Internet-Draft Mesh Protocol Reference November 2020
Hallam-Baker Expires 6 May 2021 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-hallambaker-mesh-protocol
Published:
Intended Status:
Informational
Expires:
Author:
P. M. Hallam-Baker
ThresholdSecrets.com

Mathematical Mesh 3.0 Part V: Protocol Reference

Abstract

The Mathematical Mesh 'The Mesh' is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. The core protocols of the Mesh are described with examples of common use cases and reference data.

[Note to Readers]

Discussion of this draft takes place on the MATHMESH mailing list (mathmesh@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=mathmesh.

This document is also available online at http://mathmesh.com/Documents/draft-hallambaker-mesh-protocol.html.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 6 May 2021.

Table of Contents

1. Introduction

This document describes the Mesh Service protocol supported by Mesh Services, an account-based protocol that facilitates exchange of data between devices connected to a Mesh profile and between Mesh accounts.

Mesh Service Accounts support the following services:

A Mesh Profile MAY be bound to multiple Mesh Service Accounts at the same time but only one Mesh Service Account is considered to be authoritative at a time. Users may add or remove Mesh Service Accounts and change the account designated as authoritative at any time.

The Mesh Services are build from a very small set of primitives which provide a surprisingly extensive set of capabilities. These primitives are:

Hello

Describes the features and options provided by the service and provides a 'null' transaction which MAY be used to establish an authentication ticket without performing any action,

CreateAccount, DeleteAccount

Manage the creation and deletion of accounts at the service.

Status, Download, Upload

Support synchronization of Mesh containers between the service (Master) and the connected devices (Replicas).

Connect

Initiate the process of connecting a device to a Mesh profile from the device itself.

Post

Request that a Mesh Message be transferred to one or more Mesh Accounts.

Although these functions could in principle be used to replace many if not most existing Internet application protocols, the principal value of any communication protocol lies in the size of the audience it allows them to communicate with. Thus, while the Mesh Messaging service is designed to support efficient and reliable transfer of messages ranging in size from a few bytes to multiple terabytes, the near-term applications of these services will be to applications that are not adequately supported by existing protocols if at all.

2. Definitions

This section presents the related specifications and standard, the terms that are used as terms of art within the documents and the terms used as requirements language.

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2. Defined Terms

The terms of art used in this document are described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture].

2.4. Implementation Status

The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer].

3. Mesh Protocols

The Mesh specifies two separate types of protocol interactions:

Mesh Service Protocol

A synchronous protocol supporting interactions between devices and a Mesh Service Host and between Mesh Service hosts.

Mesh Messaging Protocol

An asynchronous protocol that supports interactions between devices connected to the same account and between accounts.

The Mesh Messaging Protocol uses the Mesh Service Protocol as transport. The Mesh Service Protocol in turn is supported by either the HTTPS binding over TCP or by the Mesh Datagram binding over UDP.

v l S C s r s D c o r H T h s M c P g P l t T a e s S P o o P n o i h P e T U g t i e o t L s S m h T M a M e e r o D g M r a c a e
Figure 1

Mesh Services MUST support the HTTPS binding and MAY support the Mesh Datagram binding.

4. Mesh Service

A Mesh Service is a minimally trusted service. In particular a user does not need to trust a Mesh service to protect the confidentiality or integrity of most data stored in the account catalogs and spools.

Unless the use of the Mesh Service is highly restricted, a user does need to trust the Mesh Service in certain respects:

Data Loss

A service could refuse to respond to requests to download data.

Integrity (Stale Data)

The use of Merkle Trees limits but does not eliminate the ability of a Mesh Service to respond to requests with stale data.

Messaging

A service could reject requests to post messages to or accept messages from other mesh users.

This risk is a necessary consequence of the fact that the Mesh Service Provider is accountable to other Mesh Service Providers for abuse originating from their service.

Traffic analysis

A Mesh Service has knowledge of the number of Mesh Messages being sent and received by its users and the addresses to which they are being sent to or received from.

The need to trust the Mesh Service in these respects is mitigated by accountability and the user's ability to change Mesh Service providers at any time they choose with minimal inconvenience.

It is possible that some of these risks will be reduced in future versions of the Mesh Service Protocol but it is highly unlikely that these can be eliminated entirely without compromising practicality or efficiency.

