Network Working Group | P. Hallam-Baker |
Internet-Draft | Comodo Group Inc. |
Intended status: Standards Track | January 14, 2016 |
Expires: July 17, 2016 |
Mathematical Mesh: Reference
draft-hallambaker-mesh-reference-01
The Mathematical Mesh ?The Mesh? is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. The core protocols of the Mesh are described with examples of common use cases and reference data.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 17, 2016.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
NB: The reference material in this document is generated from the schema used to derive the source code. The tool used to create this material has not been optimized to produce output for the IETF documentation format at this time. Consequently the formatting is currently sub-optimal.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
A profile is a first class object. It has a globally unique identifier that provides an unambiguous reference to the profile in any situation.
A record describes the state of an object at the completion of a specific Transaction.
A transaction is an event in which the state of an object changes. Every transaction has a globally unique transaction identifier. Transaction identifiers are issued in a monotonic sequence such that a transaction that completes at time t1 will always have a lower transaction identifier than one that begins at time t2 where t2 > t1.
The master profile contains the axioms of trust for a Mesh user.
Globally unique identifier that remains constant for the lifetime of the entry.
Contains a signed profile entry
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Contains a signed device profile
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Contains a signed Personal master profile
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Contains a signed Personal current profile
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Contains a signed device profile
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Contains an encrypted profile entry
Globally unique identifier that remains constant for the lifetime of the entry.
The signed and encrypted profile
Parent class from which all profile types are derrived
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
Describes the long term parameters associated with a personal profile.
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
The root of trust for the Personal PKI, the public key of the PMSK is presented as a self-signed X.509v3 certificate with Certificate Signing use enabled. The PMSK is used to sign certificates for the PMEK, POSK and PKEK keys.
A Personal Profile MAY contain one or more PMEK keys to enable escrow of private keys used for stored data.
A Personal profile contains at least one POSK which is used to sign device administration application profiles.
Describes the current applications and devices connected to a personal master profile.
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
The corresponding master profile. The profile MUST be signed by the PMSK.
The set of device profiles connected to the profile. The profile MUST be signed by the DSK in the profile.
Application profiles connected to this profile.
The unique identifier of the application
The application type
Optional friendly name identifying the application.
List of devices authorized to sign application profiles
List of devices authorized to read private parts of application profiles
Describes a mesh device.
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
Description of the device
Key used to sign certificates for the DAK and DEK. The fingerprint of the DSK is the UniqueID of the Device Profile
Key used to authenticate requests made by the device.
Key used to pass encrypted data to the device such as a DeviceUseEntry
Private portion of device encryption profile.
Private portion of the DeviceSignatureKey
Private portion of the DeviceAuthenticationKey
Private portion of the DeviceEncryptiontionKey
Parent class from which all application profiles inherit.
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
Encrypted application data
Stores usernames and passwords
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
Encrypted application data
[TBS]
Username password entry for a single site
DNS name of site *.example.com matches www.example.com etc.
Case sensitive username
Case sensitive password.
Public profile describes mail receipt policy. Private describes Sending policy
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
Encrypted application data
The current OpenPGP encryption key
The current S/MIME encryption key
Describes a mail account configuration
Private profile contains connection settings for the inbound and outbound mail server(s) and cryptographic private keys. Public profile may contain security policy information for the sender.
The RFC822 Email address. [e.g. "alice@example.com"]
The RFC822 Reply toEmail address. [e.g. "alice@example.com"]
When set, allows a sender to tell the receiver that replies to this account should be directed to this address.
The Display Name. [e.g. "Alice Example"]
The Account Name for display to the app user [e.g. "Work Account"]
The Inbound Mail Connection(s). This is typically IMAP4 or POP3
If multiple connections are specified, the order in the sequence indicates the preference order.
The Outbound Mail Connection(s). This is typically SMTP/SUBMIT
If multiple connections are specified, the order in the sequence indicates the preference order.
The public keypair(s) for signing and decrypting email.
If multiple public keys are specified, the order indicates preference.
The public keypairs for encrypting and decrypting email.
If multiple public keys are specified, the order indicates preference.
Describes the network profile to follow
Globally unique identifier that remains constant for the lifetime of the entry.
Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse.
The time instant the profile was last modified.
A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.
Encrypted application data
Describes the network profile to follow
DNS name of sites to which profile applies *.example.com matches www.example.com etc.
DNS Resolution Services
DNS prefixes to search
Certificate Trust List giving WebPKI roots to trust
List of UDF fingerprints of keys making up the trust roots to be accepted for Web PKI purposes.
Contains escrowed data
Globally unique identifier that remains constant for the lifetime of the entry.
[TBS]
Contains data escrowed using the offline escrow mechanism.
