V9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsKIC
  AgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FIIiw
  KICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVD
  REgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpY
  yI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3OU
  5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY2N
  vdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILVVK
  TjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKI
  CAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0ND
  giLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhenZ
  lNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF84
  bC1SaUdBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
            "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa8W
  Vr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In4R
  Z9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
          ],
        "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fPbq
  u5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
      ]}}
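
The following Python sketch is an added example, not part of the draft or of the Mesh reference code. It unpacks the envelope layout shown above (a header whose ContentMetaData is base64url-encoded JSON, followed by a base64url body) and checks that the request echoed inside AcknowledgeConnection is the one the device sent. The function names and the comparison policy are assumptions; the field names ClientNonce, AccountAddress and ServerNonce are read from the decoded payloads above, and the request/response pair is constructed sample data.

```python
import base64
import json

# ContentMetaData of the ConnectRequest envelope, copied from the example above
# with its line wrapping and indentation left in place.
PAGE_CONTENT_METADATA = """ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj
  VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"""


def b64url_decode(text):
    """Decode unpadded base64url, ignoring whitespace left by line wrapping."""
    compact = "".join(text.split())
    return base64.urlsafe_b64decode(compact + "=" * (-len(compact) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def open_envelope(envelope):
    """Return (header, metadata, payload) for an unencrypted envelope array."""
    if not isinstance(envelope, list) or len(envelope) < 2:
        raise ValueError("envelope must be [header, body, ...]")
    header, body = envelope[0], envelope[1]
    if "enc" in header:
        # e.g. EnvelopedRespondConnection: the body is ciphertext, not JSON.
        raise ValueError("encrypted envelope: decrypt before parsing")
    # strict=False tolerates raw line breaks inside string values, which
    # appear when a wrapped example is pasted in.
    metadata = json.loads(b64url_decode(header["ContentMetaData"]), strict=False)
    payload = json.loads(b64url_decode(body), strict=False)
    return header, metadata, payload


def check_acknowledgement(sent_envelope, connect_response):
    """Check a ConnectResponse against the request sent; return ServerNonce."""
    response = connect_response["ConnectResponse"]
    if not 200 <= response.get("Status", 0) < 300:
        raise ValueError("service reported status %r" % response.get("Status"))
    _, meta, payload = open_envelope(response["EnvelopedAcknowledgeConnection"])
    if meta.get("MessageType") != "AcknowledgeConnection":
        raise ValueError("unexpected MessageType %r" % meta.get("MessageType"))
    ack = payload["AcknowledgeConnection"]

    # The acknowledgement carries a copy of the request; compare it with
    # what this device actually sent (assumed policy, see lead-in).
    sent_header, _, sent_payload = open_envelope(sent_envelope)
    echo_header, _, echo_payload = open_envelope(ack["EnvelopedRequestConnection"])
    if echo_header.get("EnvelopeId") != sent_header.get("EnvelopeId"):
        raise ValueError("acknowledgement echoes a different envelope")
    sent_request = sent_payload["RequestConnection"]
    echo_request = echo_payload["RequestConnection"]
    for field in ("ClientNonce", "AccountAddress"):
        if echo_request.get(field) != sent_request.get(field):
            raise ValueError("echoed %s does not match the request" % field)

    nonce = ack.get("ServerNonce")
    if not nonce or not b64url_decode(nonce):
        raise ValueError("acknowledgement carries no ServerNonce")
    return nonce


def page_metadata():
    """Decode the ContentMetaData value taken from the page."""
    return json.loads(b64url_decode(PAGE_CONTENT_METADATA))


def build_envelope(envelope_id, message_type, payload):
    """Build a constructed, unsigned sample envelope (illustration only)."""
    meta = {"UniqueId": envelope_id, "MessageType": message_type,
            "cty": "application/mmm/object"}
    header = {"EnvelopeId": envelope_id,
              "ContentMetaData": b64url_encode(json.dumps(meta).encode())}
    return [header, b64url_encode(json.dumps(payload).encode())]


def sample_exchange(echoed_client_nonce="Y29uc3RydWN0ZWQtbm9uY2U"):
    """Constructed request/response pair; identifiers are placeholders."""
    def request(nonce):
        return build_envelope(
            "EXAMPLE-REQUEST-ENVELOPE", "RequestConnection",
            {"RequestConnection": {"ClientNonce": nonce,
                                   "AccountAddress": "alice@example.com"}})
    sent = request("Y29uc3RydWN0ZWQtbm9uY2U")
    ack = build_envelope(
        "EXAMPLE-ACK-ENVELOPE", "AcknowledgeConnection",
        {"AcknowledgeConnection": {
            "EnvelopedRequestConnection": request(echoed_client_nonce),
            "ServerNonce": "c2VydmVyLW5vbmNlLWV4YW1wbGU"}})
    response = {"ConnectResponse": {"Status": 201,
                                    "EnvelopedAcknowledgeConnection": ack}}
    return sent, response


if __name__ == "__main__":
    print(page_metadata())
    print(check_acknowledgement(*sample_exchange()))
```

The check covers envelope structure and echo consistency only; it does not verify signatures or compute the witness value.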

6.4.2. Complete

The complete operation is used to complete the binding of a device to the account regardless of whether the operation is initiated by the administration device or the connecting device.

The complete request is made to the service, not the account. The payload specifies the account the device is requesting completion for and the identifier of the completion message.

{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW"}}

The response payload:

{
  "CompleteResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedRespondConnection":[{
        "EnvelopeId":"MA5F-7LDW-G2AQ-N4PQ-N7XJ-243G-CH4B",
        "enc":"A256CBC",
        "Salt":"5N4XeR89WnRUPeNN9eehLw",
        "recipients":[{
            "kid":"MDMW-WCIR-FJMO-7ZH6-CN3J-KUZL-RLAX",
            "epk":{
              "PublicKeyECDH":{
                "crv":"X448",
                "Public":"x4NzHBx1XxAiMAvIgZh2htXH9is-DGf71wwvqJh
  jlWZcZds2vBOGHhXCRI85oGRbSWr-rXRNSuYA"}},
            "wmk":"DRB_GkoKIfvQZ7RTrJHrYxj5e82Npx6MPiXeae-tIrWhmP
  rA025oPw"}
          ],
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRFQzLVRNNjItRz
  NYTy1FU1lPLVdRWlgtSVIyQi1ZTkhXIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVzcG9
  uZENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowM1oifQ",
        "SequenceInfo":{
          "Index":3,
          "TreePosition":426},
        "Received":"2021-10-25T15:49:03Z"},
      "T1FrG5eIYXEffmfCQyyc6gUWlbLLzDyAboglNpOO6M8qoFT2MPW8xwZoqc
  sEOOl4nHsPbxOeFfs9VCOoS78oZBDxayLqSImKNQc6xs6thMCvRbnGyZ30TSj0DI9
  -aKyr52FcC47d4ZUPS2u1-egzr3LUUHX623rBjbtz9eIu3jWaqBT2G2Fwa6AE7ekX
  R06xPsRK7exnHVTJZV2P-KMa4fSA11i5SZTgxnX7uIMbTmn4fA-alK7z-EalQ63wR
  L28xpqw5ajQp-1P8F4gXclo_MLZHRFtEvZC-dkhr_5iaB53UJH9tjxPRzgdiKy6nH
  saifrqReQcTrgkGDgUKcN2USIN33wUwIEnmr7dwiJIdFWxqFWMbE-8niOLL4PEkyp
  SNieWNxW1G4ED2sjcFL8wHjD1k892F7Qh6w2D9YlUCNNuoa6-f6o6i1f7h-2IgoVG
  B56yOYHYP7omRCaYk2-l8w-hqITzdsoj1xU1uqYBFF7rapyGAGS1FMHq4_wDI3YSF
  pRckLGEV_MzHPM6WKgXRYlRi-lPPooBDmr6PRerM7kI_EKx68r6XV0q43_dOFoMa6
  VgEvu-kIXdlJLAN5ky-dNrdELfwgF8HFvshwNLvsMfXx9y93DzA8rRNqeJ9BCnsE9
  pSAVzJ5S3eL6AKYsdQ6gJDtfD_Tfcxf0SEBq0w8gcO2Q6uIkRq2YOSVIR_LuqZSEC
  wTpWr8_VcK3iHXcCaoLrFf3_x92QSR5HcrRImBMY9CUCTGLJ45ry-G0Je0ZM8C7WQ
  MvufGTIKE-4z0YnrZKYwfgWmIMdKXv-G54QRHSM_sAxxEd7NF8r6bzuu_kwTJnjkZ
  zR5tDy6Bgsc6wf6Os-QlkJ52VpdBMxKzBDCchH_2JNv2k4rV7F5aQzYnLBP4jWsxh
  pwMXtYTTsvEeg3UTatSxeh04XuvhFeFtiqH9o6JJonJUq0KLw0TiULFnlGXqXIzxv
  PX5PzXfjbtbEFVlaadHX9K7k6ebzRmVSpwWn4h4io78elFkdyLjJR23_ID53IbEtB
  Vl4KqevNyuXLKy3WVZW9jWR1DggON-xG6h1WwyTq9JFBCPj6qkzjI6wz6wTUTiNxt
  PZoh_Rj8PbouzWD62ZmOCqFr9c9-9EHJZcMSMPQAilH0FROao9NiWUOYa_ye2helB
  CFgf8zTBTlL_kZXbpkvm1Qf0YaJUddkSkJRIASLBtreLhJF9QT-9ln42oEl_r61Y6
  mv6hSG6nMBDkI7jlua_HbTq7c0dPfbC3wJki-oj0J_hHO7IuqtgrMDeHih8dsonhk
  mYKahV8k0-J_t02kI92h1iDYbNzAftM5FbfwbzMsu7E1xtMxKdhHemHUZzIlhI--G
  oipVdXUfoUtK4TQ31Q6X5afpnvZ_wBr9OUpWOrKUabQ1DRocie-pf6g_M337csJqN
  lLDpwXeItNuD9beZvjpT71K9HAI2uqDbZwwUXFquDbK_ZsU3N7NYFYRi1_CxgS5IO
  XyJNRI05H6_no9GGUy8rOpoP2gpEDKO1VKJlU90ztjHldc_tEG1iRuFrr8bfAvoW1
  HLrijGIEXQDC7J8Dax_zJj1uRcH3PBhuNYOqQ-Ipa60PIQY-hwC5ylfBuB3bSMcua
  FYWKCmMQt0BX6Q4-JxvD-uYmyslXq3iQBA2VFaR8wCfZrahuUWdH1mmQSBikyk2i2
  KD6AiuaS7RaOm0eHEx9n3dMzOGsL1OpfOUWHqGvLp7lwmpsHDOaYe6fpjVF3Rb4dn
  naGq6nzNH8AGqLglIB2GFf-GPqCaQp2y6fyjeIKFMWEZYpxiJ2fgkGMInN_1Q8WeI
  vUCEzJc-xqLEaVsyblYNKv8YXk8dd-Jw1qoia16YP0W7_aMMm-_wHDYMkU8W6q0GT
  ZVZZHXtZKVnESRC5RsI5wJBrUo-e2-0RO_5AUDKBdpJ1LJBAyF1nhkXA0beha07fa
  fEGLUS8b46pGxDiZs17mwF1PRmnR8bFyXPbs8lGBMYMOvR5NiDZE00kRbEMTbE_nM
  _HzyYAmzClyP4dPtpH3nDXT0hjkf81bxKJ6hMOHP-fX1jXciYqKJg-fJrWkCDLXRU
  k_Yh8G6Vzoh2lEKHhLdw_uHV8ivo4Ur8D1UY1DYsWhab3K2U6a1lFC6P5PSIHy00M
  3GR3egXb56woJROsyiOx7zA1185Bk-2BQkMvlZcTtZOnmuK64yJBchHc0rFR4780p
  4BXdhAfcuNy0q9dtY7Yw2s2NlJ9sbRgnqMfRRkOWChOZ8eDCgq-u5PoTdHAwek43S
  RV7jHn6LluvKl76_EaivyWwgwIKd67lqlvzw8o8yxeDiq3KScT1vDtC1-oYLmQ3Wc
  pqgs_PMbXTebtGgjKCengZ2ZxYPPkJLqU_O5tvFP-kI3SY0OzG73YeICbhAWfTEZ7
  AwbZwxE210OWkJvNMWOsWv3bPfCaaYs63F0TqLz9tb0ASj3glOsWlJALJy-N033Vh
  FvzaUqETHNAAr12o5Zr3kPNtaQ2GtT9zDA2UGlFK0oDs5Z5GDzCRlmOmjfeAq7ITm
  dGBvn1vSjF3R9kX78vELK6JtUXVYTrDzdJbKRKoQFaxXKYFwxKnwaaYLEVafVThW_
  Tis2G_9CVEvYx3oizzK3nn_jJZiCW7z7ajEcLTIJDEC3mPZZKIhb51yWA-aKQ_fbK
  5iJVZbolQGZNmJvYDkpafNMcg49HQ8Nz-b3cYVzoMIEEIjlBDVwc_Xx60N6wjlYUA
  JA-Nnz1YrX2AvOyh5qeaYG6__9qdNTO0h1HXH2AtVJJ1wzvE2jQwFuU1ii__gYE5I
  6RVcNM0sTM-JNNtQDhw2Z_utcWj-7xbCRuqzLqQ-lkKVzMoO63N7L7uPB3jOHCpN5
  N3__lA12d-yeQR47b5JEWHYadeUO0kPSdmIwaEDoGZ7nHhNQhV4q23EOPQ4xYr315
  7hXwtc0sJR7EcuNi-dXt6Mi1-08QxEiedGDORZbMzqhNIsiVL74gfK7YMuPQbwcTo
  MMvzydfSDWa0MZzjHVr-7_uP6fkGpGijB2sYnKzMIKYSneExdRuABNXEgESc0jKsS
  KGDpevK8iyOAqYCyHXXWjzWrrEUhLx8OZXsPTJlHu_IYTo5Ui_2Txgg-9Dp7YPuYi
  yXyl4GXrmmAFrUB0MMBIlt4o32MTugKlfQs6xnCUQLnbPj_vDLJkD4Sb21Jf40H4p
  uF3z8EvPQEOX32zUaL7ztDK4r8qs-BaeD6NaiMG5quE1kktKYPfYTrLWkV5pUTtI8
  YJrZ2lqsTHQB9iaEaPSNaDExpfyiFpM3SdlAaUXoUXMUWm8BrTEf1QWAEWaP3Wrdh
  3PhEUKjuE52zemrctLB5nQupLQzPK8nvODafjMZaIkypj53MORFh3Us8sHxRoauk4
  9QwEg7Uhw-gDTirMIpW-xlUYzoG72AY01k7GgJOpr3F8ZxeBAzKN-Yv0DipnINAcc
  0QnDtoRSnScQsrUWmn_KRyPg-zit6k1DQPNQc7-28nRkWqczMxqyK9O4ORdE-3cpF
  Wbc4N7Kd2iuQawPRRDmcCLd_JzmfowdL3UaLGzUTaxdKbvTirtPtgaGyi95V5lsq1
  0yvI1B8d4VROuvFVwAl6TEYVeFhvtJyWQyWSLMwOG_8aVCyxI35rMSB2f8bjwxAiF
  LO50tSUen9waUV_wTIuax80VOjy4w5inXSF6BOSdXAJso4KJB9j42eW__ATXfQivf
  Bdz5bgvUXucQPS2GJTF-qkLUQ9nDnr7uSzB2hl8D9DCYtid5ahTDGUEsSAzjMk_KK
  qVw4fp3GMoTxhoXs1p708VFl6tjnqPhH6-EC1X3pmglW95raBZAEhc2TZTgjrD_Qj
  pPcWAsEqlouVbU3Q8dusGPGIx-WJfpGi0ZHznFoTqDoMvFfSu-UBeha7gHzudU_hQ
  FoOyvFBUij94F72hx8vVKbc-iLGXmw_tSicy3kHfCXBOTsoUaxKYowKMl-SsGHDbG
  jPFYU7XWD9DIXrYXwFgdqQ_bWh2lXLFi-Vvn0JxUEN6Psb6hYAA17vAg_P47NiAo5
  0zkAPaoSh2BZLqQlYnAsFmy9zMOW2SceEIPhiqwkn9e1H5cSYnr_a3KSgaLxV-M6A
  Smr73KUzb-kdeHf4Yx-Hxm8inKhwkFNbIyudnyS-V7Wa80mvlgY8th-psFBqtGgpk
  Mpkj7pOM1-FoX5-E121Z95Zdw581VQ1iYg6V1MQXPk17qBbX7xUYPWgQcq5XxyTq3
  zGKo_OIHNXaorhj3eDoUwso7YQeJhsONcxmrU5jiFM2JKVsLWxlsWaAjsJt07Coan
  kQCXZ2h8XS5jB-pKcPx-072s4chxwFEY48cEA4zadPJeqZ9DcUr5OQhfgVhdQrEt9
  u7N4PbP0xuH7xINQ4hkgjfH-oRzPM96uRbEiDAFl1L62dV95JdKPr4NP9k2JN7QOq
  n1AoFLZB2Apz_nU1oT8EiJb1DzocQZ6e-xHQgdbUx5rz4fIREZSpQo5l_swknavfk
  wF52a2GZKk409OjBnrNKMA43iDA5gdmG_sMzKB9-0e1clj7hwaVOTamV06KNDzvnp
  fG6h_1nCoGubSxNurRmaNYfD5peV1D8icPOcDOtTJ7RpzmSqp8OAFWIZ7NU3cNsNd
  9E_AowNSmL5kCfHz47vSgRGSnILJAxDlC9A-0cDl3q9vroUXggVU2nJztC8ngtL71
  Yy3VIDhMjDmOV9aeCpLhKuzS9qjKLCrF_SexHWX6AfpgjoKvf9A88doKWapx6tgsi
  i4y9ms0YGgphjNgzDW-mXR5wW9QRH3iMYWw-lu6yUKTeg5pkZGEhMu12Ppql2ebej
  vgFYTWdGhT_2lwZbIFOOBhH5Gnn-bmqR3Ow7K0KhXb9XJtQUOgSkmW50OSQlT6ZNT
  01OxGtLuROdMjj-DopqD2gJVKmWCPtjdsuVyv_HZKtgrce8bOCxS7OnsWDL05JdVu
  uel0wOsya3HwQScwaZRt7OQnEw6r1gYJ11hxlL1AKK2ZzyRSSVBl6WPfXjQnl39j0
  mPooM5Q5NfdQaFkjIqjOlu0cMJCAMMeY7B80R3evBHGTV7oYvarbhtoDVDYfB9g-b
  O_5eICs9EDtD-vs7-VGW4TQNQOxuRmSzvYgIGZlXH8R1HWT7x6I62fBM0Kb0L2jMo
  4G2WLGuhey_TK3yNb1G9ozxrMm-xZVrul20vkKmJu5AJZLGSUir4vm1aueDqC4pDh
  IbmVRPLk0NHDfib6ffUcgEpNhKpfaO4yr5Tzkajg6pIMZ6wrwZBaySRvNM8qhhHZK
  la1s2peaQ-ym2OIW4M_TDGiqj0E0rwCTsr3mLcMjRSUajHsNFtRhqmjsR6eQxdIJr
  Kjdk6rrKCzNYD_hg_oBb1Cn-NyLR-zUh0fyqBNr_OET1tr2HkO8rCqrItZdEheQSe
  q9of4XWcJE-VgW-VeGwlGQIHj4FVVGYaSr5OAJSJ6a84Tf4iizbBPzEfdqFpyvm0L
  N710E5_wdzwQZgXgSEnR3PXvecjIyg_gS47QBZc9k06rCnW6dgXK1lnYqsQqRt5bK
  vCzDVkXFjkcDieHv0D3z2XPyw2CM4wCaotLTD5puJzLwp2uweCq7HtfPulksyjnFD
  VoU0fM0FvH8rJaAoOMV-rnX4-MHcDwZmMK0RrmVZfFrJ0TJcR8Ar35PRAwh1F1Ur5
  2XTtF74Fi2vhJOuc3_pO9AGrmobfd5zfkCtVXr0wM4dTvI87xVmFW1tgzMtgGOQzp
  BEZ6P20oJ7zr9ZxfYknis5bV7k-cF4ZEwO6fTtFl78heHTZY13uAk2vnKdMGmpDs9
  cc8ulCDc0AOg0wQyyIxRL2WVPGJCpSNlib8e9eAtXLffYAiQZ4bb1ZlIUoH-G2QBs
  NL9tL8Gz85EB1fZU05TRF6X6pI8vgGgOcEQl0-9Lnwin0YLhr23iCwNOvQnh2WSnw
  vgcMsUup-FlX0OVrX1atcTBffJDCYNc3rZsTA2Qs3Qkl-JthYvZgAEIQXzxE_EMoS
  rIRpRbcKDFQnQ998yCh3dbJfQA3rayL6ZSqONhuWf_SqL17NOZCVPzPvGE3GOnSAa
  yCd0Uor3NZyXOdULkv3Tpi440CD6nOatAV97Hq40nnpI-K4vIWt6xIfBO-Tidshxi
  JgXwZQlwcKvzShL3WAUInFCPM4AF1UKqTuKdTQs1DXQuIoZZxFf4MkCt037zfdSR7
  C_UQFbVdsGkEcRgpL2JE3WE8XTqN_LfBX4X0VspT-rJUXNKQDoFZChLFizNasAGyx
  n0DzzR7m-LLwHZY3-rnpwpiUKKRNT3a7VQtCAsIQazmh2sqM1QyCuaDisNl9_JIpl
  32rMBYwvs6iMGVvPwyA6joKdUNBzMkLrIoK0e8MAEeCkk8DV-TNyYgNIEm8MRwA0N
  YHJ17fu9xlcjGiyMt9_g27mCgY3oBimsdRb1KEjGSGT3WHDrKCJNGpM77cp6KqyDm
  63oKN5qLlt1vCDS8Ni9jtRIZbUn0PIDmTTgj-VKdLvUarNFnisyIZhxoNy8emjpsz
  ct3zCpLpQ8UU3rskSPBuJu02yQZimLiM9wGnhrlvADdxKY6k1VZIFeONv6U3676BZ
  eMzVUADZsIceBAzIpPf-uqCxFnpjWf8QyN5tg5n99NIvsVflwQUYp5hnVqdUBFg2_
  8jKWv3xJ9hLWnNigEvzrW4s3FuludlZkNdjs6i9sqeYvwSRyGZyjC-XtWhdALlsMU
  O_C4UhrS0vmLCpzGEvIUx3aUYQUOOvH_-_4t72mQIeNpZFEo-SMUxWxc4AUpte2fV
  Dpn30NvRNCIa5m7SyH08A92Yv5KusVeYYxUd98U5F-3YRh-9G_LFFbiyvc5-R3EIY
  sEIqJnT9op7o2ClRo12HnO6D13Q1tv1Qsu6AMDiAlU4BboteV1dzLpyaxwk_cy7Am
  lcuE2Jx6BQGH6n8oz-iGxXUNGy1-Q_kA0DtwvSL6yTEoL_KfmKNL2lSS1KEGeq-fQ
  -L9_FW8UjXvizNWDBTByGEMtxM6hE-3jJBGMvbgkp3oBF_jrlGB2Jyb0QpsFRTGDk
  2x1mx1G7WGDL4c5-G1J4L_KpgazJ3D9FNJkKbCdKRxeHUTVgusv1LiXw1EN2pohyx
  U7Cnn8cYymTUWa2iF4t1d4HBfiRdWWzjTQjxYgYJh14xUPcPBfttqyNlFW-_32m50
  Zo6N8LauuQjmAk-YMc-EEbL8rNrkCk5_aRV1icV2bpkPSR1EYAkF00ATbdVgGcnZE
  bJQaJHUFQYkfzSimhSs83rcNHHIz6_3gMJfZADdRMFuq5OfjrgttFehf00Cbo8glS
  EAtpAnaLKEUL9xzFiJE55Bkunn35LvhfZc0VhXZhhJXaNASwMxMIClJG-mT2nLFmy
  lVBwHncEdiMa6m8MXdGPCFAD9k_ndE78vBzdcy3RvQB1kqrkDWupPmEyr4Y36jidn
  rGmKeQTEQXB3h1m2N3X7nWW5hHNDSE22qZ_TK-_5zYnwtfRiDK6oQP0HX9jovPszG
  35neiY40tiaK4Fac88te4haHretD-4lwnulNWK20LiGKKVLIogoy8rW4mtxu1gp9b
  zDV6ETbJ_QlswnIGpksy5lmyA9H80HrxXgzsV_Buf5vtE0y_hVDn5vmrL7wzVOjqU
  L4Co4M_E-jMvGDB1cgfVu91yY3VVC-MFp1ashLuFUdrzrwiHPwnCKB6wC4BmNgrrM
  UBvrV1gtevVXX1iKoZFHBOF4yk-LvRWejr7QNw6nsdjJiv9hN3vp0vAUsz4I_lMlT
  LYKfB9q6C825XytaXQ33_K66ds--4RNNGgz5Ua7EgCtTJhJO3xrlV3fmSLH2IDPzh
  2aMnWpJb7AHZeeH56lJQAbrf8SlKdHwp0VM0i-6IpLrSO8g-5LJ20lM1ybZv6izem
  V70_785ejdrEby2CH_aYp_2JXHG5REbTTdi2-ckSMswsiR8FZfhYoRjpQjbauxGId
  4SXU-phA94wiUqRnS6VryqwuLpjOna53E88ohyG6Dr_K9GeiXbd8vaL_zobZt1m2m
  O0V5J1pdxdOHmUwOZoVHPvDQSDeDR4s83lLDpsFUHJqkMZ2YTNGf3EsB8hFvqwaiB
  Aqu-G5o19dodlajRfcUkTemyqYpTEOq8hzhejYNWRt54f60vrK5GVqyoJIdnfXxcp
  0cItIAuWh0dIyTtKJvdO2zm9Xg0lgvCkd7GhMeeMUxPe6_0TdpHT2c89WC5LnV3V6
  xhPS1eJjY66OzGu-9XCxNLntyWXWqESHNOTg7ZMDA3qWr09pk2gBka1Jozi3UsH8i
  mnt4YKrLJ_jjnDtF1W7No2SuWpSYXnw2-7YflNtLluf-Hl95Ts82HY7QuCvDbCemW
  GBFppe1hsKQg8Xii-5O6AiiYO-XDsPxijzRACm2P_A_SBsYanrgQwz2-E3jGnfnMm
  DxTq0mWHWEc2k7Jm8fy3P8F_UWSL7rPr07VrEK6tS7UQOUiSnbd_B_ZSjtV3a0jeS
  T-t3v7irfzfVRkhlQiUIX-aDiBpNM1I99aT7iVFw1nxm_uQdOXGHqFPRGjTHxRqtd
  ogXXhbK2fqoVBk73eaDZAR7J-g-B15CnTxnIAoZEB3azd_Dp3At2PMpBuFiGmAqHj
  2DgoJx1RWrQPPpX-ndBxlm7YVL0RI7FfNPSdXtd3prr33gw2v_tciuLLjaE8A8gpD
  oGKtgS2mvXnM2yDzwNQeZVtBmWOqEMnkXu3XbQjWWdptVFrl3K78KYvnaY8o4viJk
  D0eRQxGXq0JPD1u3g3uTjVkbkcvOmZXpBPhcNq91b5Cuvu7SjOx5ANy8Wh41Y9nBF
  JAllGKdeWyjKLZhWfBhGxEIimHFj32nJHYds2WJDmSAXAqQ_F32YF6UT9ZAegeGQs
  bLbX2ccyZLo-3RVDDZ2_1UGZYbx3wEH4M9XqOLf6RtGFfgW1_3PLF3v1N17-wJ6jb
  qt4CGrvIcEdXWsfw9PKcauH36081jFEQnh9khDoZ-1BWQnjDBFBEHQjwR1ivgwryS
  Y8YCTSWUhiSBreJ6fAgal5J2k-PrjIa913qIuOInZ-irBfG2zMtpPuN5p647VpRT4
  lMl-NM-SV31gzE3va4vE17T1nZX4joqG55ASER1gtZKN2oS4OqiWvpr8dJ3b7IUPL
  CYYaRZEGXdAw38n68t7PyWvzFdWv8yUXQxiYHJRcF24ROGJeDBxjwkKTDJEzdapmI
  YKhXaElgzD0islRK8O5cQVwv1yvE4MY_cbnLMvcs4lVcQEiQqT6VuIrCiq3rrXvMA
  C3woX-bhn1-cT3BZIBKjlx0_wat7hm3ZGyNVE_jcuLoihgXBZ1PMNQFJGQED3PVhd
  xjqIxPy8b5wy6IEX37uL1PwY7jk0qawfizmn-sH6Nou-6QY-tqQCTjFG5BXZlkzaK
  hWKIaYd7CC965r_f1786rzLrLkY46Fz5wLS6qVbiKvcAGTbdkNhwAf8eVYWqbWOO4
  2pgfQ8YYuTEJRZtULsVIzTaQTonW3dG_AwH_bUsRz3mrNPXImv22OPZsoqcrnETea
  2hx7gVSWN3f0SJNHjvi4Tls2QLmO_nuCvgIlz7aK--PFT8u6DqYgtAF-dnHF0J_22
  9_oSbXPasJlno4ajosMs3nE6lpJidLH-rOEaLlVmQJU8rGYaH4oqu6etg5dAkoHdT
  nLy_gNHGkArhPMqUQ8_eTg1GFw0SGZDWmmI-X50xyIJ0OMVVO_Ohr4ogphvZWunCG
  2VB4FM_mn6VsmtiMrcy9o8swKi0kbS9hJqAC0dmIiDSCNougEReLmtxf-yRZnqxtl
  u9qwURK4EKHq8m1M2JiN-H9-HzQjEj8g7jZziv75l8gdwDrMM3uBSqtarni0VFs7F
  MRbg5YYofnZHy0VQH_zyH6wrRrjfpgbrU4yy7pAy3zFXraSHff1eHiBsikTzm9sBT
  HZrjJ8iiwtfIFiqUIEIUm_HCCcGG_wwMSsL42RpAQd40y0bFNlPUquQWf96Hb93ld
  MUJZHvSRoBvlVMdVdgcmbQpK1kYoxGf4MdupEwYXrNQnE67uu6ry3WHu66bhz6W4F
  bLutQXKzVpyjCiyOP94LmeKLSe5r6zHUT4wRqEEVNY2o3wA4R1cKIApCIknCRjDXK
  sw6WDkoO-FWgWKKMEGBwW8PizFKujnwPN6l_FGDgAS3pXiiGhd9NR3LQCKDYc1yGi
  m6quL-DXu3BGRq9f1BqILOw2Ibm_9XG_PaGspQPFCY6Y-5WjK3jODDzW2q-xnUw6Z
  7MIphoX-GGICwQmybh47MqJlFVTsxna0xIi4q-ONBxKtmk2VRPE99KYZq3NkcHA2E
  3F2Cfar2LZ7Hp648b8yBDG-GTuczVzSpMhPNnfYhYzCbjtXrni6DkVd-jQgy1rXW-
  -Ti5S-SxrMWLGo1S9zf0G-T8o1lEjCx1s7miY2Asf3R8GpU98DfIibJBj57B9xLFy
  latdfdR_oYIlHCQlaKVowF5qmOLeua2vCH4YqQpO8NeV4D1XdJSdMY1nq3XFSbyGe
  wLQnJ4UFEvvRiMcCCp4qPWWnFqwrNmJwKo5X2fy0eQaMXQf5SY6gxNCZG5reHjAzM
  uUrgs5czDZ54YAhUZDJ-1FWJAKY6g09X5byDGoISNKMzWqVOxCKUQJeIBreVk5fmp
  ZwkZPpYOC-uL8hGw-fvyzGBQ_sksLgrB6wkpPbwReDN2xlDx4WnzwA3CDY8IF6EzS
  YzDrVc0LwLfX3iTkSy6zh31cbvPZzEb_yPSMyUkC0bBLckrOTIizdRa6khtqTJmqI
  AM7YmeQF81MsquZfxD68o-op0Z77GQxapVADOjy_h6ZURpilVx-rUjW7ipeAjGplk
  VRJvuSkSf2KNywiwbcsZ62lJi6LKLrB_3-_wvI3VreBaZ_P3sNySMyi1Sqm7mirBe
  lAzIctYI4H9ajp0U17xLF4fLQFFj4YVlIrh9ObUFcQIG8OMbw0L-C_89kjaT_Mj7J
  AgrYhL_LHrVgE9LEW86H4f5n03vOlYw5eeunM-FGIjr46Kj0MdP9v2i6VlzFXm0jN
  fPmepOVPXBEqK1YHmXZCRXFm_ujfvsMXuuJs3Yx79OVdOIN-vQ16YOJu3F2v_p8BV
  UD-UQLhclrCanwPZhtpkkJp-XdwOLRNRicPPkbnxFL7nkatsYigWoQZGcaw8T2Nv_
  NQ3UAzc_HsUvtYFW8C-xkIk8fdwDzBcLD1yAKnv2dQ-tw-9UtH45tri9r9t-Q1Wfg
  ugiHDEo69KNOLdNMdmjTSq3rNlO0IDCiWhYYvMQb6Ew9px7ALvBBT36sk8dJU1hby
  fO-_IdXYDMD_GdSIaEWlylBpasMpe0bFtUIpPDn-MKX0OLlBVkflUCF55y0fNC4zY
  a29oey0BNd3bCmvXXz7e1FZ_vy3s5wwYtIyYi460oU1QgMwaxVxRWUwQuH0VAhS4J
  F2FDYYAZJWxbAfSphYlYt4NuRgA-wadDq0DI8tShOICdIy4vB-_qgtSGjUzQbHYdh
  DzN-tMC5OzOlQCoCjO13f_045qAMnzE5MwOBehatGLyaPEmq4mDXZl3zjitJoMeph
  L7P-WX-ttlH0DdQEq9hhVtazd7Gd74oEZGTHsqJ6dBalpvIbdzzkWyb1D6zEvrY0-
  S4Pf9f6yK959m8MzLj6seBcME1Wwsu5Z9P_fncjs_EBqLs7ndJ6nzTqXC69I153ED
  L44kPXOT2k4FhU8T5IbWwiIzeE0WY1Z131ZrnWxHrxpn2pTlmeGSD-37hH3uJFFFQ
  Z2yvo2oFdlN6Pr7MNw40xNRNhO8DWnToh6PewUMk1_SsHyGjePhIIyuM7eoPtacwG
  _2isR8Kd_EMh22wJuPHmqOK6j-nh9FSt197E3Kmy7j3kBOTctm0RJVAKznNy5ymp1
  jai901f7UrYgumRU-GjR2lovJqP5ooF8FAE_oeT9oc9z58o2qzLPBQdqGoZRUbbSL
  Q5KAlKDXUWLZVBUpGiFSV4qTpH9LIYtjao3egQHtpfcPZVYEsFn52y82zFs3s2t_5
  IquRVJxYXHayR0JYzl45WGOS0TQrUI4SE3UsoEdRZHLsWO2WoRGDitx7u4GjvGgvz
  ROISFKGQHZDSw1m-ZzTaWNDLhD9qqnsOkswNG7cQA3MUh1hqo_uHKhdKhkiR9pvrl
  fuF-Ik8kSvQyYcqBMp4MFXQkadhYbFXRpMMxCO9ShqwLyQgkFGbiVc2RwKoz2XA7F
  hhNBK5PI7F4_z0sTcGYRFMYSuvL_uV9yCdweXblPpf5JkyTwRaPClYR_jJNeIRJ9a
  iYEvXbvQDigTQPMvC3rqu8JIGaB1G0O8wg0IHK-5--GOUKi1aeawbZ0mgFpqmFJp0
  2W2L7kleUKBNT1LlHFVHOHZYNavKfgRf63uO1lI_hsONpm4QED_Og6xhq6jHqp7a1
  0WdCSbzDpBpqzsPj5BNxO9nubaqVT8L81JUQrPxvMcVoXKwf8nFlI20zzad7yGnav
  Yye9eFJH-72gBCSZaXa-cJAx2Q6JTMbMeuFoCB_a9L0ENTzJG-aklTd3yiKILQpKn
  PCmCQm52LzKKdGsbT6eqdnAFYiDbWKoHV5f8KqfrdSwB3RmvuvQiW3W2j0Ycdbctz
  GxImGXCRNrteBbLCpr0k5pVxo0OdF_AFPhtL7t_Wg-xhjfg-u_Wy3uY5CnUGc1u7X
  nNEg00hhnc_8L2icwlIb_enrluwV2MgCEGP5IHXmdkILlLFatBWuZ7LO5Gp4F5Nxy
  sBPf_ESk5zyVMT9R01sXdjj8mfl5HKcyM3_orH5VPi25MBHAx9m9HW6lmKP6oz13E
  rhJEWFOTKLRwg4rAfKypXMATRO4ve9BcvIESoXwS3FI8pCy0zaaiEaH4kBU8at4fy
  uV4Ph7Guydy6brlZS0jOGGhNQ2LLlZ1SfN7Ye-q_MC9svxsbXwcxQXsWQQsWPKBYa
  0TTCX0QYu3Jk3Oi8xAdCmTtssqvEKYSe9Sm_axauAQlISZDPsT53h1iiKbPRE7SCT
  ULWA5S2M9X_IAoZWj3NVTR-nD-A6ntO-hOdhhaZRth8OX_ZO9bXW8hp_-B0aF3-dM
  ArCboXMa2eOx3R11sQgnvRsQNeeT6mJutjdeEl7AnOj-cAUze5QEJc8EEHYWQyVnD
  ZSA4kGkC4hxdd1OCgKSg4hKEV8y8AyNYSHrKhrubPKLqeYg4-ye2niK57PH25uqir
  p6nnhLusFWnCZKNAWKGqWq5MgO5YUCbvTrJi9u5dy2Bv7mcGUdCIJyX8P9Fzcdj20
  -XcdeoMMOygqOhWb29wqBnQtMzRHSFiIv9yMwxiNsJoWuoqMTWSkJosDy-vKul3Et
  mNjPSkEeyyo_MdMq17dJFE3kRlRluWypBFsa9FjzDwlAn7ztGkwyZpYACrwPkry7e
  dAmUQGyfAL7G68j8faRrVGHKsboal5ipZVX5pDOAmis7hUa5BEKvPEYqakm3T386O
  a_X3UKd9zPNgKEqghqM4SMm8GhTuR3rP3UaEgoIVj98JBz7Np2n3coAnUxertKFcv
  JZqadvj7_BTSVdKk4eEY4im5h1KJapIks0bFHzK9Pgt8cAzJOEYy2UCa4xvLY3VGk
  WYioBrNpdIWWCdMTGJrm4Q_bMWNbn_bcQL6osNxjLCs4Ra21yR6opbwZj4hiZQ0m4
  ZjJQs92prkkNUR_dYjttHPCzaqMOhS2oBYZFaOvI3xhkgrYI8EIhxAiUaPvSy2g7i
  wfeF8fcUrTvA7nRLhJWsokj5GnDyZ4rK7a91zW4oaCvN1yLcFXvoJiXHPOAS5vB3H
  1q5nqQkMMEP2dnxOlaNGkbNxcwfsU_D1jpJu92FL5N5wufAPHrD8gKjBOBRJAKj9-
  3D_CWIexFq8CKM8bzWAUketQEBuML_6hLKLnECo8CD_0a6yoxlF6E_OhG8oI3PT2Z
  vh3T3PznbLJzquKV_h_nkDFHNJCtljLcTtckTj6KAlYrrI-nZHiXj3siK0N07tOuJ
  CorPLhy8XTMxawSzQ0OHLxjvKOhdg7XyATii39RNocazHl8kT9dtwWhkZrWFAYFGW
  Hb6_pwfWoziHPOQg_HLT-5l_xbM_4xVTFvfT4IRs8sQReM56Qn-jjb6xgFZu-6Wus
  2sVX5YOxkBma_eQj-D5iR2KMyft5XX_JEtV-9tiGKamy5-I2RNK9DICNzYMysj99p
  WS4dduKlR9bd4c0zmHhODDo7iGXa94nliWSuNJoQhM6FghGlhYKuzRbv0JIF0WNgE
  ZLBJob8zoKh5K8zMuW_8ThFTjBeRIeGCR46tOaFmSau4cdzo5y0ojci8zNN_XYvTD
  CMoB5jUXJQTi2zHCgv7X0V7Zk2ZK8vzVCq705GiHJYOVsV2EEg7e7MYHEczt23Ek0
  ar7uJV9Lo5XpeAT4tRjkETupu-EVePJEdrzDP5rZehRlfJ3GhmPiJFtEzkrXKhzcC
  c7PvU5BaQgoEtmMs36Kfrpxc4qj6x1UiJc_4yuA-8AQFmynmyN1D9LCFbY08DsOJ6
  zxQa1hGZdRsDbhaqQqMozUovOd8UtIlIJAM1SsIHXseZpaDJ9Oke80g9Mxosn1cCC
  eb3Jn66Tuwe4zeMBJhPloIYLOCx-90LjIReXNtEc2RxTaQnUmIrRu6-RWJcH5_xjM
  7zK-rkqCY1rPpZrJdQzWpaCKjYpdzZO0qhUBAzs2M63GjS19rwuyNSlaBYD6KOgRB
  KOCv3g5-SsLlmP-YKr4olIVUOQPiNtDONcYnvCgVj1Bv4V6noAxI0rdzMKy5YJlgN
  38HyhpUHCG-RNM4nMshBLUGS9I3Eq7EbucH3Y17TOpGPryfCALnyL31DAzGc92ApI
  l-ByI1M2ZgIivCUIdDxwaSJSfgdUweELFx6ZnIdz3ZfctxPs5Enh-BBVa2KrI59Sn
  jjafNHosP-XFMM6lh3RmvtfuPTOIjxnsab7p9ybEiCDuF1ysG98vfk4uTgyCN4AvL
  sXlSFLUIkqwl2INBUqwJEP2KyZ0Xrp1MQXjkJ4E1PVI1jZ9EsOLL0O_0uCUPkhx9c
  f9OY6rpZRMvtTTuA5Sl4w2Ukp6QBkVI8q33BqWmhBYw4rtf5fWGDWRCy4_A1CVAPA
  WOx5bgecflHFQujVtzczrIJCOMqbJI2PsmOK8EyX7hi6sILpAcWqHE3n_LXekkde-
  OHgkSahJLrz9LvPkwgujTb4QFF9RSjClKvHVhtdQPRIlUmpPZ-mAbS99v_ddKY6ED
  c_ZC9VFuVtNsbyvlEXEzdUVVmXx0MDw4zHRDrXTaGUN7SbbxYYxRS_nrjk49ZpJ3D
  CWQ4ciyFFRXjkHWNbuWXQiVHM5pDBd7y93A6QsUQuc6ZhogLpGAXy_SQU49JtLFSg
  REVS5Ln_J1RLA2AAzIUaKNRKgcIVgFiBhtmj330UN0qxXb7tF43CZo5WhoFTjRfPX
  VySnHyClLNnaWkruZbtFzPDs3j8iti55s0xaYpS-DTuH_7vwN2N7AX8SuuLL7DSEs
  Nkux3o862Sk3xWSAnWuI02VO_YnkW0mvLwwlqUg9bD3oVxd8KWECiVCI-MRDZOu3L
  WSKXC2tptETrE-0evg0txQ7AN8pr-6Pc5ASY-kBQViCcszIdS358_pEUgzAntiEs4
  jzmsYUwUrfQsGP6Wg7Y7K0pdK56UXxQQOvKulzGD0EK39T0GogXu3rY_5lNWi2tpu
  ZSZd6euWeMl7tkT1egnovstgASeN3JO",
      {}
      ]}}

6.5. Publication

[Future: Consider eliminating this mechanism entirely and instead using messaging flows. The means of achieving this should become more apparent when the problem of publishing large messages via a pull mechanism is considered.]

The Publication mechanism allows content to be published through a Mesh Account and retrieved by means of the EARL mechanism described in Uniform Data Fingerprint [draft-hallambaker-mesh-udf]. This mechanism is used in certain flows supported by the Mesh Device Connection and Contact Exchange functions. There are two operations:

Claim

Post a claim to a published document

PollClaim

Check to see if a claim has been posted.

Content is published by appending an entry to an account's Publication catalog by means of a Transact operation. The content may then be retrieved by issuing a claim to the account specifying the publication identifier that is authenticated under the value specified in the EARL.

Use of the Publication catalog to post content necessarily requires that the content be smaller than the maximum message size imposed by the Mesh Service so that it can be uploaded to the service by means of a Transact transaction.

Publication of large data items will require modification of the protocol to support use of a detached message body. Transfer of a detached message body is outside the scope of this document.

6.5.1. Claim Transaction

The claim transaction is used to post a claim to a document published by means of an EARL. The claim interaction is used in the Static QR Code connection interaction but MAY be used for other purposes as required by Mesh applications.

A claim is made by sending a ClaimRequest message to the service to which the publication is posted. The service responds with a ClaimResponse message specifying the success or failure of the claim.

A device is preconfigured during manufacture and a Device Description published to the EARL:

The client claiming the publication creates a claim message specifying the resource being claimed and the address of the Mesh account making the claim.

{
  "MessageClaim":{
    "MessageId":"NCWK-7ON4-VB2S-3JOX-6QYI-EE5V-QIHM",
    "Sender":"alice@example.com",
    "Recipient":"maker@example.com",
    "PublicationId":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
    "ServiceAuthenticate":"ADQX-SBRA-6ACX-ZGGB-IU3L-2TZS-TIKZ",
    "DeviceAuthenticate":"ADNB-SNE2-GEL5-GQQS-JBUB-TY32-JGCC"}}

The message is signed by the claimant to make a ClaimRequest to the service:

{
  "ClaimRequest":{
    "EnvelopedMessageClaim":[{
        "EnvelopeId":"MAKC-IPPQ-POEQ-P2EL-N2FV-OLED-GPIH",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQ1dLLTdPTjQtVk
  IyUy0zSk9YLTZRWUktRUU1Vi1RSUhNIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F
  nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD
  cmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDhaIn0"},
      "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiTWVzc2FnZUlkIjogIk5DV0
  stN09ONC1WQjJTLTNKT1gtNlFZSS1FRTVWLVFJSE0iLAogICAgIlNlbmRlciI6ICJ
  hbGljZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogIm1ha2VyQGV4YW1w
  bGUuY29tIiwKICAgICJQdWJsaWNhdGlvbklkIjogIkVCUUstTFUzUC1WSkxULVpQR
  zctQjY2Ny1MNTNMLU1CRU4iLAogICAgIlNlcnZpY2VBdXRoZW50aWNhdGUiOiAiQU
  RRWC1TQlJBLTZBQ1gtWkdHQi1JVTNMLTJUWlMtVElLWiIsCiAgICAiRGV2aWNlQXV
  0aGVudGljYXRlIjogIkFETkItU05FMi1HRUw1LUdRUVMtSkJVQi1UWTMyLUpHQ0Mi
  fX0",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MBUX-YI5W-NTAH-UJN2-4FFC-4PAY-NI73",
            "signature":"fxh1PHK56aMoB9Qkbx3Kcv4UrPQkfGRCd9LwW4Un
  3EcR_EqxpWaxZjcXFqdX6d4j9lEStBR2QxKAE_GCYpaXVOLOAVTbb4pwaV9fLDo8r
  FtlKfnFFoBZMslOfqcKsJrAnc4AQsT2H5nu6xZ0dq927jYA"}
          ],
        "PayloadDigest":"wMSgIvLpoj69Rw_P_YJ7yXYvo18eCvgU3Hd8DgJ_
  07Jv0nqIkC4sZMGFGW6Ntl_3PVwk7bAj51GVrPwqzZ12sg"}
      ]}}

The publication is found and the claim is accepted; the publication is returned in the response:

{
  "ClaimResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "CatalogedPublication":{
      "Id":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
      "Authenticator":"EAYS-MGDB-YH2G-DWVI-TTWV-4Z6P-UVLM-FENY-Z7MP
-7ZYV-35EA-6GQK-CHBN-K",
      "EnvelopedData":[{
          "enc":"A256CBC",
          "kid":"EBQA-ZKEC-3A4N-DSSH-TQMT-6GON-M6G3",
          "Salt":"9PKNerq6mIRxK2feTIUJ9g",
          "recipients":[{
              "kid":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
              "wmk":"W-lDFznmpNx2ZcN6_eWCG0ja0VHFV25k5TVdBMMYbAPc
  ZGPZvLjlww"}
            ]},
        "I01c378amieTGSky6lqXoT8infXsu_EwVamZ6Lp3Q_Ent97vfxdOY8m1
  g_eUVW7ui1Ede6raopIeC7ZWHdZOlfHDV7agFF6-X_5CmpIDCTl10ouL-PIVkXJik
  2FB2KOQGwVqMHPrPu6HpeK4mIro0OpJmGJksPiBezVxEq0NGzDw8nbANsxr9tSdsO
  4sJuApk7IJUZGZ1mSaOdqUF8byioqACRFXDie0-ox23XItR7IOwZf--HUIHnPEtnv
  _cxEwCKdAiYus1x3n3WdAxZc9_rqAY-FgXic0qZetde6uHOapnUeCTdnHS3-x84DG
  1XaBqthhHMhlwFz0CqftYsB85EjorNKIjw_mwqMmX2QnVSVkhLKW9NdA3w5_mzfd_
  nJk0SisY97xeuIsl6-imXTM8LEdyQpuiilK7R5qr7ZaYFya9SCje6UiOmbL8dVqjF
  zvDTMQRQ2qnYJKAGDI_Z7P8ehqHkpRB2ZDF-5WQh3JnvnYyW5GTJwNgg1ig2iW2pS
  QqIXd-Oe_DCLITFgq8ncfM7mEhaXcJUQe01Fj_c4a3oOlhfmv2ts3iK9dieba65Kd
  LOWaHaU2P0TivQQImMg-3WhCWfU4MbpQlQ_3yEZ51QPGVeUIV0bj3kc1QbaBAlJaB
  ch0_E54A9TRWz2xmakyjrEuvSi5aPVd_s-U8DrSDR_YqXSedhMwSBdGqcW7nybFMK
  gOxomDZyHnEbNYvwN43vHFDuOyvQWs_dRRe97ylx27VTcAw7AhAt2s3rMZeBwJYfS
  rJptABHFEeXPE52g6oSuzrHrG3P_ryAalSh9YuoKEYV4UXG8_9B4d8sOD8s5O3j04
  -7Ix1LhqIrSDVYBmn8l6l4nJzSs9_9sbBWtAUIozPNL8LqhbDd1-qOGNjNyt9sQqV
  QX76qD8HB6EtdrrZsoBewmwohlLIatHJH_909ANUD7tFJONkcyQAXaU64B-j9Z6rF
  4vh-9UxYlbbHrOhi9C0kpbnsAsAUzltg8_IvnH8JSTZI4J13WYWkYTx4BUjggX8cV
  ekob4ZZupdcfS0UnNjKNqGDjQ8IJqrMWfqLllnnBQWpSxsRoRp-ernxQ_Ax8pnWtG
  oMXA8yc0WwAr4_S_YQQ0TVxA5KRdQZqF-NC7NX8tacAS8CdPfJwPhjebhDgKwJv0P
  ccyjqJ8HFtV9YsHxfQQjyxYyA4QT8bvgI4JtJsa_YQ5Zw92tyhb-SwKHNiwnhVrz3
  _z6vQPfPdQJUfMtz6GC13eihC19_0vM3IPATyJcenZnQz3rLOm-cFseviCxoLgN5a
  LZGCrvlWrwtfN5-evHZF66guRy2fF3BSM4eUi71r2ehU0kYJ8vIjx6NVWzjL-Q2zX
  1WHL_bJOaLp0yHV6_2jOTBnaj6QT69Dp0ikXwEEtVzpxVUKLHbmpje2EXXIzNVlFn
  MM65KPT4OzxyKONsq32-xxIi5sxS-woyXxtDv8atRbbE0KPLtLfgianqok9rx2WuN
  JpjjpGcIwKk8O_1MqFotKIlhVPwCPza688bi4lESyruslT917HfyVyqfKrDyTjAMK
  mYAGkVaa3ASVudNyhJP8rQWwwc_qxruMMQrCe51JvKh7FwsIL14dT6HFnaNcLXSDE
  LU7u0_jcViwpu-EysogSeXJ0Z31yG34ve0G_h3K5dN_hk_6PgfK-Soe1dhReVrOb1
  JWM3oUmKUv0Kx-XYvsWB_KiuJWRqKePmIhWo9_uZaybh21PoJ75Ct5b3Qk9u49RKf
  _x17YE11VQBMdgsV7TS2Qpw0olk4yNg_J9ZjTu1d9UBjabTG0FqdYkeEscDPyIoIq
  7DreogM3Y650nqLSpdvJRnueJI5r1a_J9UAVzmk2TAr33fA1VlgmpHptd_tl5i2KV
  TvMWkL1wmSncGcX-krfCQAIH9ZBmjyVwgurfR9Q6UwuDJYKiRgLLE14ZJmz9hn_j8
  ki253lZaYCEYR5F7-nqQpj9lVrYzb476McYISLHzl2SDQkC7vkVo0OZWcsWBjrcWF
  MK9LPJMLu8EO6TCf_7rRwZ6SmoDOupGVCWikGuAczW7lvCtKty-r_oC1YNGeOxyqG
  9lTij6EzXDdGS7CHRRolDtYnB6LDLdY8hYQ1cncW3A5g6RHrafChrEihem_0NLplw
  2yPofZGIzhj_gMcHx7Sg_ExP_0cS32hU1LYX-Hcc0dK8bWQll4a7xsU8dHt8TNbLA
  5VuP_bPAv95fTFQvW_Lj6-GGyh7gH2bO5QffpusKAddsisiIdGvjr-hNVF99EjsJF
  FetvlCP1CFipmCuxo8WgXiayK-_b32Rvav_BxZ4YIcZGRsrH5oI6JywKyg3O9TAwz
  f7853NMhqsvnmLyhGC6Ezs7tQ__WgYqNcfJfo0YG8y78nMvDN2np_pDLw7NRGFhJj
  FrVjtdsj7E2gCorPC52JdKJ9jUrQCYpSglZU06CGTRQHnQvMk-H2ftQ4AFVEBJrjO
  6527KYwSylkZGMV2WBsrDsYu70Rs1SqI6e-u8pL_VdYPALWvD7SRVPCb90YoPX8lh
  gZR0BeCp_kNN6C30B9P9yWRR4JdTsG-LcWtK6iCs_igIOCjfelbsUBXTs7nxI0m1P
  mzlvPzkN3Acwrxa6HUEA_tOLulovb7i04IeDb8nKZgiO2Dyohi4aWoyFY2ExsQmgF
  qQLExsWPbYJiZEc5BM3idhRDzvjnON7aPkvqq568y-e3d3OsRXV9uKikFJghh89j5
  HHZ3HhTeIHAQAfDKVx7vPUls_5-mleI2v_ZkSag3vXRb23XLfI3x33l_ZxW9MC7YX
  _kdJgEqQiJu64AvYWKiA-Fd8uEQMfaUpHamNDlO4GFQ8uLWJ7cKkuDbbbiOfiT5z-
  77DQAMUiIjJ3mQ_kmileeTNb_qu2jEdJGzx-JQagB7ZIZxn0wZpBSCthhG0uXsERa
  XMFamXWLYZtWdWyUSL6AUzcgRf0RRmcvk7yvH-T3dGiIJn4TXOnDp0DBW-MByTeHv
  Wrk5k24lpPq07QI6WCdj4b2qSsY0L_eW6zbI9f7Aq8868WMxQ"
        ]}}}

The device waiting to be connected uses the PollClaim transaction to receive notification of a claim having been posted.

6.5.2. PollClaim Transaction

The PollClaim transaction is used to discover if a claim has been posted to a published document.

When an authenticated, authorized request is made, the service responds with the latest claim posted to the publication.

The device in the example above periodically polls the service to which the device description is published to find if a claim has been registered.

The PollClaimRequest contains the account to which the document is published and the publication ID:

{
  "PollClaimRequest":{
    "PublicationId":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
    "TargetAccountAddress":"maker@example.com"}}

The response returns the latest claim made as a signed message:

{
  "PollClaimResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedMessage":[{
        "PayloadDigest":"wMSgIvLpoj69Rw_P_YJ7yXYvo18eCvgU3Hd8DgJ_
  07Jv0nqIkC4sZMGFGW6Ntl_3PVwk7bAj51GVrPwqzZ12sg",
        "EnvelopeId":"MBQG-HNR6-TNS7-5N2M-BN4R-ECNA-6ETO",
        "dig":"S512",
        "signatures":[{
            "alg":"S512",
            "kid":"MBUX-YI5W-NTAH-UJN2-4FFC-4PAY-NI73",
            "signature":"fxh1PHK56aMoB9Qkbx3Kcv4UrPQkfGRCd9LwW4Un
  3EcR_EqxpWaxZjcXFqdX6d4j9lEStBR2QxKAE_GCYpaXVOLOAVTbb4pwaV9fLDo8r
  FtlKfnFFoBZMslOfqcKsJrAnc4AQsT2H5nu6xZ0dq927jYA"}
          ],
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQ1dLLTdPTjQtVk
  IyUy0zSk9YLTZRWUktRUU1Vi1RSUhNIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F
  nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD
  cmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDhaIn0",
        "SequenceInfo":{
          "Index":1,
          "TreePosition":0},
        "Received":"2021-10-25T15:49:08Z"},
      "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiTWVzc2FnZUlkIjogIk5DV0
  stN09ONC1WQjJTLTNKT1gtNlFZSS1FRTVWLVFJSE0iLAogICAgIlNlbmRlciI6ICJ
  hbGljZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogIm1ha2VyQGV4YW1w
  bGUuY29tIiwKICAgICJQdWJsaWNhdGlvbklkIjogIkVCUUstTFUzUC1WSkxULVpQR
  zctQjY2Ny1MNTNMLU1CRU4iLAogICAgIlNlcnZpY2VBdXRoZW50aWNhdGUiOiAiQU
  RRWC1TQlJBLTZBQ1gtWkdHQi1JVTNMLTJUWlMtVElLWiIsCiAgICAiRGV2aWNlQXV
  0aGVudGljYXRlIjogIkFETkItU05FMi1HRUw1LUdRUVMtSkJVQi1UWTMyLUpHQ0Mi
  fX0",
      {}
      ]}}

6.6. Cryptographic

The Operate transaction is used to perform one or more cryptographic operations using private key material recorded in the Threshold Catalog. Such operations typically represent one part of a threshold key operation divided between the service and a device connected to an account.

As with all operations involving the Access catalog, the request MUST meet the authentication criteria specified by the catalog entry. These typically include the request being authenticated by a specific key.

Key Agreement

CryptographicOperationKeyAgreement is used to request a threshold key agreement operation on a specified public key.

Alice added Bob to groupw@example.com as a member. This resulted in Bob receiving the invitation described in section ??? and the following access entry being added to the Access catalog of the group account:

{
  "CatalogedAccess":{
    "Capability":{
      "CapabilityDecryptServiced":{
        "Id":"MD6W-KDFX-PSF7-5NBQ-WFJE-34PL-7JWQ",
        "Active":true,
        "GranteeUdf":"bob@example.com",
        "EnvelopedKeyShare":[{
            "enc":"A256CBC",
            "kid":"EBQL-CGOH-LPTR-WNYL-RXDU-7LK4-G4GZ",
            "Salt":"xUeBS0V_Z4GJV9s2N3OAPw",
            "recipients":[{
                "kid":"MBBR-KLL4-YRFX-K63E-2DCT-6UGQ-Z5JC",
                "epk":{
                  "PublicKeyECDH":{
                    "crv":"X448",
                    "Public":"2hYs3byJFTbFtPgYaBplYVgtBJOuYjMSvi8
  BcCEFoOy8JRaOWg37ygj8m4hUjoZhPlC6bZ-MQEoA"}},
                "wmk":"9iJlp63lB9Og5mog603Of1NJtrVsTFCC2GzUKDLv-P
  Hb3Dn9tNTepw"}
              ],
            "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJLZXlEYX
  RhIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmVhdGV
  kIjogIjIwMjEtMTAtMjVUMTU6NDk6MDBaIn0"},
          "hY6vVvnbC6y-a5ULJNUh0aVv_YEIu1BRiTDS-gBY6nKX7tqs_oIMFR
  Qipj8bUHdtE46dYu2Ud0ue88CMOX3qsLTDP_5d7UgqKUk5yfr3nlSJzlKU7u3W7YF
  b9tOW-svw3sE4UncLN7vJ5V90bF9DUS_xek8s9SxnyeZxWY5z5GvCTJr0TxCO5hFh
  FR6Bwv2cwqG9eqyFhWCu4GrrgLUk-fk5rOdF9KTZW6g0wqg0xTUFDuY4tfTTwzp4N
  iffzB2rj88nOkvvW-6SwVVrExLY5E4l-7ClfnlBH-20Zz-z8faYy85gDl6zVGDyYd
  JelTPlRmlbM_tsW2NRyKNz4WCAreq_QZx3XBBqoKNi1CA4GdO2qiMOOE6NigTKB9C
  Rlc4EzUtwCU8Zdw6yUWxxCEtHoXVh8OpvWixTdmznouCLyDUVsvfx1dM-PIrSfbEl
  _K2v9IHZrtcgh5vahoaWY60ELJYLnARsvnWchyfZCgZMNbknDYiAyNAwxI_Wgm3xo
  7vyTkF0ARe0-RWofxYlyzDcFk2yA6-edTAq0PHiOFSl3j90hVmcaWC903uI_keNGU
  4egZ370UCWrFUz-O5woKJDllJu-GubgpJ5YTc628m-_6ASaVEw9G4uGiIx0oCcSqR
  SENXe9tnD90HkaZCCZhz2Cscfm8uRAVG9wasFrDjaKxUwf6N3nVjOmFVJwBl_G14i
  go4PmNHI2dgJBLqxlof76g"
          ]}}}}

The private key (in this case a key share) is encrypted under the service key.

To make use of the access entry, a request is made that specifies the key share to be operated on and the public key parameters to perform the agreement with.

The request payload:

{
  "OperateRequest":{
    "AccountAddress":"groupw@example.com",
    "Operations":[{
        "CryptographicOperationKeyAgreement":{
          "KeyId":"MD6W-KDFX-PSF7-5NBQ-WFJE-34PL-7JWQ",
          "PublicKey":{
            "PublicKeyECDH":{
              "crv":"X448",
              "Public":"mNrpSHZmFqcMBHYAwEyp0tUshHkBafWjCe3mDMcoV
  PIuqBhrbj5ZIpQdgfcS1BWgb5cwGXmIEPcA"}}}}
      ]}}

The service checks to see if the request is authorized and if so, performs the operation and returns the result:

{
  "OperateResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "Results":[{
        "CryptographicResultKeyAgreement":{
          "KeyAgreement":{
            "KeyAgreementECDH":{
              "Curve":"X448",
              "Result":"JmEGQN2398IzXNI4j1CG4ZWtLVk1u8P8SnBw1_cEQ
  Os5INanZUEewbDxEQp5ocl_QP0EnBoSdUMA"}}}}
      ]}}

Future: Currently, the access catalog is encrypted under the service encryption key. It would be better to encrypt the catalog under an encryption key specified by the service during the process of account binding. This would allow a service to assign a unique encryption key to each account and limit access to that key to the hosts servicing that specific account.

6.6.1. Generate Key Shares

Generation of threshold key shares is planned but not currently supported.

6.6.2. Threshold Sign

Threshold signature is planned but not currently supported.

6.7. Messaging

Mesh Messaging is an asynchronous messaging service that allows exchange of information between devices connected to a Mesh account and between Mesh users.

To enable effective abuse mitigation, Mesh Messaging enforces a four-corner communication model in which all outbound and inbound messages pass through a Mesh Service which accredits and authorizes the messages on the user's behalf.

Figure 2: The Mesh Four Corner Messaging Model

The Post transaction is only used to exchange messages between services. The client sends and receives messages through interactions with the outbound and inbound spools of the account.

6.7.1. Sender

To send a message, the client creates the Mesh Message structure, encapsulates it in a DARE Message and appends the message to the Outbound spool of the account using the Transact operation.

The DARE Message MUST be signed under the account signature key.

The Mesh Service receiving the message from the user's device MAY attempt immediate retransmission or queue it to be sent at a future time. Mesh Services SHOULD forward messages without undue delay.

6.7.2. Outbound Service

The Post transaction forwarding the message to the destination service carries the same payload as the original request but is authenticated by the service forwarding it. This authentication MAY be by means of either profile or ticket authentication.

[Not Yet Implemented]

After the message has been sent, the service updates the message status on the outbound spool.

Services SHOULD implement Denial of Service mitigation strategies including limiting the maximum time taken to complete a transaction and refusing connections from clients that engage in patterns of behavior consistent with abuse.

The limitation in message size allows Mesh Services to aggressively time out connections that take too long to complete a transaction. A Mesh Service that is hosted on a 10Mb/s link should be able to transfer 20 messages a second. If the service is taking more than 5 seconds to complete a transaction, either the source or the destination service is overloaded or the message itself is an attack.

Imposing hard constraints on Mesh Service performance requires deployments to scale and apply resources appropriately. If a service is attempting to transfer 100 messages simultaneously and 40% are taking 4 seconds or more, this indicates that the number of simultaneous transfers being attempted should be reduced. Contrariwise, if 90% are completed in less than a second, the number of threads allocated to sending outbound messages might be increased.
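The thresholds in the two paragraphs above can drive a simple control loop. The following is an added illustration, not part of the draft or of any Mesh implementation: the class name, the halving and ten-percent steps, the sample window and the three-timeout refusal rule are all assumptions.

```python
from collections import defaultdict, deque

HARD_TIMEOUT_S = 5.0            # text: beyond this, overload or an attack
SLOW_S, SLOW_SHARE = 4.0, 0.40  # text: 40% taking 4 s or more -> reduce
FAST_S, FAST_SHARE = 1.0, 0.90  # text: 90% under 1 s -> may increase


class OutboundTuner:
    """Adjusts the number of simultaneous outbound transfers (hypothetical helper)."""

    def __init__(self, workers=100, floor=1, ceiling=400, window=100, strikes=3):
        self.workers, self.floor, self.ceiling = workers, floor, ceiling
        self.samples = deque(maxlen=window)  # most recent transfer durations
        self.strikes = strikes               # assumption: timeouts before refusal
        self.timeouts = defaultdict(int)     # peer service -> hard timeouts seen

    def record(self, peer, seconds):
        """Record one transfer; returns False when it hit the hard timeout."""
        self.samples.append(min(seconds, HARD_TIMEOUT_S))
        if seconds >= HARD_TIMEOUT_S:
            self.timeouts[peer] += 1
            return False
        return True

    def refused(self, peer):
        """True once a peer has shown a repeated pattern of timed-out transfers."""
        return self.timeouts[peer] >= self.strikes

    def adjust(self):
        """Apply the 40%/4 s and 90%/1 s rules once a full window is available."""
        if len(self.samples) < self.samples.maxlen:
            return self.workers  # not enough evidence yet
        total = len(self.samples)
        slow = sum(s >= SLOW_S for s in self.samples) / total
        fast = sum(s < FAST_S for s in self.samples) / total
        if slow >= SLOW_SHARE:
            self.workers = max(self.floor, self.workers // 2)
        elif fast >= FAST_SHARE:
            self.workers = min(self.ceiling, self.workers + max(1, self.workers // 10))
        self.samples.clear()  # start a fresh observation window
        return self.workers


if __name__ == "__main__":
    tuner = OutboundTuner(workers=100, window=10)
    for duration in [4.2] * 4 + [0.5] * 6:  # constructed sample durations
        tuner.record("peer.example", duration)
    print("workers after a slow window:", tuner.adjust())
```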

6.7.3. Inbound Service

The inbound service MUST subject inbound messages to Access Control according to the credentials presented in the DARE Message payload.

After verifying the signature and checking that the key is properly accredited in accordance with site policy, the service applies authorization controls taking account of:

  • The accreditation of the sender
  • The accreditation of the transmitting Service
  • The type of Mesh Message being sent
  • User policy as specified in their Contact Catalog
  • Site policy.

6.7.4. Recipient

Messages are received by synchronizing the outbound spool.

7. Access Control

[This section to be expanded in future drafts]

Access control is effected through the usual division of authentication and authorization.

Authentication of operation requests is performed by the RUD layer [draft-hallambaker-mesh-rud].

7.1. Direct authorization

Any request authenticated under the profile authentication key is authorized to perform any account operation without restriction.

7.2. Access Catalog authentication

If the authentication key presented has a matching Access Catalog entry, the device is authorized to perform operations as specified in that entry.

8. Message Interactions

Message interactions are asynchronous interactions that occur between devices connected to the same account or between accounts.

All messages are signed by the sender and encrypted under the encryption key of the recipient if this is known to the sender.

8.1. Message PIN Interaction

The Message PIN Interaction is used to register and validate PIN codes used to authenticate certain transactions. This interaction allows a PIN code issued by one device to be consumed by another allowing for greater convenience in managing devices or contact exchange.

For example, Alice might delegate the PIN code issue privilege to her mobile device without delegating the administration privilege to that device. This would allow Alice to use her mobile device to initiate the connection of a large number of devices to her Mesh as her house is being built and approve them later using her administrative device.

Use of the Message PIN interaction is optional. An application that issues a PIN code to authenticate a message MAY store the PIN value within the application without persisting it to external storage.

Derivation of the SaltedPin, MessageId and Witness values from their respective inputs is described in the Schema Reference [draft-hallambaker-mesh-schema].

8.1.1. Registration

To register a PIN code to an Account, a device:

  • Generates the PIN code value
  • Calculates the SaltedPin value for the specified Action
  • Calculates the PinId binding the specified SaltedPin to the Account.
  • Creates and signs MessagePin containing the SaltedPin, Action and Account values with the MessageId value PinId.
  • Appends the MessagePin value to the Administration Spool of the Account.

Note that this construction provides limited protection against forgery attacks by a party with access to the MessagePin. A party with such access can use it to construct the witness value required to authenticate a request.

PIN Code values consist of an opaque sequence of octets represented as a UDF nonce value. Codes are presented in canonical UDF form, i.e. Base32 encoding separated into groups of 4 characters. The PIN value is converted to binary form for calculation of the SaltedPin, thus ensuring that the canonical form of the PIN value is used.

8.1.2. Authentication

The PIN Code value is passed out of band to a user who will enter it into a device to authenticate a request made to the issuer.

A request that MAY be validated by means of a PIN is a subclass of MessagePinValidated and contains the following fields:

AuthenticatedData

A DARE Envelope containing the data that is authenticated.

ClientNonce

A nonce value used to prevent certain replay attacks.

PinId

Digest value binding the SaltedPin to the Account.

PinWitness

Witness value calculated as KDF (Device.UDF + AccountAddress, ClientNonce)

The device uses the PIN code and Action identifier corresponding to the desired request to calculate the SaltedPin value in the same manner as during registration. This value is then used to calculate the PinId and PinWitness values.

8.1.3. Validation

The PIN code is validated by performing the steps of:

  • Calculating the SaltedPin value from the PIN code and Action
  • Calculating PinId from SaltedPin and Account
  • Retrieving a MessagePin from the Administration spool with the MessageId PinId.
  • Calculating the PinWitness value from SaltedPin, ClientNonce and AuthenticatedData and checking this matches the value specified in the message.
  • Performing the requested action.
  • Posting a Complete message to the Administration Spool of the Account marking the PIN code as used.

This process can fail at multiple points resulting in different error results:

PinInvalid

No PIN code is specified, the PIN code indicates an unsupported algorithm, or the calculated PinWitness does not match the one specified by the request.

PinUsed

The PIN code has been used previously.

PinExpired

The PIN code is no longer valid.

Note that in the case that an attempt is made to reuse a PIN, it is not automatically the case that the first use of the PIN was the one that was valid and only the second attempt was invalid. Implementations SHOULD alert the user to the attempted re-use so that this possibility can be considered and appropriate action taken.
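
The registration, authentication and validation steps above, including the three error results and the completion record that marks a PIN as used, can be sketched as follows. This is an added example, not code from the draft or the Mesh reference implementation: the `kdf` function is a stand-in (HMAC-SHA-512), since the real SaltedPin, PinId and PinWitness derivations are defined in the Schema Reference; the spool is a plain list, MessagePin signing is omitted, and all function names are assumptions. The witness inputs follow the validation step list (SaltedPin, ClientNonce and AuthenticatedData).

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA-512 over length-prefixed inputs."""
    mac = hmac.new(key, label, hashlib.sha512)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def salted_pin(pin: bytes, action: str) -> bytes:
    return kdf(pin, b"SaltedPin", action.encode())


def pin_id(salted: bytes, account: str) -> str:
    return kdf(salted, b"PinId", account.encode())[:16].hex()


def pin_witness(salted: bytes, client_nonce: bytes, auth_data: bytes) -> bytes:
    return kdf(salted, b"PinWitness", client_nonce, auth_data)


def register_pin(spool: list, account: str, action: str, expires: datetime) -> bytes:
    """8.1.1: record a MessagePin and return the PIN for out-of-band delivery."""
    pin = os.urandom(16)
    salted = salted_pin(pin, action)
    spool.append({"MessagePin": {
        "MessageId": pin_id(salted, account), "Account": account,
        "Expires": expires, "SaltedPin": salted, "Action": action}})
    return pin


def build_request(pin: bytes, account: str, action: str, auth_data: bytes) -> dict:
    """8.1.2: fields a requesting device derives from the PIN it was given."""
    salted, nonce = salted_pin(pin, action), os.urandom(16)
    return {"AuthenticatedData": auth_data, "ClientNonce": nonce,
            "PinId": pin_id(salted, account),
            "PinWitness": pin_witness(salted, nonce, auth_data)}


def find(spool: list, kind: str, match):
    """Return the first spool entry of the given kind that satisfies match."""
    return next((m[kind] for m in spool if kind in m and match(m[kind])), None)


def validate(spool: list, account: str, request: dict, now: datetime, alerts: list) -> str:
    """8.1.3: returns "Accepted" or one of PinInvalid / PinUsed / PinExpired."""
    rid, witness = request.get("PinId"), request.get("PinWitness")
    nonce, data = request.get("ClientNonce"), request.get("AuthenticatedData")
    if not (isinstance(rid, str) and all(isinstance(v, bytes) for v in (witness, nonce, data))):
        return "PinInvalid"
    pin_msg = find(spool, "MessagePin", lambda p: p["MessageId"] == rid)
    if pin_msg is None or pin_msg["Account"] != account:
        return "PinInvalid"
    expected = pin_witness(pin_msg["SaltedPin"], nonce, data)
    # Constant-time comparison, done before the used/expired checks so that a
    # caller who does not hold the PIN learns nothing about its state.
    if not hmac.compare_digest(expected, witness):
        return "PinInvalid"
    used = find(spool, "MessageComplete", lambda c: any(
        r["MessageId"] == rid and r["Relationship"] == "Closed" for r in c["References"]))
    if used is not None:
        alerts.append(f"PIN {rid} presented again after use")  # surface reuse to the user
        return "PinUsed"
    if now >= pin_msg["Expires"]:
        return "PinExpired"
    # The requested action would be performed here, in the same transaction
    # that appends the completion record.
    spool.append({"MessageComplete": {"References": [
        {"MessageId": rid, "Relationship": "Closed"}]}})
    return "Accepted"


if __name__ == "__main__":
    # Constructed sample values for illustration.
    now = datetime(2021, 10, 25, 15, 49, 2, tzinfo=timezone.utc)
    spool, alerts = [], []
    pin = register_pin(spool, "alice@example.com", "Device", now + timedelta(hours=24))
    request = build_request(pin, "alice@example.com", "Device", b"constructed device profile")
    tampered = dict(request, AuthenticatedData=b"substituted profile")
    for label, req in (("tampered", tampered), ("first use", request), ("replay", request)):
        print(label, "->", validate(spool, "alice@example.com", req, now, alerts))
    print("alerts:", alerts)
```
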

8.1.4. Example

Alice connects a device using a QR code presented by her administrative device.

The administration device creates a PIN code and records it to the Local spool. The message specifies the salted PIN value used to verify attempts to use the PIN and the action for which it is authorized. Since this PIN has been issued to authorize a device connection, the message also specifies the roles for which the device is authorized. This allows the connection request to be accepted without asking for further input from the user.

{
  "MessagePin":{
    "MessageId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
    "Account":"alice@example.com",
    "Expires":"2021-10-26T15:49:02Z",
    "Automatic":true,
    "SaltedPin":"ADL6-MGFR-DK2V-XMCH-Y4VK-FG4R-AIDL",
    "Action":"Device",
    "Roles":["threshold"
      ]}}

8.2. Completion Interaction

Completion messages are dummy messages that are added to a Mesh Spool to mark a change in the status of messages previously posted. Any message that is in the inbound spool and has not been erased or redacted MAY be marked as read, unread or deleted. Any message in the outbound spool MAY be marked as sent, received or deleted.

Services MAY erase or redact messages in accordance with local site policy. Since messages are not removed from the spool on being marked deleted, they may be undeleted by marking them as read or unread. Marking a message deleted MAY make it more likely that the message will be removed if the sequence is subsequently purged.

After using the PIN code to authenticate connection of a device in the previous example, the corresponding MessagePin is marked as having been used by appending a completion message to the Local spool.

{
  "MessageComplete":{
    "MessageId":"NCGB-6PXA-YG6T-GSC3-37HF-5QG2-SC43",
    "References":[{
        "MessageId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
        "ResponseId":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW",
        "Relationship":"Closed"}
      ]}}

The completion message is added to the spool in the same upload transaction that adds the device to the device catalog. This ensures that both operations occur or neither occurs.

8.3. Contact Exchange Interaction

The contact exchange interaction is used to support unilateral or mutual exchange of contact information. Contact exchange has three functions in the Mesh:

  • To exchange public key information to allow encryption of messages sent to and verification of signatures on messages sent from the contact subject.
  • To exchange contact information allowing use of other communication protocols (e.g. telephone, SMS, xmpp, SMTP, OpenPGP, S/MIME, etc).
  • To request that the recipient grant privileges to accept certain types of messages from the contact subject.

Registration of the subject's contact information in a registry service eliminates the need for the first of these functions but not the other two. To prevent abuse, every Mesh Message is subject to access control and a Mesh service will only accept a message from a sender if there is an entry in the Threshold Catalog of the account that expressly permits delivery of messages of the specified type that are authenticated by an authorized signature key.

The communication of unsolicited information afforded by the contact exchange interaction is deliberately limited so that a majority of users can accept contact exchange requests without prior authorization. It is however likely that some users will receive a considerable volume of requests forcing them to require contact requests be authorized through some form of third party accreditation.

8.3.1. Remote

The Remote Contact Exchange transaction consists of a sequence of MessageContact messages sent from the initiator to the responder, responder to the initiator, etc. While there is in principle no limit on the number of messages exchanged, most exchanges will be completed in three exchanges or fewer:

Initiator to Responder

Contains Initiator contact data without authentication context from the exchange.

Responder to Initiator (optional)

Contains Responder contact data authenticated under a PIN challenge presented in the previous message.

Initiator to Responder (optional)

Contains Initiator contact data authenticated under a PIN challenge presented in the previous message.

Each message provides the recipient with additional information which MAY motivate the recipient to provide additional contact information to the sender.

{
  "MessageContact":{
    "MessageId":"NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT",
    "Sender":"bob@example.com",
    "Recipient":"alice@example.com",
    "AuthenticatedData":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb250YWN0UG
  Vyc29uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmV
  hdGVkIjogIjIwMjEtMTAtMjVUMTU6NDg6NTJaIn0"},
      "ewogICJDb250YWN0UGVyc29uIjogewogICAgIkFuY2hvcnMiOiBbewogIC
  AgICAgICJVZGYiOiAiTUJYVy1OUFdWLVY3SlEtUVI3Ri1GUDVLLVA1U0EtSkI0SCI
  sCiAgICAgICAgIlZhbGlkYXRpb24iOiAiU2VsZiJ9XSwKICAgICJOZXR3b3JrQWRk
  cmVzc2VzIjogW3sKICAgICAgICAiQWRkcmVzcyI6ICJib2JAZXhhbXBsZS5jb20iL
  AogICAgICAgICJFbnZlbG9wZWRQcm9maWxlQWNjb3VudCI6IFt7CiAgICAgICAgIC
  AgICJFbnZlbG9wZUlkIjogIk1CWFctTlBXVi1WN0pRLVFSN0YtRlA1Sy1QNVNBLUp
  CNEgiLAogICAgICAgICAgICAiZGlnIjogIlM1MTIiLAogICAgICAgICAgICAiQ29u
  dGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpaQ0k2SUNKTlFsaFhMVTVRV
  jFZdFZqZEtVUzEKICBSVWpkR0xVWlFOVXN0VURWVFFTMUtRalJJSWl3S0lDQWlUV1
  Z6YzJGblpWUjVjR1VpT2lBaVVISnZabWxzWgogIFZWelpYSWlMQW9nSUNKamRIa2l
  PaUFpWVhCd2JHbGpZWFJwYjI0dmJXMXRMMjlpYW1WamRDSXNDaUFnSWtOCiAgeVpX
  RjBaV1FpT2lBaU1qQXlNUzB4TUMweU5WUXhOVG8wT0RvMU1sb2lmUSJ9LAogICAgI
  CAgICAgImV3b2dJQ0pRY205bWFXeGxWWE5sY2lJNklIc0tJQ0FnSUNKUWNtOW1hV3
  gKICBsVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ1dGY3R
  UbEJYVmkxV04wcFJMVkZTTgogIDBZdFJsQTFTeTFRTlZOQkxVcENORWdpTEFvZ0lD
  QWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzCiAgS0lDQWdJQ0FnSUNBa
  VVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaV
  IKICBXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSmZXR2RaY21
  WdGJFUnBiVU5JTjB3d1kxcAogIE9jREkzUW10NlFsSXdZalJYTVVaa01GSlNjbG8y
  YUZaNmFtSjFRbnBWY0hWaUNpQWdUVlZFUzJWa2FraFhZCiAgblY1TVVWMmMzcG5ib
  U5CWmsxQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFFXUmtjbVZ6Y3lJNklDSmliMk
  oKICBBWlhoaGJYQnNaUzVqYjIwaUxBb2dJQ0FnSWxObGNuWnBZMlZWWkdZaU9pQWl
  UVVF6TmkxUk5GTkRMVk0wVwogIFZvdFMxQlNVQzAzVnpSUUxWTk9VamN0VVUxRU1p
  SXNDaUFnSUNBaVJYTmpjbTkzUlc1amNubHdkR2x2YmlJCiAgNklIc0tJQ0FnSUNBZ
  0lsVmtaaUk2SUNKTlFWZFZMVXBQTlZNdFVWVk5VUzFJUkROUExVaFZUa3d0VHpkSF
  UKICBTMUpTMFJLSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21GdFpYUmxjbk1pT2l
  CN0NpQWdJQ0FnSUNBZ0lsQgogIDFZbXhwWTB0bGVVVkRSRWdpT2lCN0NpQWdJQ0Fn
  SUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJCiAgQ0FnSUNBZ0lsQjFZb
  XhwWXlJNklDSnpjaTF0U0dKQkxWWTVWV0ZqVjNkcE1sZElNVTh4UkhaT1dtMUhNam
  QKICBUUWpkSU4yWXRiRUpGTmpaWWJtWnNWRWRMT1dKTkNpQWdObXhCWDFKRmRFa3l
  VSGQ1VkVKeVkwNXdZbXRmYQogIEdWQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFJX
  NWpjbmx3ZEdsdmJpSTZJSHNLSUNBZ0lDQWdJbFZrWmlJCiAgNklDSk5RMFJSTFVKV
  1Z6VXRVazVTVmkxR1ZFTlpMVWhHVlRZdFVVbFBNaTFIUkZkUUlpd0tJQ0FnSUNBZ0
  kKICBsQjFZbXhwWTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW1
  4cFkwdGxlVVZEUkVnaU9pQgogIDdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJbGcw
  TkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxWW14cFl5STZJCiAgQ0p1WjNaMlpXcFhVM
  Ws1V0hwNVVFTkdibkpIVFVwSldFNXlVelF0UzJWMFZIbHhTemhOVW5nek1FVmpiMl
  IKICB1VFU5a1QyVm1DaUFnVm1WMVpscFZNMGhNV2tkT1NrTnJhbEZpUkZrMWRGVkJ
  JbjE5ZlN3S0lDQWdJQ0pCWgogIEcxcGJtbHpkSEpoZEc5eVUybG5ibUYwZFhKbElq
  b2dld29nSUNBZ0lDQWlWV1JtSWpvZ0lrMUJUelF0VlU5CiAgRk5DMU5TalpGTFZsV
  FVFTXRVMVpFVVMxTlJqUTNMVXBHUzBzaUxBb2dJQ0FnSUNBaVVIVmliR2xqVUdGeV
  kKICBXMWxkR1Z5Y3lJNklIc0tJQ0FnSUNBZ0lDQWlVSFZpYkdsalMyVjVSVU5FU0N
  JNklIc0tJQ0FnSUNBZ0lDQQogIGdJQ0pqY25ZaU9pQWlSV1EwTkRnaUxBb2dJQ0Fn
  SUNBZ0lDQWdJbEIxWW14cFl5STZJQ0kxVDJwMVRqazNTCiAgVlpwY0VGTlYyNVVlR
  2gyU21VNWVIZFNiSFl0VEVOSVlUSXdWVlpCTmxKU1ZWWXpXbXAzWVZsbFpXNWxDaU
  EKICBnTTBweVdERkJNMTlLYzFwTU16SldRVUp3WWtSTlRWZEJJbjE5ZlN3S0lDQWd
  JQ0pCWTJOdmRXNTBRWFYwYQogIEdWdWRHbGpZWFJwYjI0aU9pQjdDaUFnSUNBZ0lD
  SlZaR1lpT2lBaVRVRktOUzFLVGtwTExUVkJXRFV0V0VGCiAgVlJ5MVhUVFJPTFZVM
  VRGWXRXa0pKU2lJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2
  UKICB3b2dJQ0FnSUNBZ0lDSlFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUN
  BZ0lDQWdJbU55ZGlJNklDSgogIFlORFE0SWl3S0lDQWdJQ0FnSUNBZ0lDSlFkV0pz
  YVdNaU9pQWlTbEIzVVZZdFJVNWpSR05UTXpCNWFXNXRUCiAgV0ZpVUVKQlFuZ3hUV
  Gx4V0dvMFJVcHBOekJaVlVJMlJsUjBZMU42YTBadVl3b2dJRVp6VmpOeWVHRlVaMl
  YKICBNV2xwTWVEUm9SRE5DUjFwbFFTSjlmWDBzQ2lBZ0lDQWlRV05qYjNWdWRGTnB
  aMjVoZEhWeVpTSTZJSHNLSQogIENBZ0lDQWdJbFZrWmlJNklDSk5RbFZhTFRSTVUx
  Z3RRVWRTUmkwMFZVWldMVUZSVlRJdFZGRkJSeTFXV0V4CiAgRklpd0tJQ0FnSUNBZ
  0lsQjFZbXhwWTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cF
  kKICAwdGxlVVZEUkVnaU9pQjdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJa1ZrTkR
  RNElpd0tJQ0FnSUNBZ0lDQQogIGdJQ0pRZFdKc2FXTWlPaUFpYjFCQlNXOVZNWFZU
  TFhvME9GRmFPVjkwV2xCMk4yeHlSR3RvUTBOd1NYQk9kCiAgV1JLYjFOS2JXbDRkV
  1JTZURCeVEwNVdXQW9nSUc1WVMzUmZUR2xHVG5WbVUySnBjMDF3WWxRNFowTTRRU0
  oKICA5ZlgxOWZRIiwKICAgICAgICAgIHsKICAgICAgICAgICAgInNpZ25hdHVyZXM
  iOiBbewogICAgICAgICAgICAgICAgImFsZyI6ICJTNTEyIiwKICAgICAgICAgICAg
  ICAgICJraWQiOiAiTUJYVy1OUFdWLVY3SlEtUVI3Ri1GUDVLLVA1U0EtSkI0SCIsC
  iAgICAgICAgICAgICAgICAic2lnbmF0dXJlIjogIjNISnlVall2MWQyVXlIMGlIUE
  9rTEdXWHZ6UFZBR1Fwak5FZEkyc2k3Tl9nTXZCeTgKICBLVFJWLV80ZnptZ2tvWkw
  0NnlOdGhCRHkyU0F2ZFVLdFVWUTc0c0NsQlY1aDFLSFpkcm41Wl84ekk3d0lGbAog
  IHM3MTZVUnFOa0tvdlV0OWhkQnN0emw2WURfZllWWjhSUExkMDlQQjhBIn1dLAogI
  CAgICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJDUDMxdlhrdUtFQS0tNUdaWWJ1TV
  VMZHV4dFdmZmYyZEs3RUFCLVRZX0RCSzEKICB0ZnB2Z2FiMm5zRjh4Y3JYRGZDRUp
  KQllFamd4TzFXbHJGMWl6amV2QSJ9XSwKICAgICAgICAiUHJvdG9jb2xzIjogW3sK
  ICAgICAgICAgICAgIlByb3RvY29sIjogIm1tbSJ9XX1dfX0",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MBUZ-4LSX-AGRF-4UFV-AQU2-TQAG-VXLE",
            "signature":"DbnBy9SoZHXD9EUbFvBpQW7KEKnNm-EUKMdvNE_b
  J6QU-8gVevRj1BQbnnnTt8EtA6WiTl-vMQ2ATfDuFXt8r9FtataQKWOSBq_zWqXBY
  KQiQtP0ROgYAr7b8VavWhXpJbScrFg_RDrdVo8PIPdsmDkA"}
          ],
        "PayloadDigest":"ZFUZc0MO__xinLcbyzTF33GyMZ3pqFe1WQhimoDJ
  YCGrwEvyBnsMTV4LDG3oYbwYJQQzyEF2LRC3pD76R4AcrQ"}
      ],
    "Reply":true,
    "Subject":"alice@example.com",
    "PIN":"AAIE-IVI5-54XO-5PHG-VE62-FFS7-62GQ"}}

The Mesh Contact Exchange transaction does not provide for validation of the contact information beyond the binding to the Mesh Account Address used to perform the exchange.

8.3.2. PIN

Contact exchange requests MAY be authenticated by a PIN code. Initial contact exchange requests SHOULD include a PIN code value that can be used to authenticate a response (if given). PIN codes MAY also be exchanged out of band.

A MessageContact authenticated by means of a PIN code is authenticated as described in the PIN Interaction section above.

8.3.3. EARL

A MessageContact message MAY be published as an EARL. This allows contact data to be presented to the recipient on a printed document such as a business card in machine readable format such as a QR code.

8.4. Group Invitation

The GroupInvitation interaction is used to invite a recipient to join a Mesh Group. The interaction is essentially a form of contact exchange except that a sender SHOULD NOT send group invitations unless there is an existing relationship. Thus the 'first trust' issues intrinsic to the contact exchange interaction do not apply.

The message specifies the group name and the contact entry for the group. The contact entry includes the CapabilityDecryptServiced used to decrypt messages sent to the group when combined with information provided by the threshold service for the group.

Receipt of a GroupInvitation message does not require a response.

>>>> Unfinished ProtocolGroupInvite

Missing example 3

8.5. Confirmation Interaction

The confirmation interaction consists of a RequestConfirmation message from the initiator followed by a ResponseConfirmation from the responder.

The RequestConfirmation message specifies the action that is requested.

The ResponseConfirmation message contains the enveloped RequestConfirmation message signed by the initiator and the disposition of the responder, Accept = true if the request is accepted and Accept = false otherwise.

The service sends out the following request:

{
  "RequestConfirmation":{
    "MessageId":"NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ",
    "Sender":"console@example.com",
    "Recipient":"alice@example.com",
    "Text":"start"}}

Alice accepts the request and returns the following response:

{
  "ResponseConfirmation":{
    "MessageId":"MCT4-SVZ2-BL5Y-DR5B-TF4S-WIGH-CJTM",
    "Sender":"alice@example.com",
    "Recipient":"console@example.com",
    "Request":[{
        "EnvelopeId":"MDVA-HSIH-UJBT-PEVO-GZNQ-JF3O-YHTM",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOREFELUtMSlktQz
  VKTy1KR1hMLVZVV0ctWTZQUC1QU0ZKIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbmZpcm1hdGlvbiIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0
  IiwKICAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ4OjU3WiJ9",
        "SequenceInfo":{
          "Index":4,
          "TreePosition":6201},
        "Received":"2021-10-25T15:48:57Z"},
      "ewogICJSZXF1ZXN0Q29uZmlybWF0aW9uIjogewogICAgIk1lc3NhZ2VJZC
  I6ICJOREFELUtMSlktQzVKTy1KR1hMLVZVV0ctWTZQUC1QU0ZKIiwKICAgICJTZW5
  kZXIiOiAiY29uc29sZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogImFs
  aWNlQGV4YW1wbGUuY29tIiwKICAgICJUZXh0IjogInN0YXJ0In19",
      {}
      ],
    "Accept":true}}

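Before acting on Accept, the initiator can confirm that the enveloped RequestConfirmation in the response is the one it actually sent. The sketch below is an added example, not code from the draft or the Mesh implementation: function names and the `pending` table are assumptions, the sample messages are constructed from the field values shown above, and cryptographic verification of the envelope signature is out of scope (only the presence of a signature entry can be required).

```python
import base64
import json


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url; whitespace from line-wrapped examples is dropped."""
    text = "".join(text.split())
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def envelope(message_type: str, body: dict) -> list:
    """Build an unsigned [header, payload, trailer] envelope shaped like the example above."""
    meta = {"UniqueId": body["MessageId"], "MessageType": message_type,
            "cty": "application/mmm/object"}
    return [{"ContentMetaData": b64url_encode(json.dumps(meta).encode())},
            b64url_encode(json.dumps({message_type: body}).encode()),
            {}]


def check_response(message: dict, pending: dict, require_signature: bool = False) -> tuple:
    """Return (accepted, reason). pending maps MessageId -> RequestConfirmation body sent."""
    resp = message.get("ResponseConfirmation")
    if not isinstance(resp, dict):
        return False, "not a ResponseConfirmation"
    env = resp.get("Request")
    if not (isinstance(env, list) and len(env) == 3 and isinstance(env[1], str)):
        return False, "malformed envelope"
    try:
        meta = json.loads(b64url_decode(env[0].get("ContentMetaData", "")))
        inner = json.loads(b64url_decode(env[1]))["RequestConfirmation"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "undecodable envelope"
    if not (isinstance(meta, dict) and isinstance(inner, dict)):
        return False, "undecodable envelope"
    # The header must describe the payload it travels with.
    if meta.get("MessageType") != "RequestConfirmation" or \
            meta.get("UniqueId") != inner.get("MessageId"):
        return False, "header does not describe payload"
    sent = pending.get(inner.get("MessageId"))
    if sent is None:
        return False, "no such outstanding request"
    # Compare the whole body: a matching MessageId with a different Text is a substitution.
    if inner != sent:
        return False, "enclosed request differs from the one sent"
    if (resp.get("Sender"), resp.get("Recipient")) != (sent["Recipient"], sent["Sender"]):
        return False, "response parties do not mirror the request"
    if require_signature and not (isinstance(env[2], dict) and env[2].get("signatures")):
        return False, "enclosed request is unsigned"
    # Each request is answered once; a repeated response finds nothing outstanding.
    del pending[sent["MessageId"]]
    if resp.get("Accept") is not True:  # only the JSON boolean true counts
        return False, "declined"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample using the field values from the example above.
    request = {"MessageId": "NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ",
               "Sender": "console@example.com",
               "Recipient": "alice@example.com", "Text": "start"}
    pending = {request["MessageId"]: dict(request)}
    response = {"ResponseConfirmation": {
        "MessageId": "MCT4-SVZ2-BL5Y-DR5B-TF4S-WIGH-CJTM",
        "Sender": "alice@example.com", "Recipient": "console@example.com",
        "Request": envelope("RequestConfirmation", request), "Accept": True}}
    substituted = json.loads(json.dumps(response))
    substituted["ResponseConfirmation"]["Request"] = envelope(
        "RequestConfirmation", dict(request, Text="stop"))
    print(check_response(substituted, pending))
    print(check_response(response, pending))
    print(check_response(response, pending))
```
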
9. Device Connection Interactions

Connection of a device to a Mesh Account combines synchronous and asynchronous elements and therefore uses a combination of Mesh Service Protocol and Mesh Messaging interactions.

Four connection interactions are currently defined to support connection of devices with different affordances:

Witness Authenticated

For connecting devices that provide data entry and display affordances and are connected to a network. The account the device is to be connected to is entered into the device which displays a witness code. This code is then compared with a code displayed on the administration device to authenticate the request, after which both devices can complete the interaction.

PIN Authenticated

A variation of the Witness Authenticated interaction in which the connection process is initiated by creating a PIN value which is communicated to the device by some out of band means and used to authenticate the connection request.

Dynamic QR Code (PIN) Authenticated

For connecting devices that provide a camera affordance. The user sets the administration device into 'add device' mode, causing a QR code to be displayed. The QR code is scanned by the device being connected after which both devices can complete the interaction. Implementation of this mechanism is identical to the PIN authenticated scheme except that the PIN code is presented to the connecting device by means of a QR code.

Preconfigured (Static QR Code Authenticated)

For connecting devices that have been preconfigured with a device profile identified by means of a QR Code containing an EARL. The QR code is scanned by the administration device after which both devices can complete the interaction.

Each of these interactions provides strong mutual authentication with minimal user effort.

The witness authenticated connection interaction is intended for use in cases in which the device is already connected to a network. The QR code interactions are intended to provide support for acquisition of networking capabilities as part of the connection process. These functions are not currently specified. The Static QR Code Authenticated interaction is intended to support Internet of Things (IoT) devices which provide minimal interaction affordances.

In each case, the objectives of the device connection interaction are the same:

  • Mutually authenticate the onboarding device and the Mesh such that the connection interaction only completes if both sides acquire the authentic profile of the other.
  • To provision the onboarding device with the Mesh ProfileAccount, and an ActivationDevice and ConnectionDevice record allowing the device to interact as a member of the Mesh with the set of rights specified by the user.
  • To create a CataloguedDevice record and append it to the Device catalog of the account to allow the device to be managed within that account.
  • (optional) to acquire networking capabilities to allow the above to be completed.

The connection of the device to the Mesh Account is achieved through the creation of the ActivationDevice, ConnectionDevice and CataloguedDevice records described in [draft-hallambaker-mesh-schema]. These are created by the administration device in the third phase of each of the connection interactions described below and acquired by the onboarding device in the fourth phase.

9.1. Witness/PIN Authenticated

The witness authenticated, PIN authenticated, and Dynamic QR code interactions all follow a common interaction pattern.

The Dynamic QR Code (PIN) Authenticated interaction comprises four phases as follows:

Phase 1: Issue of PIN credential (PIN and Dynamic QR code only)

A PIN code is created and registered with the PIN Registration interaction described earlier and transmitted to the user by an out of band communication. In the case of the Dynamic QR code interaction, this is a QR code that is scanned by the connecting device.

Phase 2: Onboarding Device Request to Service

The onboarding device creates a RequestConnect message. In the PIN authenticated and Dynamic QR Code interactions, the RequestConnect is authenticated by the Device Authentication key and the PIN issued earlier. In the Witness Authenticated interaction, it is authenticated by the Device Authentication key alone.

The onboarding device presents the RequestConnect message to the service by means of a Connect operation to the service servicing the account. This results in the exchange of the account and device profiles and the computation of a witness value from the two profile fingerprints and two nonce values specified by the onboarding device and the service. An AcknowledgeConnection message is posted to the Inbound spool of the account and returned to the connecting device.

Phase 3: Administration Device Acceptance

The account holder authenticates the RequestConnect message and uses an administrative device to accept or reject the connection request.

If the RequestConnect message has been authenticated by a PIN code, the connection request can be accepted automatically without additional user interaction.

Phase 4: Onboarding Device Completion

The onboarding device periodically polls the service for acceptance of the request by the administration device using the Complete transaction.

The use of the PIN code to authenticate the request message is shown in $$$$.

The PIN code MAY be presented to the onboarding device in any format accepted by the device. Administration devices MAY support presentation of the account address PIN code as a URI code. Administration devices SHOULD support presentation of the account address PIN code as a QR code containing the corresponding URI.

9.1.1. Phase 1:

Alice> account pin /threshold
PIN=ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM
 (Expires=2021-10-26T15:49:02Z)

The registration of this PIN value was shown earlier in section $$$

The URI containing the account address and PIN is:

mcu://alice@example.com/ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM

9.1.2. Phase 2:

The onboarding device scans the QR code to obtain the account address and PIN code. The PIN code is used to authenticate a connection request:

Alice3> device request alice@example.com /pin ^
    ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM
   Device UDF = MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
   Witness value = 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV

The device generates a RequestConnect message as follows:

{
  "RequestConnection":{
    "MessageId":"NA46-HSVG-N5NU-EXKZ-4X7G-GSF7-DUWS",
    "AuthenticatedData":[{
        "EnvelopeId":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQ1ZOLVhMTFQtTE
  xOVy1VNEhSLUJPTUctUkE2Wi1VV1JSIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAyWiJ9"},
      "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1cm
  UiOiB7CiAgICAgICJVZGYiOiAiTUNWTi1YTExULUxMTlctVTRIUi1CT01HLVJBNlo
  tVVdSUiIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJs
  aWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgI
  CAiUHVibGljIjogImQzMlg1b3NHMUtPRTVvbWZWTUZqREs0MF84eGJ5RTNrZlV3T3
  dUYlBXMXZJeW8zQ0NOdkoKICA5aXBseTFBMlg4TjVMejhXSXRTWml3S0EifX19LAo
  gICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTURNVy1XQ0lSLUZKTU8t
  N1pINi1DTjNKLUtVWkwtUkxBWCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjoge
  wogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYND
  Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAibnRfcHU0WVJieXIwWUxNY1JXdmlNLXJ
  UWlhXZlB1UVhWa1h0TWdud2hweUVXdjBHUmpsaAogIDlVcnBPc21jVTI3LWxtenhJ
  T3dTWGpBQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CM
  lUtNkdNNy1QSEkzLTNVVU4tTElaNi1VVUdKLUlXNVEiLAogICAgICAiUHVibGljUG
  FyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICA
  gICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJVbmk2NUVYY0RY
  YmVXaW1RbFk5OXhhSG5SWmpiSFpBS2lUNmRlZDR0MWp2TGpFVmhMb3lYCiAgVlFra
  WRoZ1lsV21fRHM2ODdPdUpoX1VBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IH
  sKICAgICAgIlVkZiI6ICJNQklDLUIyS0QtQkJSWC1HNFBELTRJMk8tUE1ETi1XT1d
  BIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl
  eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Y
  mxpYyI6ICJ5cGJTV1ZnSHEwb25oT2tUT1F4MUNkZ3dIRVRQTElSTVQ1aW1SS0pfMG
  ozVzBKZnktVk5uCiAgOTJmTzZrSFl0M2dTb0hXSm04TXZWNHdBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
            "signature":"FPjcCzr7s0FbUHrZOOhUGuesUNBJONX9Fe-C__87
  eykHW5UOylLhnfxfkULQVRIY3gdFgfLSJ5mALYQ3v9RLJthdPhMpxDfuyIiD3Vt-c
  ho2QGaSq7imO-ZlKZLP_jwO48AnqcNZnJwcdKMFhkzZDjkA"}
          ],
        "PayloadDigest":"HgKI5VcczlRi0_H9mEeby_Ylk8zCTleLmhzeWVof
  kWccfgpClI1hRH3fn_JUAJZqau76o2AaUTPu3-Deu9TXaw"}
      ],
    "ClientNonce":"-pyukA8KJqdvV_hePIKFZQ",
    "PinId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
    "PinWitness":"wV04crBaf7h-5fclVAGMIsy5ZUZnKcqbPXDUbuZfXYozuI9
  ZB-emewnq2awvpw6i7oFvgY-oW0jQrUYqJSTWDg",
    "AccountAddress":"alice@example.com"}}

The service receives the connect request and authenticates the message under the device key. The service cannot authenticate the message under the PIN code because the PIN code is not known to the service: the service cannot decrypt the local spool.

Having authenticated the connect request, the service generates a random nonce value. The random nonce together with the device and account profiles are used to calculate the witness value.

The AcknowledgeConnection message is created by the service:

{
  "AcknowledgeConnection":{
    "MessageId":"2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV",
    "EnvelopedRequestConnection":[{
        "EnvelopeId":"MDKW-3KOD-ZTW6-MRIB-AARK-UACM-PDOZ",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj
  VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi
  AiTkE0Ni1IU1ZHLU41TlUtRVhLWi00WDdHLUdTRjctRFVXUyIsCiAgICAiQXV0aGV
  udGljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1DVk4tWExM
  VC1MTE5XLVU0SFItQk9NRy1SQTZaLVVXUlIiLAogICAgICAgICJkaWciOiAiUzUxM
  iIsCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWk
  NJNklDSk5RMVpPTFZoTVRGUXRURXhPVnkxCiAgVk5FaFNMVUpQVFVjdFVrRTJXaTF
  WVjFKU0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxk
  bWxqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV
  04wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJeExURXdMVEkxVkRFMU9qUT
  VPakF5V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V
  3b2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNK
  VlpHWWlPaUFpVFVOV1RpMVlURXhVTFV4TVRsY3RWCiAgVFJJVWkxQ1QwMUhMVkpCT
  mxvdFZWZFNVaUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KIC
  BnZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0F
  nSUNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmli
  R2xqSWpvZ0ltUXpNbGcxYjNOSE1VdFBSVFZ2YldaCiAgV1RVWnFSRXMwTUY4NGVHS
  jVSVE5yWmxWM1QzZFVZbEJYTVhaSmVXOHpRME5PZGtvS0lDQTVhWEJzZVRGQk0KIC
  BsZzRUalZNZWpoWFNYUlRXbWwzUzBFaWZYMTlMQW9nSUNBZ0lrVnVZM0o1Y0hScGI
  yNGlPaUI3Q2lBZ0lDQQogIGdJQ0pWWkdZaU9pQWlUVVJOVnkxWFEwbFNMVVpLVFU4
  dE4xcElOaTFEVGpOS0xVdFZXa3d0VWt4QldDSXNDCiAgaUFnSUNBZ0lDSlFkV0pzY
  VdOUVlYSmhiV1YwWlhKeklqb2dld29nSUNBZ0lDQWdJQ0pRZFdKc2FXTkxaWGwKIC
  BGUTBSSUlqb2dld29nSUNBZ0lDQWdJQ0FnSW1OeWRpSTZJQ0pZTkRRNElpd0tJQ0F
  nSUNBZ0lDQWdJQ0pRZAogIFdKc2FXTWlPaUFpYm5SZmNIVTBXVkppZVhJd1dVeE5Z
  MUpYZG1sTkxYSlVXbGhYWmxCMVVWaFdhMWgwVFdkCiAgdWQyaHdlVVZYZGpCSFVtc
  HNhQW9nSURsVmNuQlBjMjFqVlRJM0xXeHRlbmhKVDNkVFdHcEJRU0o5Zlgwc0MKIC
  BpQWdJQ0FpVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ01
  sVXROa2ROTnkxUVNFawogIHpMVE5WVlU0dFRFbGFOaTFWVlVkS0xVbFhOVkVpTEFv
  Z0lDQWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljCiAgeUk2SUhzS0lDQWdJQ0FnS
  UNBaVVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjblkKIC
  BpT2lBaVJXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSlZibWs
  yTlVWWVkwUllZbVZYYQogIFcxUmJGazVPWGhoU0c1U1dtcGlTRnBCUzJsVU5tUmxa
  RFIwTVdwMlRHcEZWbWhNYjNsWUNpQWdWbEZyYVdSCiAgb1oxbHNWMjFmUkhNMk9EZ
  FBkVXBvWDFWQkluMTlmU3dLSUNBZ0lDSkJkWFJvWlc1MGFXTmhkR2x2YmlJNkkKIC
  BIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKTlFrbERMVUl5UzBRdFFrSlNXQzFITkZCRUx
  UUkpNazh0VUUxRVRpMQogIFhUMWRCSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21G
  dFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ0lsQjFZCiAgbXhwWTB0bGVVVkRSRWdpT
  2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJQ0EKIC
  BnSUNBZ0lsQjFZbXhwWXlJNklDSjVjR0pUVjFablNIRXdiMjVvVDJ0VVQxRjRNVU5
  rWjNkSVJWUlFURWxTVAogIFZRMWFXMVNTMHBmTUdvelZ6Qktabmt0Vms1dUNpQWdP
  VEptVHpaclNGbDBNMmRUYjBoWFNtMDRUWFpXTkhkCiAgQkluMTlmWDE5IiwKICAgI
  CAgewogICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgImFsZyI6IC
  JTNTEyIiwKICAgICAgICAgICAgImtpZCI6ICJNQ1ZOLVhMTFQtTExOVy1VNEhSLUJ
  PTUctUkE2Wi1VV1JSIiwKICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJGUGpjQ3py
  N3MwRmJVSHJaT09oVUd1ZXNVTkJKT05YOUZlLUNfXzg3ZXlrSFc1VU95CiAgbExob
  mZ4ZmtVTFFWUklZM2dkRmdmTFNKNW1BTFlRM3Y5UkxKdGhkUGhNcHhEZnV5SWlEM1
  Z0LWNobzJRR2EKICBTcTdpbU8tWmxLWkxQX2p3TzQ4QW5xY05abkp3Y2RLTUZoa3p
  aRGprQSJ9XSwKICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJIZ0tJNVZjY3psUmkw
  X0g5bUVlYnlfWWxrOHpDVGxlTG1oemVXVm9ma1djY2YKICBncENsSTFoUkgzZm5fS
  lVBSlpxYXU3Nm8yQWFVVFB1My1EZXU5VFhhdyJ9XSwKICAgICJDbGllbnROb25jZS
  I6ICItcHl1a0E4S0pxZHZWX2hlUElLRlpRIiwKICAgICJQaW5JZCI6ICJBQVBPLVB
  VQ0stQUlZWi1GU09YLU9CSTUtWVpaQi1SVlQyIiwKICAgICJQaW5XaXRuZXNzIjog
  IndWMDRjckJhZjdoLTVmY2xWQUdNSXN5NVpVWm5LY3FiUFhEVWJ1WmZYWW96dUk5W
  gogIEItZW1ld25xMmF3dnB3Nmk3b0Z2Z1ktb1cwalFyVVlxSlNUV0RnIiwKICAgIC
  JBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSJ9fQ"
      ],
    "ServerNonce":"qO9R3oT24EDO5GCYlYCBsg",
    "Witness":"2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV"}}

The AcknowledgeConnection message is appended to the Inbound spool of the account to which connection was requested so that the user can approve the request. The ConnectResponse message is returned to the device containing the AcknowledgeConnection message and the profile of the account.

The device generates the witness value, verifies it against the value provided by the server and presents it to the user as seen in the console example above.

9.1.3. Phase 3:

The user synchronizes their pending messages:

Alice> message pending
MessageID: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
        Connection Request::
        MessageID: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
        To:  From:
        Device:  MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
        Witness: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
MessageID: NCVP-LUEL-F3OI-QOAM-HND2-WG5Z-346D
        Group invitation::
        MessageID: NCVP-LUEL-F3OI-QOAM-HND2-WG5Z-346D
        To: alice@example.com From: alice@example.com
MessageID: NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ
        Confirmation Request::
        MessageID: NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ
        To: alice@example.com From: console@example.com
        Text: start
MessageID: NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT
        Contact Request::
        MessageID: NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT
        To: alice@example.com From: bob@example.com
        PIN: AAIE-IVI5-54XO-5PHG-VE62-FFS7-62GQ
Alice> account sync /auto

The administration device determines that the device connection request is authenticated by a PIN code. The PIN code is retrieved and the message authenticated. This is shown in the PIN registration interaction example in section $$$ above.

Bug: This command is currently showing superfluous pending messages due to the failure to clear messages processed in earlier examples.

The Cataloged device record is created from the public key values corresponding to the combination of the public keys in the device profile and those defined by the activation.

This is returned to the onboarding device by wrapping it in a RespondConnection message posted to the local spool of the account.

{
  "RespondConnection":{
    "MessageId":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW",
    "Result":"Accept",
    "CatalogedDevice":{
      "DeviceUdf":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
      "EnvelopedProfileUser":[{
          "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
          "dig":"S512",
          "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0t
  UVhKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ
  mlsZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIk
  NyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
        "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJl
  IjogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzL
  VUzQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibG
  ljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICA
  gIlB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUky
  bWRJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKI
  CAgICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2
  VydmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiw
  KICAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhR
  SC1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ld
  GVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcn
  YiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3F
  FQzNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNS
  Vmo0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogI
  CAgICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLA
  ogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUN
  ESCI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGlj
  IjogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwS
  GdCbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbW
  luaXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVF
  GWU0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJz
  IjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6I
  CJFZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2
  lNUjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTB
  zaV9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsK
  ICAgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FII
  iwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleU
  VDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Ymx
  pYyI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3
  OU5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY
  2NvdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILV
  VKTjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHs
  KICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0
  NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhe
  nZlNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF
  84bC1SaUdBIn19fX19",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
              "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa
  8WVr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In
  4RZ9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
            ],
          "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fP
  bqu5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
        ],
      "EnvelopedProfileDevice":[{
          "EnvelopeId":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
          "dig":"S512",
          "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQ1ZOLVhMTFQt
  TExOVy1VNEhSLUJPTUctUkE2Wi1VV1JSIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ
  mlsZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKIC
  AiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAyWiJ9"},
        "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1
  cmUiOiB7CiAgICAgICJVZGYiOiAiTUNWTi1YTExULUxMTlctVTRIUi1CT01HLVJBN
  lotVVdSUiIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdW
  JsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICA
  gICAiUHVibGljIjogImQzMlg1b3NHMUtPRTVvbWZWTUZqREs0MF84eGJ5RTNrZlV3
  T3dUYlBXMXZJeW8zQ0NOdkoKICA5aXBseTFBMlg4TjVMejhXSXRTWml3S0EifX19L
  AogICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTURNVy1XQ0lSLUZKTU
  8tN1pINi1DTjNKLUtVWkwtUkxBWCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjo
  gewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJY
  NDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAibnRfcHU0WVJieXIwWUxNY1JXdmlNL
  XJUWlhXZlB1UVhWa1h0TWdud2hweUVXdjBHUmpsaAogIDlVcnBPc21jVTI3LWxten
  hJT3dTWGpBQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1
  CMlUtNkdNNy1QSEkzLTNVVU4tTElaNi1VVUdKLUlXNVEiLAogICAgICAiUHVibGlj
  UGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgI
  CAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJVbmk2NUVYY0
  RYYmVXaW1RbFk5OXhhSG5SWmpiSFpBS2lUNmRlZDR0MWp2TGpFVmhMb3lYCiAgVlF
  raWRoZ1lsV21fRHM2ODdPdUpoX1VBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6
  IHsKICAgICAgIlVkZiI6ICJNQklDLUIyS0QtQkJSWC1HNFBELTRJMk8tUE1ETi1XT
  1dBIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0
  tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICJ5cGJTV1ZnSHEwb25oT2tUT1F4MUNkZ3dIRVRQTElSTVQ1aW1SS0pf
  MGozVzBKZnktVk5uCiAgOTJmTzZrSFl0M2dTb0hXSm04TXZWNHdBIn19fX19",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
              "signature":"FPjcCzr7s0FbUHrZOOhUGuesUNBJONX9Fe-C__
  87eykHW5UOylLhnfxfkULQVRIY3gdFgfLSJ5mALYQ3v9RLJthdPhMpxDfuyIiD3Vt
  -cho2QGaSq7imO-ZlKZLP_jwO48AnqcNZnJwcdKMFhkzZDjkA"}
            ],
          "PayloadDigest":"HgKI5VcczlRi0_H9mEeby_Ylk8zCTleLmhzeWV
  ofkWccfgpClI1hRH3fn_JUAJZqau76o2AaUTPu3-Deu9TXaw"}
        ],
      "EnvelopedConnectionAddress":[{
          "dig":"S512"},
        "e7QRQ29ubmVjdGlvbkFkZHJlc3N7tA5BdXRoZW50aWNhdGlvbnu0EFB1
  YmxpY1BhcmFtZXRlcnN7tA1QdWJsaWNLZXlFQ0RIe7QDY3J2gARYNDQ4tAZQdWJsa
  WOIOdulr0WkJsqoELzV6ZGITa3QJhpT6D22IPFeUSgiSp-K8l1msYOAPUExAKdsvR
  WgGhs_oOv7o4kEgH19fbQHQWNjb3VudIARYWxpY2VAZXhhbXBsZS5jb219fQ",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"03oFK4MzMkSRYzgImz6WJw3JSZ4fmU7djU63aS
  oQWhCmzNDCf4XCKfx-bKoJesukT_VTGq5bW-AAWqO_2ZfO3pqjr5CwSH9yOKBzH0t
  pPFDAeKi7oBM43kk5rqljTNOf4EtcaiEqYFohIVoPbn75NAwA"}
            ]}
        ],
      "EnvelopedConnectionService":[{
          "dig":"S512",
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0
  aW9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI
  CAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAzWiJ9"},
        "e7QRQ29ubmVjdGlvblNlcnZpY2V7tA5BdXRoZW50aWNhdGlvbnu0A1Vk
  ZoAiTURCVy03TjVTLUpJWUUtT0JPNi1HWlROLURLUTYtRDNTSLQQUHVibGljUGFyY
  W1ldGVyc3u0DVB1YmxpY0tleUVDREh7tANjcnaABFg0NDi0BlB1YmxpY4g526WvRa
  QmyqgQvNXpkYhNrdAmGlPoPbYg8V5RKCJKn4ryXWaxg4A9QTEAp2y9FaAaGz-g6_u
  jiQSAfX19fX0",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"9m0vcnmYQFNYfzGd0dEH605dJzn72QGwibh4j9
  LvR2skx_QmOz52TCT9P884t5KzVfAvOSdRFsUAfqm-Olo3vDDRBaAGbm9uBQ-1YR7
  r3B43OlHR1KnUD5IwqsbxN2lpFHNPzLt0fkmliATLNRd6UiYA"}
            ],
          "PayloadDigest":"vPLHz2roZcH2iYj7GhGYup4R1v4b1WDCOrAIO3
  R-hq5AVRT8FxVmvwhFK5TF8Zh_KFSti0qU9gP6-QliFCPnCg"}
        ],
      "EnvelopedConnectionDevice":[{
          "dig":"S512",
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0
  aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI
  CJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDNaIn0"},
        "e7QQQ29ubmVjdGlvbkRldmljZXu0DkF1dGhlbnRpY2F0aW9ue7QDVWRm
  gCJNREJXLTdONVMtSklZRS1PQk82LUdaVE4tREtRNi1EM1NItBBQdWJsaWNQYXJhb
  WV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEWDQ0OLQGUHVibGljiDnbpa9FpC
  bKqBC81emRiE2t0CYaU-g9tiDxXlEoIkqfivJdZrGDgD1BMQCnbL0VoBobP6Dr-6O
  JBIB9fX20BVJvbGVzW4AJdGhyZXNob2xkXbQJU2lnbmF0dXJle7QDVWRmgCJNQjRQ
  LU9DVjctV0RUSS1LRlk2LUE3VzUtWEdNTi1JTExMtBBQdWJsaWNQYXJhbWV0ZXJze
  7QNUHVibGljS2V5RUNESHu0A2NydoAFRWQ0NDi0BlB1YmxpY4g5juOAZ2RcHBqm9o
  YYcRAg8h4hPDUzGu0aYyTVrkOXlpyXUMblnSbyJ_Xj5KouRYnm3aOS4AtWZakAfX1
  9tApFbmNyeXB0aW9ue7QDVWRmgCJNQlZYLVVYTEQtUEg2Ry1XS1E0LTROTUItNklH
  Sy0zNVFatBBQdWJsaWNQYXJhbWV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEW
  DQ0OLQGUHVibGljiDnXexA8QK1De4Ivy5Yaz7nO85iB8QWOGgntwgdARK7Oi9OafE
  hsyVyXISV887BxPL5rCFpmXsP2CAB9fX19fQ",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"7QKcgJS4Ub14gYYjiBP3O1RC5U-tDs5mehOV_Y
  Mc7Rq4PV_I1WzTTZ5wnPPWdXxsS4-gjzlxra4AhMKYT4tN0z3Hc954sJVIAoZDHED
  bSxxeSWsp6Fd06hCa5Bt43tYt3TyEmnIHFgUmSFNIwIpOfw0A"}
            ],
          "PayloadDigest":"OstbMttGc4Jpw5qapxrMx_wAdIyJ1ozebqUCmW
  SrE0G_bbYLycdNVYq35C6hesgUUGwAItS3939DgezPSm9lxg"}
        ],
      "EnvelopedActivationDevice":[{
          "enc":"A256CBC",
          "dig":"S512",
          "kid":"EBQH-KLCY-C4F3-VF7J-YSU3-EQFU-FZHQ",
          "Salt":"6K4bKrm5-_rjgI4_I08wTw",
          "recipients":[{
              "kid":"MDMW-WCIR-FJMO-7ZH6-CN3J-KUZL-RLAX",
              "epk":{
                "PublicKeyECDH":{
                  "crv":"X448",
                  "Public":"nvVIGPvOYsOJ8Ilm-19RbyLkAWivgWgZ5a-0A
  Rp9ftWFsoSSAqQSxaxWNMJr-X4HRTb65eFiuWSA"}},
              "wmk":"Dxo1wkjSF6txOOkZ3YtNDWzK-e_95sEbZay2cEJnm3aa
  Pt-oMy9PbA"}
            ],
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0
  aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI
  CJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDNaIn0"},
        "ki85WOQnh96OwNqp5BCXx-pDm5ZyRU7w93rIb9kZQVcO0mvkvuiAq28q
  zje1vLZ4b-XwiqY8MOCLqRkscz_PL8ALVscz5rBQz4JsCHtD1xCRMqkGOUOYeY205
  8lGpQ5MLZgNEeQCxORAlAdNrKRLvdUG6q2G0M9GOPzG9ocyhrI3D4P4T62_KJq9-G
  YmyHA7UEIXE04mCDn7dFWeP8lzsnpBTWbIFC4SNY1tOJeudypR01PQbkvFIn4whoF
  lUDgL",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"KHnfih_mZ14FUavWwY5vdhUFqu7WiBjh1hvHy0
  HTCQbdW35_6UmLcqTT2bzsxaEAXsl8yDTSvB6AK51Q3DvtVXp23AH4Try8p66EvNr
  azKWjh4CAr1QJnUdIJnu-Y3ja2WQJaseKmO4g2svNAXadhAYA",
              "witness":"TPxOv-bF8Of0cYXGhOZB-yJ5JRgwXYqmwciTxUQb
  BEE"}
            ],
          "PayloadDigest":"Mqa4f-6bQ07E2IYl2hQUqfXTighNhw9KF-WSEy
  mbPQMTqfXsXMgrExxUg4KCgPX1EYVt9k-UfdyZBWtFUxFNiw"}
        ],
      "EnvelopedActivationAccount":[{
          "enc":"A256CBC",
          "dig":"S512",
          "kid":"EBQM-73UM-YBTS-SOUZ-PADZ-SVFD-AV7U",
          "Salt":"mX9DOllVVNyFxJ9ocDg4vg",
          "recipients":[{
              "kid":"MBVX-UXLD-PH6G-WKQ4-4NMB-6IGK-35QZ",
              "epk":{
                "PublicKeyECDH":{
                  "crv":"X448",
                  "Public":"zxVZRX_9E5bQaBCq_T3de_j-6WWQvNH84u03M
  G7UfjtP6mDcbdopF3KuzMIebcuch8Lb7UtLz1AA"}},
              "wmk":"rg3puHIMXDoR7ATzOjfxsJUeIwk4Sb2-L5FzwvFVFk-V
  Hol4H35yhg"}
            ],
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0
  aW9uQWNjb3VudCIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI
  CAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAzWiJ9"},
        "gBlhcdXySmUZ3MHsR9XY0Opwp4zrqtnfvxnEI3SlZjq7dsfAPhHoVFOI
  MT7ArKsCojQ-Tikc65a4t0my5aDr-s_CQ5QQAlY6CKhsFW01hjTiTxZnL63w8XH59
  XrniVqdI5ehtVHRO36eiuDDHe97tBrCFUky2pZdbuLO9BDm1r96GsboXBT1vuCbXE
  Y8jJreAeroNhvJkCDFqq3mOhBC1Cndj1g15_MOPPd3KQ7rryOHoGpwN2DP2kicx8F
  S3jGLtuGdIDxXawAR255D-QesHwr5zZyHY3F_FkJ-1ga5OxKHOQtU-oRIdivpnYSA
  Lt2cBTTZJ0K2qzWkYgMLPRHxtQRIVvzGt80mlncUuoGSmyJprO-BSR0ow8N573ubC
  GUQzrfwHggM36L2UrPBzm5Ou8bX5IKu4iLjgE9Wq9J1bYuerqqHYJ6csZFiGUG1pf
  IGQTuNoFJWi49_NzI-vHpo3RBu_aXsClJo3Kgi8Wn4KJsT2rtQuCTbVLmt0Vja_YJ
  lqlJJwjmBSDNqPsitwZtvW2uVZFOwhFSxXI0L9ZZiyzWOdHccOtJnZkzJiKy4RaGA
  1ArpJ2Nm4MLbKvjDb4gJOvcL_a19qFlkhPWt56SySzGN95n5FQA8nRq2EvjQdJmGC
  OCn1MGFB1NooUWi3dXOeV2acHy8nTavVNEWVQeqWid5D2QxFSmV8cWghYn5nuFsy2
  OGNbIH-kNGxjt9W5IbQKowUvhAfpqQ3P-RlNMCEKzxZZioA6YeNG6Hh9kRAk2gYAm
  Z9LlISSOmu0pvavRb8rXW-mNttPmFlC8g232avdLyZyR9XjcjkzHBNaz-cVqKraQf
  vR_3M-8mIqGKCS_1oRYGOOpDIxw9VU0JCEO6DfBHFEv-2a3JDg8XvyRuZMIlzJFzO
  9usilNnsODaygIabfqA_Gs2qe_t4iAOq1a_yBRr0PW2Tba6BuuorLYmOxL9k7EzFs
  BUlkAHjJIdEixgwerVnmAnFXfXqKsc2tQ7LRRUkMfOQ3UCypn3niYn4B7M7eJ5efq
  -xXu4hWSzrdBpxwOUiLjb9ofvClQjkFWvi-VwRtKGIqdk8V-I2Wvc2nS8zzGaK0zU
  -8GnCP9eIe-1JKa2s4qPLD6ASA9QBz6IbtYlgi8HmEh-JfVoWwVdsSMOzJ-1V2ILx
  CN2YJIWV-q49xurbCDog4CFeHLvDPlSjMGYmofzcBHkwL-0H3qee-r6A7m4UuyDUw
  9LqyWyGzo0pjDkXCEGp8v31jxHI4P7NzlT4K2rN1CzYEnVrqYuqxLR3S-7ySnEQWu
  Fk4HrX07bQG5j1iNGghQVV5rQ-uk-7-1uFY8GIIUpiBsI75IwbCeaIvOiCI4v4U3Q
  vTR8ssVOgIDDuZdvQFRCMDgnTzbQda3isGT-fdrGkp5tX94a6ASuIWQ4jC2yqfndW
  y5NVkglyPEyVCPYVyaBI-SxSwzPtmzC3Xla4GVo7gMmVOALyx-7nMzxerc8HsB-hr
  S9bAgyY7V-cCmbQ6VEteR5GVYuX1Nu2w4aXWwU3-yrIx8NXI22Pe9DPcNtj44wySa
  BijiOvduLwnlG-b5aKxfjfvCJWfqL7kEZE0ioCSLE0y-cWPM3MsM3I0gwffEuy7-8
  b-nSMPGYjcCTbXoHBxmLt_-srSDjg89fSC4pLN9He2NoamM3Bl2ZZnItE-8vmQbH8
  Wy304nJNPGhJ_W2juLh758V9XqumJHrADHrjU4n-SOjRngrFjLwYVufxtrtGehcC_
  W2BzNnFhWtBRCA0A7Jjm8tjF0fHH7hxuaFDJKpIXYbJP2LqB8USizq_KRR6i6jsKM
  pxc7wG_81b_unXx1cPs9xMFdQWnn_2Izc7jXKJYC6cVNOGH3dQDZfIgL4O2KoFXzm
  7goJ8hE1Hqx3trdsEjKC7c1UM-cdxFzNKmrto64I7kjJdVHpswFleKSHwxgQ93sLh
  J38mq2FKYQP_rMp40GgWABCtY78P-XZoc6Mev5bBWxN7NL3WlpnrZKTgJGyz92Ori
  bPQPz4Ma3aZ_3WqipO15r9QDZWWjsFzZnGSXpDnXh0uHBtqcqlu87y4LdmHkKgQqZ
  PCioP5KtpgusscKBbIhkQTHe4oe7zUEiRFLd8ff8fp0LImOnmo0WDrMgS3p96driz
  9d9FaUWOFP0rK2OnWVZ9PhvqEzLERr99WVTJ68ZITE5NoaF1OwLGdgWFYs610VJoQ
  jsXZsT0dmR0Zj-vl6yei8sVZjFLosjst9uh0Wv7k_URAUEE95p-Ty2ZLjmwhWeWNS
  Siw4Qk_LwlkxRxSuuad9RfGumOydUrsKh3I8qerv0PmHz0WD4ZHAqa8c9ZLitVX51
  WC0BeLD2iaExGdjThfnO3sJh1CC0R_SqbCV6xSmkcfN_iCEKfE_d-3Twwp2cVKJ2l
  gEvTwsbYX4PkbI_P1SzChkrlC6sn1EBsk7-tnBngnU_OVhUIq2Dxjv9KrrR3pa3DJ
  3s471xfSZpNywnmjxFFv8uPAczmBPf_5BSC5ikub2nT5UTFmUNlAERh5XoDmDZJsE
  seikGCNOyFh0ZLdiLYgL6cUpFw171QZILt7v_1a6e2wKw6gMc_9k74qTEISlLyuVP
  tNz7PryNMyVG4aEwKQMBojHqUN5R8zG3X-KxOTD7PCV9ZtgKiP9SvdzBLzN9wW5Y1
  3zGvi3f256i5vOIeO73nE-mEeTDtBdH2WTjHUPtTmTwvH1TruHJlMhV4W5Zs2XjjE
  _MsrFxV5enl3koNMwAfu0TgPpLZI9xKu6OwXwwcc9XHPQVUPUJK2qAWD1R6Dms2kd
  hmXoLC6Hia5w9R9jSnei4SNyvZAfkKH1peZHHamxeHBEZObARFnxFXq77zp9H9VqF
  pALocgAYXbuUBU6FHPIWXF1-xR4IGjswPgrKq6lA2QKsf9D7d2hheMrB0KZR5k8fV
  K5T5kRhICgu9NxErQkvf2RjfGk707lMmDdE-g8L27AxNqdku0wxRGFIUxcaVutXAB
  5cHH3pKrIJfZfEfAggDooU8RMUI20J6IVZxyZ8nsTdT9ECZuoolAoXh1C4_w-zSpr
  5A6WTLzYTLpnyChxueFeWD-qQWjzXjeN4b-aqJUcO89xEZ4AfRGE8xMeIWp72GzKE
  vMhXfL5v-zHOFJUJ-yenAkROt33qTZH2OlxMVFqIrtW_wTW7-y-B7wD9RHI67tooH
  3pm6QYFTkUdJu0nL6FV9WN28zBVPRuS0mJEm_MJXzUr5fLY7SCDbGOAbxy-a8B_yQ
  40xDftA7FNu4Ylugg2Si5NNBwoXCaWfmF0wy_0IMZhXudDTgI30LwNqpLH1hFOthv
  DKGJn4qPF-wOu5QaeRdwJgpiOE_XwQI2Xsx8ONyb7xGysaY04xtEiZALwcHO57454
  jnbJpAdoOAMLZHRiOkhYNoyjp_SRxZqr3pB27SFzCzlP5s7EnaSd79hIfKY7Ii5p5
  JjTZRKcVMF0Ger9CuuRPccR0hS6y3yCBL5VUQ_OhKmWYPJ9vE3mRz7h037cBJkVbB
  eiBOxT-EpNko9JWHtvdOjDnUPK2W2Q75R8qpvvLSX2jWibqsdvBrm2TkTXv4jx0JZ
  I-YBZZ8AmA-AQlu8-oEafCHvL65sgu9qpmTGt0NI6QO_7Fbu2WKeUuSTugbL7q2EN
  u1jQAzz2itiF9GZ9p4ol93FjsK0tiRjyoKlqSsEAa_fBETnTzmlhblMTRwNEwoVQ1
  _kygDezz0fuklkICAwLgHl6wLc_9oI3gGyS2W62dRvsIDcz4mmMsMkJizqdDNxKBr
  TJrkpWJXulKozk81xjbECG8Rbic_QGwbC7yyaiYxU9lazb7VMnlnSKwitx4GxgXN0
  nKISYPHO0jnZLMYTvhog3mbIqqNrcJGWRmEl7sRJa2_k84FI-MOEESYxaCndq0CwS
  atguRggOlY8wVFNkdAUdCT-T1j43eTVcKPqGrTB6rDxhAClHkFfwW8bIrRenLmxMW
  HplKju7xbjCaj-3Usz6v5p_-0TUdlFsoPcEU3Cb_b4LgvyvZA_stq1TbQoyctrVQA
  OcSxFX2-aImyJYuyKkyMNTKmQNgv62f6h111QO34vPZqrLgArTgpnQhu5eYEgymfU
  empry7SRLkwQdywml4jeImqtZ-AfzM3Test1FsU2xGaMslxrQz80h2J8FHzOkxTAP
  CUs68MNOXRUChYzUvRespSXCPzisFFmZWJkFAFyNayWVHPRxcWADHTJWKlc17NS1j
  b5pprmqCynRE5AbPIeDMEGx96r57nIb63l6TadwQMFiQHDiaHOdP1EAREPT9tYURx
  JelgcpNdqWELXkGGkUaBpZoF0Wh3aHJMd3beMG1dZaMkY3hMCagpeoArs4w96393w
  gQik5AFeh22kJdf2PaRAvakmMsZ9PvvyHzTRVKj0kUyegloQH5EpOheYfmXcQL2Hd
  p3_LMAIfZtT9EJ7avVQCftCaDVhAuJtVAOTUzZUTw9y5DOFXoCD8fQ0NzeAywhP-G
  XK3Bm3duH-T9BlXN3NC3hbKKaJzVkgJuVDihWuMB5aXKj_R65vLIxgx8Z4V1qYjQf
  p9vIcENaDKT0j6qRjlnwwKdPLeJQfJBqBvCU7RBXZr7k5mCLSbMij3GZWyvpb6FZ2
  ekxJO9O2Xov1-EcOPATjqFvo2ZqhLqKzGzvAa8l-blua10eF50OOYd32uk5WpY7Xl
  kcSjE8XKfCPmh-sVkrdxTV0bB-1mwbRkcofJh2SFBTvl2D9MgP13dybD3hh2Ab5fE
  02rc1kJx4kke4p8LykCpRP8KP9T1ZRmy03GxpCjW-Q7_165ZciX6JCs-_OQoTgn9R
  9DBX2KcvoBEHOCu5GJczfd_j6dS5KgLz_-sI3xLFjaKEyRdpJHlfNMv-ca9m-yCZr
  l7Rk_kHb-IxPa6DA9t-EwNvE4PKGbt9WUqYPDBUV2hJyQrIevSEqH84sSmY0ycvjN
  -ORwv1JwE0okT7uJ7TRgxf2eSGMkXJQx_FVnsj5pz_EPxMj72zAXlr5mUvFBEzlce
  Qlvwcc1HQ8_JPASkK_e1hiq7nABmYfdfAR48HKdzDxFCVd4e87oeqsQrYeaLm4nM-
  ojNYBQJmbWwhewiRai-CK_K3Q-PYlbhPvmzIbp2yE79EawtCNBTPn3myWo79ejxdY
  CekhJRdevRCPsCKTg3Yuj8m59IPCkG7-p_GFFmPnF2zu7QAyllNID7wbr16L5xqJC
  r3YYu-xHEbN8ovNXbusNCtKEBss2Evn-XS6zq4Spci8gOH7V5Pv9MK8G0MuPkbssc
  jkqc5IqsG-YVAiOtI0bn6RCqqwoQV16QfLpY0NNP7KMBjRxsspERxBd05o46xAuzZ
  jYs-JOSbR3vy8z6-lIAJEPViw2po8DnuXccwrMns2p_unIiwWqHgeUbau6MsEO6aA
  BaboDrE-aqQhlb0YcTgZmcznFOzghmlZ9X_HokeO58KT9uVR39h6o-ZPzctnN-e8c
  U07EwjWUkyGgUoYNI6MWW9J_z_pUSBYydjjm2jQchV7CcdNlUBBlid9lZbOQZpwwJ
  _RcUfTGv3LvUnUT7SxNZL2QAzFlTwXQGrVmEUzhPUxeu7m4WgQ5kTrOpoF2T2Xt8p
  QvlCnzMlz9y0akQtF8bkQfdwj_JJTMr9EGRrnkq99xmHUdyzxPWhSx9RzhPJPqEK2
  qiQxAs8Uj60m6lnDoyqmCRpjz5u5WG-lB6EMXATOVnj6Mkkylsmwb-ZiBOnPS3n8O
  m2Ua58ULY1_e5UpPsdPZDRqN2ypTgy3IFoFoXf6RR1L32us3-SoYLoqdZRO5tDzcn
  ARzlrRVomW7CoVEsHhP_IOcpy4QvK66_K3dVLQnrGoFsJHAD2AZ41f4yyQ0qy7NVT
  C8qTVyC4tJ23rQl4E9UZ0FgnK6REMFWq-UhEUrVTZWwwbLaGq1OH_cAFk9DXRwbVM
  Z_ty20Gd0e_JKFQ8zSZJxtqwFPzb2hVINzLhgeBOYfH-ExmeW4vy5THHhvfKAIL9h
  5CKGCqztEyUIpsZLOkN0NEyDHZrN2oshiq-BACnoMcE9q0z18JeNxKnw-_u3pUEFP
  JNyvWpROA3if7-lEu7bO6Rh0kmDnlU0f1kBWwsWDQkA6tdD6hwiYg1U36XuTLutD_
  FfR7IBnQqBx_QWJJzLnMyz_nkQHki1uIlWHHabOzuVbcSAH4P5M7P4Z6XKE0oLgG0
  wGFgK5MJYOC2wSGBgXIdbr-GJGp4wCZ2mGZ9zE8DW84cZWYs-Nv5rmrgrcPUEsK9W
  MXDj-T5Liqo3y8lgHuOyNjGAkYM4M9ysT-XJBHNxYC1a5SxJtAM8IxAx-ba-uOtby
  nkV7X5ANUblK03bAUlmDgndmtA3kq77ykGWL1TjT5q8O5bTe3mxWwoT724EV_rUDl
  Nba99vzfRVxtyNDxBgOZsBJUP4IghMZJm--bQ9jq28MGduAHtgicra_hzOHs1kuWw
  1qh6vsmP6RmR7R4_yDNoQl6ccHz3_DLzd2oAlWCIJ9Mi1xuP041zJ6d42Pv7w9tdb
  vDwlavTq_1n2JF2pnC-nC6frxXepuIG0eDdq1bVBLrrq0LG_HiBEZqVZFfFOMY4et
  SNcUujrtzBGqVCJbLbrkairiozJiOfW324VKW2ESFgiKjmW_gmMckQAqwsXsAKdib
  VP_pwQ9Cl9ZJGqVchgFxgmXbfCZsmPSkajWHg2YlJcOEE2vXZsN5e6dkjm1Xck2Ng
  xjRxMg54-vO_eA9UJkX8EIGeFHGvlqs43Xoi4_3JqUy2qwhFI-aPuoi0CORf-nXS4
  Ahudwcqh3uCn-JwrI4dRG4XmFhniEFS8PO4-ZPB0J-xQNGtg8qZxxSUeoMIMSITKi
  GN86Dd1tPnWBU1f5EWz0xlEOZuhteeaIkRwB1l-pBSWA-2jiHadqetS7LqMsDYeBk
  uwTehlcqWXTXuGEENiRLTWtjF6MTV84kkUuN8WsnKJ87f0Rr9oUwbDwjcJhFfV5TO
  3xWZbvL97I-ydU6h-45QoTW2myGD_OdKHzT9jEgGNJXmmdMYECAjUUdVuO1-wecfT
  VqytzQ_aYb2YbtRHwMY5D_gSj6WCqCxmnL3coPXrMcbyaRUHWzxouN9u6A2fEq-Xg
  pXDloJzlamml5NRxaYGTvAgz9wqxMyQkqsLrMri3qeGVAX1ZGm4OJREo5gbw7eSgK
  Dkz1a6O4Da6aN1GVcTtpP4oM0Cu2IsFNII2nmqawJ5iaG_U1UtD_3uwX6bjly6YAy
  m5q4YNprmKyFFwyJIPFmtd_B4QEoZ65MTcp_EUDtzFql2TLv8GKPqmvySkammIVFA
  A3eHDDusfQEI6CyaCs_DG_wmtTQkSncCmJBvWAKgkZgPkwTXtOSmjOSOxH-L250mH
  3DJhGl4PvsV-zMvcsoPhb8oENH_BZVeolpbHCL_YBFIbp4N3PlbJHZdhMLB3wgO4G
  JLs8Dz0Jl21DL7m3F997TASwyDdDymk_LzjND-T8V7YYQVVT0mxRnK9jefTF_C4YR
  mlYhN-6HA5SKYtMLRSMNNyWyYgeUMCK9m2jXW-AMc11lIkrshhb_JR8sjGR5A97_R
  qVc1AYBmaCmHiChlb39YzhEWVovNQDvTfqLwlgM6WXXN7BMrDmv898t028AEDQaRJ
  dWSCwNXq2Vs7P43gr-Vo0zf6ZErqs6S1grgPaqgpZqoKSlGbH84d_RcmDQqzhsXA0
  cR1g6qgj3w6WJd-Ft8H-JxJjEOnuNpwgVyj2Uht1-3kXC0kUTHGCZL6Wx9p4kqxYa
  GQi5MVzYg7AolcPjGagR2l0UdD5nTJdkputAIDZZ73PAFJ9H1JuZPhH7kD8eJQJyy
  Broh_pnBXpgFi_6SZVJCh5NJWErajfFibPBePkpDrXVyehFzTJw1Jzsq-rPbL_oIo
  2N08_i7GpDjSQlDI2ENkEvdMrX6zrIWoP-FbFT9U-xij4FQWiNzg4Ww7c1d7hU8lI
  4gJQSY5SzV6eSdxlSYc_6C165E3F5eN2FBSUi3kPy-jIwmQVJ59UniV8eCCBEtPDp
  nT40gCQaytamAOIATcP8IK5HRQQIksmgcZxtYITyiE0_ZK_30sSyo_Bft-USwa8MF
  0w5cEQTBsKfyGYxOr_8Wo_4N_rrEvbvJTDMWow5BTcvE8vq4r2FnXNFC4xUdy5Lk5
  HG7XKNUKeZQSTkwP0Ry95Yzw8Be4qovtYmm7UkGiwDNB_abRQGnb3bQcrZv5GXOH7
  TlDUE2m0n9BcG3W_oqCESdXpNL-w83u-puP_vF19I_maOkUtpyUWJXXj0kRd8c0WF
  osuYsGg6sIy_nC2ErgEQPDvuAL0cq0Qkc8gX9SckW0W3vOPxAkQdYN3eMt-k13Afs
  y7IePBNP_hXordX3WdkAK-55A7JuPBN7zW5MqL96jvLCJk_10ms66e2Ae5MK73Wpl
  HXQl3IQ7JwCAqXdb-uOMfdViIs6a47y7EXJikZNacrKthzunoyD1F8cZ6wL4ecRTn
  Jsl_2jstlwKcZEuEcvZGAvPqzIl9qhYqEw7O8MOWQMS8cDAUrAb0etfbSmDNWwQR3
  RgaMM6BuevUgFBdVAvf_wvI9994rQRDroeipduhis8xvFDVD_pH_ZpJEl6eQpijxA
  tIdtdap3kwib1gylmAxJ6-zfImOBJo5_aBszjOJWiMmB3Cd0",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"V5h7pFoycR-2WNj7rSO8cyfzbrMHw8GeyME3Wp
  wnFW9a0X1f1FbKuRAQzgo6CAQR9CmOffm92lqACM-DA_Rylu0zKWbq3PK3u2iRrJt
  YZ4RyqDam8DoaDEejYJTz7CtKOh88q62L1iF7QirYhqLcWicA",
              "witness":"KqVrOTlFoo8dHQd3Slg-eowe2e_9OaoPHfDB4Duy
  Fo8"}
            ],
          "PayloadDigest":"3-0c-MhvBsyqxImZbVhOiLXXtd8Av4Rj8C-zOF
  BOutKwzhvOdQ_x5Y1DV7tEM1HQeIZnzhdber6onFEVlsdSvA"}
        ]}}}
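The RespondConnection above nests each record as a [header, payload, trailer] triple whose long values are unpadded base64url, wrapped across lines for display. The following is an added example, not code from the draft or the Mesh reference implementation: structural checks an onboarding device could run on a CatalogedDevice before any signature is verified (no cryptographic verification is performed here). It assumes the caller supplies the account UDF and the administrator signature key identifier it expects; the function names and all sample values are constructed for illustration.

```python
import base64
import json

DIGEST_LEN = {"S512": 64}  # "dig" value used on this page -> digest size in bytes


def b64url_decode(text):
    """Decode unpadded base64url, dropping the whitespace the draft uses to wrap long values."""
    compact = "".join(text.split())
    return base64.urlsafe_b64decode(compact + "=" * (-len(compact) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_envelope(name, envelope, expected_kid):
    """Structural checks on one [header, payload, trailer] entry; returns a list of problems."""
    if not (isinstance(envelope, list) and len(envelope) == 3
            and isinstance(envelope[0], dict) and isinstance(envelope[2], dict)):
        return [f"{name}: not a [header, payload, trailer] triple"]
    header, _payload, trailer = envelope
    problems = []
    # Profile envelopes on this page are self-signed: EnvelopeId equals the signer kid.
    if name.startswith("EnvelopedProfile") and header.get("EnvelopeId") != expected_kid:
        problems.append(f"{name}: EnvelopeId is not {expected_kid}")
    if "ContentMetaData" in header:  # EnvelopedConnectionAddress above carries none
        try:
            meta = json.loads(b64url_decode(header["ContentMetaData"]))
        except (ValueError, AttributeError):
            meta = None
        if not isinstance(meta, dict):
            problems.append(f"{name}: ContentMetaData is not a base64url JSON object")
        else:
            if meta.get("MessageType") != name[len("Enveloped"):]:
                problems.append(f"{name}: MessageType is {meta.get('MessageType')!r}")
            if "UniqueId" in meta and meta["UniqueId"] != header.get("EnvelopeId"):
                problems.append(f"{name}: UniqueId differs from EnvelopeId")
    size = DIGEST_LEN.get(header.get("dig"))
    if size is None:
        problems.append(f"{name}: unsupported dig {header.get('dig')!r}")
    elif "PayloadDigest" in trailer:
        try:
            ok = len(b64url_decode(trailer["PayloadDigest"])) == size
        except (ValueError, AttributeError):
            ok = False
        if not ok:
            problems.append(f"{name}: PayloadDigest is not {size} bytes")
    kids = [s.get("kid") for s in trailer.get("signatures", [])]
    if expected_kid not in kids:
        problems.append(f"{name}: no signature by {expected_kid}")
    problems += [f"{name}: unexpected signer {k}" for k in kids if k != expected_kid]
    return problems


def check_cataloged_device(device, account_udf, admin_kid):
    """Check every Enveloped* entry of a CatalogedDevice against the signer it should have."""
    expected = {"EnvelopedProfileUser": account_udf,
                "EnvelopedProfileDevice": device.get("DeviceUdf")}
    problems = []
    for name, envelope in device.items():
        if name.startswith("Enveloped"):
            problems += check_envelope(name, envelope, expected.get(name, admin_kid))
    return problems


# Constructed identifiers (not real UDFs) for the sample below.
ACCOUNT, DEVICE, ADMIN = "ACCT-CONSTRUCTED", "DEVC-CONSTRUCTED", "ADMN-CONSTRUCTED"


def sample_envelope(message_type, kid, envelope_id=None, with_meta=True):
    """Constructed test data: placeholder payload, digest and signature bytes."""
    header = {"dig": "S512"}
    if envelope_id:
        header["EnvelopeId"] = envelope_id
    if with_meta:
        meta = {"MessageType": message_type, "cty": "application/mmm/object"}
        if envelope_id:
            meta["UniqueId"] = envelope_id
        header["ContentMetaData"] = b64url_encode(json.dumps(meta).encode())
    trailer = {"signatures": [{"alg": "S512", "kid": kid,
                               "signature": b64url_encode(b"\0" * 114)}],
               "PayloadDigest": b64url_encode(b"\0" * 64)}
    return [header, b64url_encode(b"placeholder"), trailer]


def sample_cataloged_device():
    return {
        "DeviceUdf": DEVICE,
        "EnvelopedProfileUser": sample_envelope("ProfileUser", ACCOUNT, ACCOUNT),
        "EnvelopedProfileDevice": sample_envelope("ProfileDevice", DEVICE, DEVICE),
        "EnvelopedConnectionAddress": sample_envelope("ConnectionAddress", ADMIN,
                                                      with_meta=False),
        "EnvelopedConnectionDevice": sample_envelope("ConnectionDevice", ADMIN),
    }


if __name__ == "__main__":
    device = sample_cataloged_device()
    print(check_cataloged_device(device, ACCOUNT, ADMIN))        # well-formed sample
    device["EnvelopedConnectionDevice"][2]["signatures"][0]["kid"] = "ROGUE-CONSTRUCTED"
    print(check_cataloged_device(device, ACCOUNT, ADMIN))        # signer substituted
```

A record that passes these checks still has to have each signature verified against the key named by its kid before any of its content is trusted.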

9.1.4. Phase 4

The device periodically polls for completion of the connection request using the Complete transaction.

To provide a final check on the process, the command line tool presents the UDF of the account profile to which the device has connected if successful:

Alice3> device complete
   Device UDF = MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
   Account = alice@example.com
   Account UDF = MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA
Alice3> account sync

The completion request specifies the witness value for the transaction whose completion is being queried:

{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW"}}

The Service responds to the complete request by checking to see if an entry has been added to the local spool. If so, this contains the RespondConnection message created by the administration device.

9.2. Preconfigured (Static QR Code)

The preconfigured device connection interaction is used to connect devices that lack affordances such as a display or a keyboard. It is also known as the static QR code interaction because a static QR code printed on the device itself is used to connect it to a user's account.

Future: This interaction is likely to change substantially in future revisions of the specification, with the Claim/PollClaim mechanism removed and replaced by a messaging-based approach.

The interaction has five phases:

Phase 1: Preconfiguration

The device to be onboarded is preconfigured with a ProfileDevice and private key information, and a DeviceDescription is posted to a publication service. This process is typically performed during manufacture. An EARL providing the ability to locate and decrypt the description is printed on the device itself as a QR code.

Phase 2: Device description acquisition

The administration device acquiring the onboarding device scans the QR code on the device and uses this information to obtain the device description by means of a Claim operation, as described above in the Device Description.

Phase 3: Administration Device Acceptance

This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device MAY advise the device that a connection request is being made by additional means described in the device description (e.g. WiFi, Bluetooth).

Phase 4: Poll Claim Notification

When connected to a network, the preconfigured device periodically attempts to poll the connection sources specified to find out if there is a pending request. If a connection request is posted, the device decrypts it to allow it to complete the connection process.

Phase 5: Onboarding Device Completion

This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device requires notice of the pending connection request.

The main differences between this connection interaction and the witness/PIN connection interactions are that the device is preconfigured with the device profile at the time of manufacture and the onboarding device MAY be acquiring network configuration information during the connection process.

9.2.1. Phase 1

The manufacturer preconfigures the device:

Maker> device preconfig
Device UDF: MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE
File: EC6P-KOIX-T3B4-YIKE-OLX3-BUUD-64.medk

This results in the creation of a primary secret which is used to compute a ProfileDevice and corresponding connection records signed by the manufacturer's administrator key.

The data is combined to create a DevicePreconfiguration record that is provisioned to the firmware of the device being preconfigured.

{
  "DevicePreconfigurationPrivate":{
    "EnvelopedProfileDevice":[{
        "EnvelopeId":"MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRERULUtURFQtQV
  o2Mi01NUhWLUZGVlktSllOVS1ZM1lFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9"},
      "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1cm
  UiOiB7CiAgICAgICJVZGYiOiAiTUREVC1LVERULUFaNjItNTVIVi1GRlZZLUpZTlU
  tWTNZRSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJs
  aWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgI
  CAiUHVibGljIjogInF0TDhCYVN3UUptNk12bE1BUXY0MkpsSk9MWFZMY0gxTWNweU
  p1SWxJazhXbVpvYTlHd2MKICB4WjFIMmI5VE5MZGFZUGp1VlVaWHRkb0EifX19LAo
  gICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUFCQy1MR1k1LUJVMk8t
  U0FaTi1ESjJFLVMzQ0ItQkc2NSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjoge
  wogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYND
  Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAiWDZUaF9IOEJZOC1zRHpydWNVV3F4S0c
  1YVloenhTVC12dDE5STlKOU83TmlnRGYxZmhEcQogIGZCT1pWWk9uUDhYNVdTMkJJ
  WGQ3SjlTQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1EW
  lQtREFFNC02TkJQLUJSQ08tUzVUTC01Q1E2LVNDWTMiLAogICAgICAiUHVibGljUG
  FyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICA
  gICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJpM1hia3lpT201
  WnlXaWxBeU9DZnFUalBMaUtVLUgyNTJZVUdqRVd3MWgtZ2haR3Nkb09aCiAgcXRkQ
  0k4Q0hRYWtzS3JHTWZDdDMxbjRBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IH
  sKICAgICAgIlVkZiI6ICJNQk1DLVE3SFctNUlOSy1RU1pPLVBLRFEtS01aNS1BT01
  GIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl
  eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Y
  mxpYyI6ICJSX08tZnpLUnp4aExsdHh1Nko5VG05MVNHSWFCY2g0LXFfNnFwNTZ4WU
  YtVTZqa0hSall2CiAgT2hjNm12OUdLOVhNUjZtVFNOUEstV0tBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE",
            "signature":"VFD-9f8AXHdm38HR7y7JKsPStGNRu7wW5SXsJgc1
  lbRyzQ0XVyDyNtqR5el9TCEuJKC0vU4lq4QAQfzJlUaa-viM7xhTcvJhVZ_YGiYEW
  wq3Nb1-sortDNUdi7FGmG9C5Nh-ErWxy2oKkH8Nht19LDQA"}
          ],
        "PayloadDigest":"PRkvfQ8djpN_Z3tY_p8qPRR4rTy_ZFEFW_WAqBcQ
  2WpffnNZf_dPVKtW1XW9IpGjxYg2h0zB-hSVnCWViSUiEQ"}
      ],
    "EnvelopedConnectionDevice":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW
  9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJ
  DcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDdaIn0"},
      "ewogICJDb25uZWN0aW9uRGV2aWNlIjogewogICAgIkF1dGhlbnRpY2F0aW
  9uIjogewogICAgICAiVWRmIjogIk1BQkMtTEdZNS1CVTJPLVNBWk4tREoyRS1TM0N
  CLUJHNjUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVi
  bGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgI
  CAiUHVibGljIjogIlg2VGhfSDhCWTgtc0R6cnVjVVdxeEtHNWFZaHp4U1QtdnQxOU
  k5SjlPN05pZ0RmMWZoRHEKICBmQk9aVlpPblA4WDVXUzJCSVhkN0o5U0EifX19LAo
  gICAgIlNpZ25hdHVyZSI6IHsKICAgICAgIlVkZiI6ICJNRFpULURBRTQtNk5CUC1C
  UkNPLVM1VEwtNUNRNi1TQ1kzIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7C
  iAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkND
  Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAiaTNYYmt5aU9tNVp5V2lsQXlPQ2ZxVGp
  QTGlLVS1IMjUyWVVHakVXdzFoLWdoWkdzZG9PWgogIHF0ZENJOENIUWFrc0tyR01m
  Q3QzMW40QSJ9fX0sCiAgICAiRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQ
  UJDLUxHWTUtQlUyTy1TQVpOLURKMkUtUzNDQi1CRzY1IiwKICAgICAgIlB1YmxpY1
  BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICA
  gICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJYNlRoX0g4Qlk4
  LXNEenJ1Y1VXcXhLRzVhWWh6eFNULXZ0MTlJOUo5TzdOaWdEZjFmaERxCiAgZkJPW
  lZaT25QOFg1V1MyQklYZDdKOVNBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP",
            "signature":"r-JxVZxihprjMs3buV4yqmgXO7NdXlAEI-Cn2nYF
  HB3rlbcNPwmi5z_0f5HpAXkQfFlVJefnxsMAffF8GNbOocmVEdaIXR8rHDkBMa1xd
  6iCaWZdv8SAGdTHK0wLHkeAUDGj2wXsINFTMfDqhh_TjRUA"}
          ],
        "PayloadDigest":"aT7dqhsuhW15GSExnBrO1nHQqAcT-uLaCUkJPhqg
  AevgNUtTUuWkHC63T2ensFiSjCAAXd1YOvp7L8V7twmvZg"}
      ],
    "EnvelopedConnectionService":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW
  9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICA
  iQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9"},
      "ewogICJDb25uZWN0aW9uU2VydmljZSI6IHsKICAgICJBdXRoZW50aWNhdG
  lvbiI6IHsKICAgICAgIlVkZiI6ICJNQUJDLUxHWTUtQlUyTy1TQVpOLURKMkUtUzN
  DQi1CRzY1IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1
  YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgI
  CAgIlB1YmxpYyI6ICJYNlRoX0g4Qlk4LXNEenJ1Y1VXcXhLRzVhWWh6eFNULXZ0MT
  lJOUo5TzdOaWdEZjFmaERxCiAgZkJPWlZaT25QOFg1V1MyQklYZDdKOVNBIn19fX1
  9",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP",
            "signature":"BwF9R7byEqkzaUblEujRrko0zPuHn7NwH__14VRv
  YH0jTblJSrmG40hujXOKqs9ElXe8F0jM26EAXm6l0Okhi_stdxotXwa8CHLZgzTGO
  T9qEKdJElqkZIWLYJ9Tv_vM-VowlOz7jlzP4ThsVkI4fhcA"}
          ],
        "PayloadDigest":"KUSigElHIQenRINVDSSgH5M9Dt5GJLzKUk5yylWM
  TNdJ_4bW-JKREQiwutelFZvKv0-rX4XFnfBPwzmUflNY2A"}
      ],
    "PrivateKey":{
      "PrivateKeyUDF":{
        "PrivateValue":"ZAAQ-APQL-QS4L-SY3L-RER2-TYEA-V4EF-Q3OB-6N2
F-DKDP-UJQ6-KXUN-LI2H-7RXH",
        "KeyType":"MeshProfileDevice"}},
    "ConnectUri":"mcu://maker@example.com/EC6P-KOIX-T3B4-YIKE-OLX3-
BUUD-64"}}

An EARL is created specifying the means by which an administration device can acquire the information required to complete a connection to the device:

QR = {Connect.ConnectEARL}

The preconfigured ProfileDevice is encrypted under the encryption key and published to the location key derived from the EARL.

9.2.2. Phase 2 & 3

The administration device scans the QR code and obtains the Device Description using the Claim operation as shown in section $$$$. The administration device creates the ActivationDevice and CatalogedDevice records and populates the service as before.

Alice> account connect ^
    mcu://maker@example.com/EC6P-KOIX-T3B4-YIKE-OLX3-BUUD-64 /web

9.2.3. Phase 4

The device polls the publication service until a claim message is returned.

Alice4> device complete
   Device UDF = MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE
   Account = alice@example.com
   Account UDF = MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA

9.2.4. Phase 5

Having been advised that an account has published a claim to bind to it, the device posts a connection Complete request to the specified account and completes the connection process as before.

10. Protocol Schema

HTTP Well Known Service Prefix: /.well-known/mmm

Every Mesh Portal Service transaction consists of exactly one request followed by exactly one response. Mesh Service transactions MAY cause modification of the data stored in the Mesh Service or the Mesh itself but do not cause changes to the connection state. The protocol itself is thus idempotent. There is no set sequence in which operations are required to be performed. It is not necessary to perform a Hello transaction prior to any other transaction.

10.1. Request Messages

A Mesh Portal Service request consists of a payload object that inherits from the MeshRequest class. When using the HTTP binding, the request MUST specify the portal DNS address in the HTTP Host field.

10.1.1. Message: MeshRequest

Base class for all request messages.

[No fields]

10.1.2. Message: MeshRequestUser

Base class for all request messages made by a user.

Inherits: MeshRequest
Account: String (Optional)

The fully qualified account name (including DNS address) to which the request is directed.

EnvelopedProfileDevice: Enveloped (Optional)

Device profile of the device making the request.

10.2. Response Messages

A Mesh Portal Service response consists of a payload object that inherits from the MeshResponse class. When using the HTTP binding, the response SHOULD report the Status response code in the HTTP response message. However the response code returned in the payload object MUST always be considered authoritative.

10.2.1. Message: MeshResponse

Base class for all response messages. Contains only the status code and status description fields.

[No fields]

10.3. Imported Objects

The Mesh Service protocol makes use of JSON objects defined in the JOSE Signature and Encryption specifications and in the DARE Data At Rest Encryption extensions to JOSE.

10.4. Common Structures

The following common structures are used in the protocol messages:

10.4.1. Structure: KeyValue

Describes a Key/Value structure used to make queries for records matching one or more selection criteria.

Key: String (Optional)

The data retrieval key.

Value: String (Optional)

The data value to match.

10.4.2. Structure: ConstraintsSelect

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

Container: String (Optional)

The container to be searched.

IndexMin: Integer (Optional)

Only return objects with an index value that is equal to or higher than the value specified.

IndexMax: Integer (Optional)

Only return objects with an index value that is equal to or lower than the value specified.

NotBefore: DateTime (Optional)

Only data published on or after the specified time instant is requested.

Before: DateTime (Optional)

Only data published before the specified time instant is requested. This excludes data published at the specified time instant.

PageKey: String (Optional)

Specifies a page key returned in a previous search operation in which the number of responses exceeded the specified bounds.

When a page key is specified, all the other search parameters except for MaxEntries and MaxBytes are ignored and the service returns the next set of data responding to the earlier query.
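The selection and paging rules above, sketched from the service side as an added example (not code from this draft or from the Mesh reference implementation). The ContainerStore class, the container name, the single-use opaque page key and the rule that MaxEntries must be at least 1 are assumptions made for illustration; the draft does not say how a PageKey is formed, and only MaxEntries is modelled here.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Entry:
    index: int
    published: datetime

def matches(entry, select):
    """Apply the ConstraintsSelect bounds; an absent field means no constraint."""
    if "IndexMin" in select and entry.index < select["IndexMin"]:
        return False                     # IndexMin is inclusive
    if "IndexMax" in select and entry.index > select["IndexMax"]:
        return False                     # IndexMax is inclusive
    if "NotBefore" in select and entry.published < select["NotBefore"]:
        return False                     # NotBefore is inclusive
    if "Before" in select and entry.published >= select["Before"]:
        return False                     # Before excludes the instant itself
    return True

class ContainerStore:
    """Hypothetical in-memory service side, for illustration only."""
    def __init__(self, containers):
        self.containers = containers     # container name -> entries ordered by index
        self.pages = {}                  # PageKey -> (original select, index to resume at)

    def download(self, select, max_entries):
        if max_entries < 1:
            raise ValueError("MaxEntries must be at least 1")
        resume = 0
        if "PageKey" in select:
            # Continuation: the stored query is used and every other field the
            # client sent in this ConstraintsSelect is ignored. Keys are single
            # use here (an assumption), so an unknown key raises KeyError.
            select, resume = self.pages.pop(select["PageKey"])
        hits = [e for e in self.containers[select["Container"]]
                if e.index >= resume and matches(e, select)]
        page, rest = hits[:max_entries], hits[max_entries:]
        page_key = None
        if rest:
            page_key = secrets.token_urlsafe(16)   # opaque, unguessable token
            self.pages[page_key] = (select, rest[0].index)
        return page, page_key

# Constructed sample data: six entries published one minute apart.
T0 = datetime(2021, 10, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE = ContainerStore(
    {"example_catalog": [Entry(i, T0 + timedelta(minutes=i)) for i in range(1, 7)]})
```

Because the continuation runs the stored query, a client cannot widen the original selection by attaching different bounds to a page key.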

10.4.3. Structure: ConstraintsData

Specifies constraints on the data to be sent.

MaxEntries: Integer (Optional)

Maximum number of entries to send.

BytesOffset: Integer (Optional)

Specifies an offset to be applied to the payload data before it is sent. This allows large payloads to be transferred incrementally.

BytesMax: Integer (Optional)

Maximum number of payload bytes to send.

Header: Boolean (Optional)

Return the entry header

Payload: Boolean (Optional)

Return the entry payload

Trailer: Boolean (Optional)

Return the entry trailer

10.4.4. Structure: PolicyAccount

Describes the account creation policy including constraints on account names, whether there is an open account creation policy, etc.

Minimum: Integer (Optional)

Specifies the minimum length of an account name.

Maximum: Integer (Optional)

Specifies the maximum length of an account name.

InvalidCharacters: String (Optional)

A list of characters that the service does not accept in account names. The list of characters MAY not be exhaustive but SHOULD include any illegal characters in the proposed account name.

10.4.5. Structure: ContainerStatus

Container: String (Optional)
Index: Integer (Optional)
Digest: Binary (Optional)

10.4.6. Structure: ContainerUpdate

Inherits: ContainerStatus
Envelopes: DareEnvelope [0..Many]

The entries to be uploaded.

10.5. Transaction: Hello

Request: HelloRequest
Response: MeshHelloResponse

Report service and version information.

The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.

The PostConstraints field MAY be used to advise senders of a maximum size of payload that MAY be sent in an initial Post request.

10.5.1. Message: MeshHelloResponse

ConstraintsUpdate: ConstraintsData (Optional)

Specifies the default data constraints for updates.

ConstraintsPost: ConstraintsData (Optional)

Specifies the default data constraints for message senders.

PolicyAccount: PolicyAccount (Optional)

Specifies the account creation policy

EnvelopedProfileService: Enveloped (Optional)

The enveloped master profile of the service.

EnvelopedProfileHost: Enveloped (Optional)

The enveloped profile of the host.

10.6. Transaction: BindAccount

Request: BindRequest
Response: BindResponse

Request creation of a new service account or group.

Attempt

10.6.1. Message: BindRequest

Request binding of an account to a service address.

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account to bind to.

EnvelopedProfileAccount: Enveloped (Optional)

The signed assertion describing the account.

10.6.2. Message: BindResponse

Inherits: MeshResponse

Reports the success or failure of a Create transaction.

Reason: String (Optional)

Text explaining the status of the creation request.

URL: String (Optional)

A URL to which the user is directed to complete the account creation request.

10.7. Transaction: UnbindAccount

Request: UnbindRequest
Response: UnbindResponse

Request deletion of a service account.

10.7.1. Message: UnbindRequest

Request creation of a new portal account. The request specifies the requested account identifier and the Mesh profile to be associated with the account.

Inherits: MeshRequestUser

[No fields]

10.7.2. Message: UnbindResponse

Inherits: MeshResponse

Reports the success or failure of a Delete transaction.

[No fields]

10.8. Transaction: Connect

Request: ConnectRequest
Response: ConnectResponse

Request information necessary to begin making a connection request.

10.8.1. Message: ConnectRequest

Inherits: MeshRequest
EnvelopedRequestConnection: Enveloped (Optional)

The connection request generated by the client

Rights: String [0..Many]

List of named access rights.

10.8.2. Message: ConnectResponse

Inherits: MeshResponse
EnvelopedAcknowledgeConnection: Enveloped (Optional)

The connection request generated by the client

EnvelopedProfileAccount: Enveloped (Optional)

The user profile that provides the root of trust for this Mesh

10.9. Transaction: Complete

Request: CompleteRequest
Response: CompleteResponse

10.9.1. Message: CompleteRequest

Inherits: StatusRequest
AccountAddress: String (Optional)
ResponseID: String (Optional)

10.9.2. Message: CompleteResponse

Inherits: MeshResponse
EnvelopedRespondConnection: Enveloped (Optional)

The signed assertion describing the result of the connect request

10.10. Transaction: Status

Request: StatusRequest
Response: StatusResponse

10.10.1. Message: StatusRequest

Inherits: MeshRequestUser
DeviceUDF: String (Optional)
ProfileMasterDigest: Binary (Optional)
Catalogs: String [0..Many]
Spools: String [0..Many]

10.10.2. Message: StatusResponse

Inherits: MeshResponse
EnvelopedProfileAccount: Enveloped (Optional)

The account profile providing the root of trust for this account.

EnvelopedCatalogedDevice: Enveloped (Optional)

The catalog device entry

ContainerStatus: ContainerStatus [0..Many]

10.11. Transaction: Download

Request: DownloadRequest
Response: DownloadResponse

Request objects from the specified container with the specified search criteria.

10.11.1. Message: DownloadRequest

Inherits: MeshRequestUser

Request objects from the specified container(s).

A client MAY request only objects matching specified search criteria be returned and MAY request that only specific fields or parts of the payload be returned.

Select: ConstraintsSelect [0..Many]

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

ConstraintsPost: ConstraintsData (Optional)

Specifies the data constraints to be applied to the responses.

10.11.2. Message: DownloadResponse

Inherits: MeshResponse

Return the set of objects requested.

Services SHOULD NOT return a response that is disproportionately large relative to the speed of the network connection without a clear indication from the client that it is relevant. A service MAY limit the number of objects returned. A service MAY limit the scope of each response.

Updates: ContainerUpdate [0..Many]

The updated data

10.12. Transaction: Transact

Request: TransactRequest
Response: TransactResponse

Attempt an atomic transaction on the containers and spools associated with an account.

10.12.1. Message: TransactRequest

Inherits: MeshRequestUser

Upload entries to a container. This request is only valid if it is issued by the owner of the account.

Updates: ContainerUpdate [0..Many]

The data to be updated

Accounts: String [0..Many]

The account(s) to which the request is directed.

Outbound: Enveloped [0..Many]

The messages to be sent to other accounts

Inbound: Enveloped [0..Many]

Messages to be appended to the user's inbound spool. This is typically used to post notifications to the user to mark messages as having been read or responded to.

Local: Enveloped [0..Many]

Messages to be appended to the user's local spool. This is used to allow connecting devices to collect activation messages before they have connected to the mesh.

10.12.2. Message: TransactResponse

Inherits: MeshResponse

Response to an upload request.

Entries: EntryResponse [0..Many]

The responses to the entries.

ConstraintsData: ConstraintsData (Optional)

If the upload request contains redacted entries, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

10.12.3. Structure: EntryResponse

IndexRequest: Integer (Optional)

The index value of the entry in the request.

IndexContainer: Integer (Optional)

The index value assigned to the entry in the container.

Result: String (Optional)

Specifies the result of attempting to add the entry to a catalog or spool. Valid values for a message are 'Accept', 'Reject'. Valid values for an entry are 'Accept', 'Reject' and 'Conflict'.

ConstraintsData: ConstraintsData (Optional)

If the entry was redacted, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

10.13. Transaction: Post

Request: PostRequest
Response: PostResponse

Request to post to a spool from an external party. The request and response messages are extensions of the corresponding messages for the Upload transaction. It is expected that additional fields will be added as the need arises.

10.13.1. Message: PostRequest

Inherits: MeshRequest
Accounts: String [0..Many]

The account(s) to which the request is directed.

Messages: Enveloped [0..Many]

The messages to be sent to the addresses specified in Accounts.

10.13.2. Message: PostResponse

Inherits: TransactResponse

[No fields]

10.14. Transaction: Claim

Request: ClaimRequest
Response: ClaimResponse

Claim a publication

10.14.1. Message: ClaimRequest

Inherits: MeshRequest
EnvelopedMessageClaim: Enveloped (Optional)

The claim message

10.14.2. Message: ClaimResponse

Inherits: MeshResponse
CatalogedPublication: CatalogedPublication (Optional)

The encrypted device profile

10.15. Transaction: PollClaim

Request: PollClaimRequest
Response: PollClaimResponse

Check party making claim

10.15.1. Message: PollClaimRequest

Inherits: MeshRequest
PublicationId: String (Optional)

The envelope identifier formed from the PublicationId.

TargetAccountAddress: String (Optional)

Account to which the claim is directed

10.15.2. Message: PollClaimResponse

Inherits: MeshResponse
EnvelopedMessage: Enveloped (Optional)

The claim message

10.15.3. Structure: CryptographicOperation

KeyId: String (Optional)

The key identifier

KeyCoefficient: Binary (Optional)

Lagrange coefficient multiplier to be applied to the private key

10.15.4. Structure: CryptographicOperationSign

Inherits: CryptographicOperation
Data: Binary (Optional)

The data to sign

PartialR: Binary (Optional)

Contribution to the R offset.

10.15.5. Structure: CryptographicOperationKeyAgreement

Inherits: CryptographicOperation

[No fields]

10.15.6. Structure: CryptographicOperationGenerate

Inherits: CryptographicOperation

[No fields]

10.15.7. Structure: CryptographicOperationShare

Inherits: CryptographicOperation
Threshold: Integer (Optional)
Shares: Integer (Optional)
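How the Threshold and Shares fields relate to the KeyCoefficient of 10.15.3, as an added worked example (not code from this draft or from the Mesh reference implementation). It assumes Shamir sharing over the Ed25519 subgroup order, with share holders numbered 1..Shares; the function names are hypothetical, and the scaled shares are summed in the clear only to check the arithmetic.

```python
import secrets

# Assumption: scalars are taken modulo the Ed25519 prime subgroup order.
# The draft does not state which group a given KeyId uses.
Q = 2**252 + 27742317777372353535851937790883648493

def split_key(private_key, threshold, shares):
    """Shamir split: share x is f(x) for a random polynomial of degree
    threshold-1 with f(0) equal to the private key."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= Threshold <= Shares")
    coeffs = [private_key % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q
            for x in range(1, shares + 1)}

def key_coefficient(x_i, participants):
    """Lagrange coefficient at 0 for holder x_i within this participant set."""
    if x_i not in participants or len(set(participants)) != len(participants):
        raise ValueError("participants must be distinct and include x_i")
    num = den = 1
    for x_j in participants:
        if x_j != x_i:
            num = num * x_j % Q            # product of x_j
            den = den * (x_j - x_i) % Q    # product of (x_j - x_i)
    return num * pow(den, -1, Q) % Q

def partial(share, coefficient):
    """One holder's contribution: its share scaled by its KeyCoefficient."""
    return share * coefficient % Q

def combine(shares, participants):
    """Sum of scaled shares; equals the key when at least Threshold holders
    take part and each uses the coefficient for this exact participant set."""
    return sum(partial(shares[x], key_coefficient(x, participants))
               for x in participants) % Q
```

The coefficient depends on which holders participate, so it has to be computed per operation for the chosen set rather than stored alongside the share.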

10.15.8. Structure: CryptographicResult

Error: String (Optional)

10.15.9. Structure: CryptographicResultKeyAgreement

Inherits: CryptographicResult

[No fields]

10.15.10. Structure: CryptographicResultShare

Inherits: CryptographicResult

[No fields]

10.16. Transaction: Operate

Request: OperateRequest
Response: OperateResponse

Perform a set of cryptographic operations

10.16.1. Message: OperateRequest

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account the capability is bound to

10.16.2. Message: OperateResponse

Inherits: MeshResponse

[No fields]

11. Security Considerations

The security considerations for use and implementation of Mesh services and applications are described in the Mesh Security Considerations guide [draft-hallambaker-mesh-security].

12. IANA Considerations

All the IANA considerations for the Mesh documents are specified in this document.

13. Acknowledgements

A list of people who have contributed to the design of the Mesh is presented in [draft-hallambaker-mesh-architecture].

14. Normative References

[draft-hallambaker-jsonbcd]
Hallam-Baker, P., "Binary Encodings for JavaScript Object Notation: JSON-B, JSON-C, JSON-D", Work in Progress, Internet-Draft, draft-hallambaker-jsonbcd-21, <https://datatracker.ietf.org/doc/html/draft-hallambaker-jsonbcd-21>.
[draft-hallambaker-mesh-architecture]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part I: Architecture Guide", Work in Progress, Internet-Draft, draft-hallambaker-mesh-architecture-18, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-architecture-18>.
[draft-hallambaker-mesh-rud]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part VI: Reliable User Datagram", Work in Progress, Internet-Draft, draft-hallambaker-mesh-rud-00, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-rud-00>.
[draft-hallambaker-mesh-schema]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IV: Schema Reference", Work in Progress, Internet-Draft, draft-hallambaker-mesh-schema-08, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-schema-08>.
[draft-hallambaker-mesh-security]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IX Security Considerations", Work in Progress, Internet-Draft, draft-hallambaker-mesh-security-08, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-security-08>.
[draft-hallambaker-mesh-udf]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part II: Uniform Data Fingerprint.", Work in Progress, Internet-Draft, draft-hallambaker-mesh-udf-14, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-udf-14>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/rfc/rfc2119>.

15. Informative References

[draft-hallambaker-mesh-developer]
Hallam-Baker, P., "Mathematical Mesh: Reference Implementation", Work in Progress, Internet-Draft, draft-hallambaker-mesh-developer-10, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-developer-10>.