4.1. Data Model

The design of the Mesh Service model followed a quasi-formal approach in which the system was reduced to schemas which could in principle be rendered in a formal development method but without construction of proofs.

Like the contents of Mesh Accounts, a Mesh Service may be represented by a collection of catalogs and spools, for example:

Account Catalog

Contains the account entries.

Incident Spool

Reports of potential abuse

Backup of the service MAY be implemented using the same container synchronization mechanism used to synchronize account catalogs and spools.

4.2. Partitioning

Mesh Services supporting a large number of accounts or large activity volume MAY partition the account catalog between one or more hosts using the usual tiered service model in which a front-end server receives traffic for any account hosted at the server and routes the request to the back-end service that provides the persistence store for that account.

In addition, the Mesh Service Protocol supports a 'direct connection' partitioning model in which devices are given a DNS name which MAY allow for direct connection to the persistence host or to a front-end service offering service that is in some way specific to that account.

5. Protocol Bindings

Mesh Service transactions are mapped to an underlying messaging and transport protocol. The following binding

Mesh Services MUST support the Web Service binding specified in this document and MAY support the UDP binding currently in development.

5.1. DNS Web Service Discovery

The DNS Web Service discovery mechanism is used to discover Mesh Services regardless of the protocol binding .The service name, DNS prefix and and .well-known service suffix are specified as follows:

  • Service Name: mmm
  • DNS Prefix: _mmm._tcp
  • Well Known service suffix: /.well-known/mmm

5.2. Web Service Protocol Binding

The Web Service Protocol binding makes use of the most widely deployed and used protocols:

  • Discovery: DNS Service discovery
  • Transport: TLS
  • Application: HTTP
  • Presentation: DARE Message
  • Encoding: JSON, JSON-B

The chief limitations of the Web Service Protocol Binding are that the use of TCP based transport results in unsatisfactory latency for some applications and that the HTTP application layer only serves to allow a host to support multiple services on the same TCP/IP port.

5.2.1. Transport Security

Mesh Services MUST offer TLS transport and MAY offer non TLS transport. MESH clients SHOULD use TLS transport when connecting to a MESH service.

TLS version 1.3 [RFC8446] or higher MUST be supported. Client authentication SHOULD NOT be used.

5.2.2. HTTP Message Binding

All messages are exchanged as HTTP POST transactions. Support for and use of HTTP/1.1 [RFC7230] is REQUIRED. Services MAY support HTTP/2.

In contrast to other approaches to the design of Web Services, the only use made of the HTTP transport is to distinguish between different services on the same host using the Host header and .well-known convention and for message framing. No use is made of the URI request line to identify commands, nor are the caching or proxy capabilities of HTTP made use of.

5.2.3. Request

The HTTP request MAY contain any valid HTTP header specified in [RFC7230].

Request Line URI

/well-known/<service> (unless overridden using a TXT path attribute)

Request Line Method

POST

Host: Header

<domain>

Content-Encoding

As specified in section yy below.

Content-Type

As specified in section zz below.

Content-Length or Transfer-Encoding

As specified in [RFC7230].

Payload

The content payload as specified in section XX below.

[No dump of the binding yet]

~~~~

5.2.4. Response

The response MAY contain any HTTP response header but since JWB services do not make use of HTTP caching and messages are not intended to be modified by HTTP intermediaries, only a limited number of headers have significance:

Response Code

The HTTP response code. This is processed as described in section zz below.

Content-Type

As specified in section zz below.

Content-Length or Transfer-Encoding

As specified in [RFC7230].

Cache-Control

Since the only valid HTTP method for a JWB request is POST, JWB responses are not cacheable. The use of the cache-control header is therefore unnecessary. However, experience suggests that reviewers find it easier to understand protocol specifications if they are reminded of the fact that caching is neither supported nor desired.

[No dump of the binding yet]

~~~~

5.3. DARE Message Encapsulation

The payload of the HTTP requests and responses is a DARE Message whose payload contains the Mesh Service request or response.

The DARE Message encapsulation is used to authenticate the request or response data. The form of the authentication depending on the credentials available to the sender at the time the request is made.

Mesh Service MUST support the use of Mutually Authenticated Key Exchange [draft-hallambaker-mesh-security] to establish the Master Key used for authentication of requests and responses.

Requests and Responses MUST be authenticated. Requests and Responses MUST be encrypted if the transport is not encrypted and MAY be encrypted otherwise.