Globally unique identifier that remains constant for the lifetime of the entry.
[TBS]
Contains data escrowed using the online escrow mechanism.
Globally unique identifier that remains constant for the lifetime of the entry.
[TBS]
A set of escrowed keys.
The escrowed keys.
Describes network connection parameters for an application
DNS address of the server
TCP/UDP Port number
DNS service prefix as described in [RFC6335]
Describes the security mode to use. Valid choices are Direct/Upgrade/None
Username to present to the service for authentication
Password to present to the service for authentication
Service connection parameters in URI format
List of the supported/acceptable authentication mechanisms, preferred mechanism first.
Service timeout in seconds.
If set, the client should poll the specified service intermittently for updates.
Container for JOSE encrypted data and related attributes.
[TBS]
Container for JOSE signed data and related attributes.
[TBS]
Container for public key pair data
UDF fingerprint of the key
List of X.509 Certificates
X.509 Certificate chain.
X.509 Certificate Signing Request.
[TBS]
[TBS]
[TBS]
[TBS]
[TBS]
[TBS]
[TBS]
Contains a signed connection request
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Contains a signed connection request
Globally unique identifier that remains constant for the lifetime of the entry.
The signed profile
Report service and version information.
The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.
Request validation of a proposed name for a new account.
For validation of a user's account name during profile creation.
Request creation of a new mesh account.
Unlike a profile, a mesh account is specific to a particular Mesh portal. A mesh account must be created and accepted before a profile can be published.
Publish a profile or key escrow entry to the mesh.
Search for data in the mesh that matches a set of keys.
Request a bulk transfer of the log between the specified transaction identifiers. Requires appropriate authorization
[Not currently implemented]
Request the current status of the mesh as seen by the portal to which it is directed.
The response to the status request contains the last signed checkpoint and proof chains for each of the peer portals that have been checkpointed.
[Not currently implemented]
Request connection of a new device to a mesh profile
Request status of pending connection request of a new device to a mesh profile
Request status of pending connection request of a new device to a mesh profile
Request status of pending connection request of a new device to a mesh profile
[None]
[None]
[None]
Enumerates the protocol versions supported
Enumerates alternate protocol version(s) supported
Account name requested
If true, request a reservation for the specified account name. Note that the service is not obliged to honor reservation requests.
List of ISO language codes in order of preference. For creating explanatory text.
[TBS]
[TBS]
A list of characters from the requested account that the service does not accept in account names.
Text explaining the reason an account name was rejected.
Account name requested
[None]
[None]
[None]
Lookup by profile ID
Lookup by Account ID
List of KeyValue pairs specifying the conditions to be met
[TBS]
[TBS]
If true return multiple responses if available
[None]
List of mesh data records matching the request.
[None]
[None]
Time that the last write update was made to the Mesh
Time that the last Mesh checkpoint was calculated.
Time at which the next Mesh checkpoint should be calculated.
Last checkpoint value.
[None]
Major version number of the service protocol. A higher
Minor version number of the service protocol.
Enumerates alternative encodings (e.g. ASN.1, XML, JSON-B) if supported by the server
The preferred URI for this service. This MAY be used to effect a redirect in the case that a service moves.
The IANA encoding name
For encodings that employ a named dictionary for tag or data compression, the name of the dictionary as defined by that encoding scheme.
[TBS]
[TBS]
Time the pending item was created.
Time the pending item was last modified.
Entry containing the UniqueID is Account[Name]-[Portal] Indexed by [Name], [UserProfileUDF] [Most recent open]
Time the pending item was created.
Time the pending item was last modified.
Assigned account identifier, e.g. 'alice@example.com'. Account names are not case sensitive.
Fingerprint of associated user profile
Status of the account, valid values are 'Open', 'Closed', 'Suspended'
Time the pending item was created.
Time the pending item was last modified.
Assigned account identifier, e.g. 'alice@example.com'. Account names are not case sensitive.
Fingerprint of associated user profile
Status of the account, valid values are 'Open', 'Closed', 'Suspended'
[TBS]
Object containing the list of currently pending device connection requests for the specified account. Unique-ID is ConnectionsPending-[UserProfileUDF]
Time the pending item was created.
Time the pending item was last modified.
Assigned account identifier, e.g. 'alice@example.com'. Account names are not case sensitive.
Fingerprint of associated user profile
Status of the account, valid values are 'Open', 'Closed', 'Suspended'
List of pending requests
TBS
All the IANA considerations for the Mesh documents are specified in this document
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC6335] | Cotton, M., Eggert, L., Touch, J., Westerlund, M. and S. Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, RFC 6335, DOI 10.17487/RFC6335, August 2011. |