5.3.1. Null Authentication

Null Authentication MAY be used to make a Hello Request.

The Null Authentication mechanism MUST NOT be used for any Mesh Service request or response other than a Hello request.

Since the Mutually Authenticated key exchange requires both parties to know the public key of the other, it is not possible for a client to authenticate itself to the service until it has obtained the service public key. One means by which the client MAY obtain the service public key is by requesting the service return the credential in a Hello transaction.

5.3.2. Device Authentication

Device Authentication is used in two circumstances

  • When requesting creation of an account
  • When a device is requesting connection to a profile.

5.3.3. Profile Authentication

Profile Authentication has the same form as Device Authentication except that the client provides its Device Connection Assertion as part of the request:

5.3.4. Ticket Authentication

Ticket Authentication is used after a device has obtained an authentication ticket from a service. The ticket is returned in the response to a previous Profile Authentication exchange.

5.4. Payload Encoding

The Dare Message payload of a Hello request MUST be encoded in JSON encoding. The payload of all other requests MUST be in either JSON encoding or one of the encodings advertised as being accepted in a Hello response from the Service. Services MUST accept JSON encoding and MAY support the JSON-B or JSON-C encodings as specified in this document. Services MUST generate a response that is compatible with the DARE Message Content-Type specified in the request.

JSON was originally developed to provide a serialization format for the JavaScript programming language [ECMA-262]. While this approach is generally applicable to the type systems of scripting programming languages, it is less well matched to the richer type systems of modern object oriented programming languages such as Java and C#.

Working within a subset of the capabilities of JSON allows a Web Service protocol to be accessed with equal ease from either platform type. The following capabilities of JSON are avoided:

The ability to use arbitrary strings as field names.

The use of JSON objects to define maps directly

The following data field types are used:

Integer

Integer values are encoded as JSON number values.

String

Test strings are encoded as JSON text strings.

Boolean

Boolean values are encoded as JSON 'false', 'true' or 'null' tokens according to value.

Sequence

Sequences of data items that are encoded as JSON arrays

Object of known type

Objects whose type is known to the receiver are encoded as JSON objects

Object of variable type

Objects whose type is not known to the receiver are encoded as JSON objects containing a single field whose name describes the type of the object value and whose value contains the value.

Binary Data

Byte sequences are converted to BASE64-url encoding [RFC4648] and encoded as JSON string values.

Date Time

Date Time values are converted to Internet time format as described in [RFC3339] and encoded as JSON string values.

5.5. Error handling and response codes

It is possible for an error to occur at any of the three layers in the Web Service binding:

Service Layer

HTTP Layer

Transport Layer

Services SHOULD always attempt to return error codes at the highest level possible. However, it is clearly impossible for a connection that is refused at the Transport layer to return an error code at the HTTP layer. It is however possible for a HTTP layer error response to contain a content body.

In the case that a response contains both a HTTP response code and a well-formed payload containing a response, the payload response SHALL have precedence.

6. Mesh Service Transactions

6.1. Service Description

The Hello transaction is used to determine the features supported by the service and obtain the service credentials

The request payload:

{
  "HelloRequest":{}}

The response payload:

{
  "MeshHelloResponse":{
    "Status":201,
    "Version":{
      "Major":3,
      "Minor":0,
      "Encodings":[{
          "ID":["application/json"
            ]}
        ]},
    "EnvelopedProfileService":[{
        "EnvelopeID":"MC33-WJWJ-I43A-NKBK-G2U5-BYEX-N3FF",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNQzMzLVdKV0otSTQz
  QS1OS0JLLUcyVTUtQllFWC1OM0ZGIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  VNlcnZpY2UiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIk
  NyZWF0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMVoifQ"},
      "ewogICJQcm9maWxlU2VydmljZSI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJl
  IjogewogICAgICAiVWRmIjogIk1DMzMtV0pXSi1JNDNBLU5LQkstRzJVNS1CWUVYL
  U4zRkYiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibG
  ljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICA
  gIlB1YmxpYyI6ICJpVFQwMl9NYmNkYkFndEtDVlZLTkdjby1EWXpsZnU4ZVJHS0dp
  Uk9RaGw5RWhlVmxBNEU0CiAgQTQwZWhHbXB4eEpxSV8tS01rZlphSm1BIn19fSwKI
  CAgICJTZXJ2aWNlRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQkJPLVdHSV
  EtS1RRWS1JQ1FOLTdGU1gtWU9TRy1ENlk1IiwKICAgICAgIlB1YmxpY1BhcmFtZXR
  lcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2
  IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJnbmNxSjZxV1pZa3d3cElPO
  HVpS1dZbEVOcmFSSFRERmtmVlJwM0hHUFNRcnIzZnZvblQ3CiAgcXlUTkFIb2ZudW
  t1UHJ4QlJwZHM1N2NBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MC33-WJWJ-I43A-NKBK-G2U5-BYEX-N3FF",
            "signature":"kFZ2XkGfZNy8TB2T_00mxvA6_JAn5-IdQvnjDPUu7o
  0pClb2E81AEGL-XOnpLbZzeW0PE7T9bpcArHVQXgEyfw5EL_CdYq-EFO887QOeLvs
  qqhV6avsNdEYZeurIb1rjyknp8099eZXtTLg7DTMSXj0A"}
          ],
        "PayloadDigest":"og05O4YE6JX9hWZGPTNAzp8d0XC5f8OopPY9SOCVp-
  thLjTdhwMLKyfZrF7twvB9tbe20t82IVYy3NjpVR06wQ"}
      ],
    "EnvelopedProfileHost":[{
        "EnvelopeID":"MDJK-IDLW-LLI2-W6HD-I6L5-CDSD-3ZDY",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNREpLLUlETFctTExJ
  Mi1XNkhELUk2TDUtQ0RTRC0zWkRZIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  Uhvc3QiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZW
  F0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMVoifQ"},
      "ewogICJQcm9maWxlSG9zdCI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIjog
  ewogICAgICAiVWRmIjogIk1ESkstSURMVy1MTEkyLVc2SEQtSTZMNS1DRFNELTNaR
  FkiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2
  V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICJoLXI3ZkdHMGpiVGtTRWlybktYR0lHTGtUTnNrUkswczYyejRuc1hJ
  NWtYXzAyMEs0cGRlCiAgckZRSXk3NktuVS0ydVpaUFNWcHd0WjZBIn19fSwKICAgI
  CJLZXlBdXRoZW50aWNhdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQk9YLTRERkEtVV
  g1TC1JTkRPLTVIQk8tQTRPNS1CRTNNIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnM
  iOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2Ijog
  Ilg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJzbzNLRnJLMjF2U1ZBVkZfVXNmb
  C1Lc2RtR3E2LTZudHVEWEhYTTBVM2JGdWlESDhTZjBhCiAgNHk5N181Q3YtcGJqNk
  5FSFZrc3QyeEVBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDJK-IDLW-LLI2-W6HD-I6L5-CDSD-3ZDY",
            "signature":"Cy7q1kvz_p7Za1hkTScHABlzSRWakAjWcNmr8Ck5eX
  ILQvXRKx4mK_UPG0qAOwKGl3STqiYFZ2WAgyvXQeCd0IjqTOEDDFQjktk4cbu27S6
  bl5qFLR7Q3M6c3pTGiYG0m4gEl4VshMFd37QrAZKuSzUA"}
          ],
        "PayloadDigest":"G3Cixcg3-7dTirgDfidEuffWAnQ5S9a6uz_oMyS6FT
  PkL3YhRHVIPIqR0qzSsbEqIVYpNtg5scLOXi3WhbN6Zg"}
      ]}}

6.2. Account Creation

6.2.1. Bind User Account

A User Account is bound to a Mesh Service by completing a BindAccount transaction with the service.

The BindRequest message specifies the account address and ProfileUser of the account to be serviced.

The BindAccount transaction is unique in that it can fail to complete for reasons that are outside the scope of the Mesh specifications. Creation of an account might require payment to be made or authentication of the user's credentials. It is thus quite normal for the result of a CreateRequest to be the account being created in an 'on hold' state which can only be changed out of band.

If the request is at least partially successful, a BindResponse message is returned. In the case of partial success, a description of the request status and link to a Web page providing further details MAY be returned.

The request payload:

{
  "HelloRequest":{}}

The response payload:

{
  "MeshHelloResponse":{
    "Status":201,
    "Version":{
      "Major":3,
      "Minor":0,
      "Encodings":[{
          "ID":["application/json"
            ]}
        ]},
    "EnvelopedProfileService":[{
        "EnvelopeID":"MC33-WJWJ-I43A-NKBK-G2U5-BYEX-N3FF",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNQzMzLVdKV0otSTQz
  QS1OS0JLLUcyVTUtQllFWC1OM0ZGIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  VNlcnZpY2UiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIk
  NyZWF0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMVoifQ"},
      "ewogICJQcm9maWxlU2VydmljZSI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJl
  IjogewogICAgICAiVWRmIjogIk1DMzMtV0pXSi1JNDNBLU5LQkstRzJVNS1CWUVYL
  U4zRkYiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibG
  ljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICA
  gIlB1YmxpYyI6ICJpVFQwMl9NYmNkYkFndEtDVlZLTkdjby1EWXpsZnU4ZVJHS0dp
  Uk9RaGw5RWhlVmxBNEU0CiAgQTQwZWhHbXB4eEpxSV8tS01rZlphSm1BIn19fSwKI
  CAgICJTZXJ2aWNlRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQkJPLVdHSV
  EtS1RRWS1JQ1FOLTdGU1gtWU9TRy1ENlk1IiwKICAgICAgIlB1YmxpY1BhcmFtZXR
  lcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2
  IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJnbmNxSjZxV1pZa3d3cElPO
  HVpS1dZbEVOcmFSSFRERmtmVlJwM0hHUFNRcnIzZnZvblQ3CiAgcXlUTkFIb2ZudW
  t1UHJ4QlJwZHM1N2NBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MC33-WJWJ-I43A-NKBK-G2U5-BYEX-N3FF",
            "signature":"kFZ2XkGfZNy8TB2T_00mxvA6_JAn5-IdQvnjDPUu7o
  0pClb2E81AEGL-XOnpLbZzeW0PE7T9bpcArHVQXgEyfw5EL_CdYq-EFO887QOeLvs
  qqhV6avsNdEYZeurIb1rjyknp8099eZXtTLg7DTMSXj0A"}
          ],
        "PayloadDigest":"og05O4YE6JX9hWZGPTNAzp8d0XC5f8OopPY9SOCVp-
  thLjTdhwMLKyfZrF7twvB9tbe20t82IVYy3NjpVR06wQ"}
      ],
    "EnvelopedProfileHost":[{
        "EnvelopeID":"MDJK-IDLW-LLI2-W6HD-I6L5-CDSD-3ZDY",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNREpLLUlETFctTExJ
  Mi1XNkhELUk2TDUtQ0RTRC0zWkRZIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  Uhvc3QiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZW
  F0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMVoifQ"},
      "ewogICJQcm9maWxlSG9zdCI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIjog
  ewogICAgICAiVWRmIjogIk1ESkstSURMVy1MTEkyLVc2SEQtSTZMNS1DRFNELTNaR
  FkiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2
  V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICJoLXI3ZkdHMGpiVGtTRWlybktYR0lHTGtUTnNrUkswczYyejRuc1hJ
  NWtYXzAyMEs0cGRlCiAgckZRSXk3NktuVS0ydVpaUFNWcHd0WjZBIn19fSwKICAgI
  CJLZXlBdXRoZW50aWNhdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQk9YLTRERkEtVV
  g1TC1JTkRPLTVIQk8tQTRPNS1CRTNNIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnM
  iOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2Ijog
  Ilg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJzbzNLRnJLMjF2U1ZBVkZfVXNmb
  C1Lc2RtR3E2LTZudHVEWEhYTTBVM2JGdWlESDhTZjBhCiAgNHk5N181Q3YtcGJqNk
  5FSFZrc3QyeEVBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDJK-IDLW-LLI2-W6HD-I6L5-CDSD-3ZDY",
            "signature":"Cy7q1kvz_p7Za1hkTScHABlzSRWakAjWcNmr8Ck5eX
  ILQvXRKx4mK_UPG0qAOwKGl3STqiYFZ2WAgyvXQeCd0IjqTOEDDFQjktk4cbu27S6
  bl5qFLR7Q3M6c3pTGiYG0m4gEl4VshMFd37QrAZKuSzUA"}
          ],
        "PayloadDigest":"G3Cixcg3-7dTirgDfidEuffWAnQ5S9a6uz_oMyS6FT
  PkL3YhRHVIPIqR0qzSsbEqIVYpNtg5scLOXi3WhbN6Zg"}
      ]}}

[Future: Consider converting this to a Messaging flow.]

6.2.2. Bind Group Account

Mesh Group Accounts are created in the same manner as user accounts except that a ProfileGroup is specified.

The request payload:

{
  "BindRequest":{
    "AccountAddress":"groupw@example.com",
    "EnvelopedProfileAccount":[{
        "EnvelopeID":"MDHE-QK2C-RQXN-5CJQ-QROJ-SDQA-XW26",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNREhFLVFLMkMtUlFY
  Ti01Q0pRLVFST0otU0RRQS1YVzI2IiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  Udyb3VwIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcm
  VhdGVkIjogIjIwMjAtMTEtMDJUMTc6NDE6MzdaIn0"},
      "ewogICJQcm9maWxlR3JvdXAiOiB7CiAgICAiUHJvZmlsZVNpZ25hdHVyZSI6
  IHsKICAgICAgIlVkZiI6ICJNREhFLVFLMkMtUlFYTi01Q0pRLVFST0otU0RRQS1YV
  zI2IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0
  tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJ
  QdWJsaWMiOiAiVVpXTDhDb1N3OHZoeW11QWtyNUNlWXBPTFpyNkJSVHpPSUg1dWZN
  cjBnb3h6UEFwcW9PagogIEFhejBrSWx4SjRfdUtQNWJCeElwejlLQSJ9fX0sCiAgI
  CAiQWNjb3VudEFkZHJlc3MiOiAiZ3JvdXB3QGV4YW1wbGUuY29tIiwKICAgICJBY2
  NvdW50RW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQ01DLTZHNU8tNklITi1
  IR05GLVdLR0MtRlJGTi1RQlEzIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7
  CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0N
  DgiLAogICAgICAgICAgIlB1YmxpYyI6ICJwYklwVVNVaGlTTlFzSkVhenZiWlVpWX
  lPRnl5eHUxb1l2cVE3MEZJcm1fRy1SOW5uSUc0CiAgd0NlVjRVTThsaHpRbnVrUVh
  ya2h2R2NBIn19fSwKICAgICJBZG1pbmlzdHJhdG9yU2lnbmF0dXJlIjogewogICAg
  ICAiVWRmIjogIk1ESEUtUUsyQy1SUVhOLTVDSlEtUVJPSi1TRFFBLVhXMjYiLAogI
  CAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESC
  I6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI
  6ICJVWldMOENvU3c4dmh5bXVBa3I1Q2VZcE9MWnI2QlJUek9JSDV1Zk1yMGdveHpQ
  QXBxb09qCiAgQWF6MGtJbHhKNF91S1A1YkJ4SXB6OUtBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDHE-QK2C-RQXN-5CJQ-QROJ-SDQA-XW26",
            "signature":"qp6CXsgAnElmlT1Gqmaqkij1t3VVjWBt034LtAaCcY
  GWc4xqxBOvSn2mrsXWRLH7ZkvzlOwKZc0A7KAORyZ3tFJc0KA6KqkqVTdr2R5VZ9x
  DKVgnu_bQbfzO6Vk0jrCkBetV7rXTFnvAVfcgXc7G4BMA"}
          ],
        "PayloadDigest":"plq9bhHRRSJDjoBM-A0stSibGswCs_oD3LV1uOYn3l
  pEm2Qa8Ehhrlji-382fepcXWkaTLvWFJg700espozplg"}
      ]}}

The response payload:

{
  "BindResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

6.2.3. Unbind Account

An account registration is deleted using theUnbindAccount transaction.

The request payload:

The response payload:

6.3. Persistence Store Management

All the state associated with a Mesh profile is stored as a sequence of DARE Messages in a Dare Container. The Mesh Service holding the master copy of the persistence stores and the devices connected to the profile containing complete copies (replicas) or partial copies (redactions).

Thus, the only primitive needed to achieve synchronization of the profile state are those required for synchronization of a DARE Container. These steps are:

  • Obtain the status of the catalogs and spools associated with the account.
  • Download catalog and spool updates
  • Upload catalog updates.

To ensure a satisfactory user experience, Mesh Messages are intentionally limited in size to 64 KB or less, thus ensuring that an application can retrieve the most recent 100 messages almost instantaneously on a high bandwidth connection and without undue delay on a slower one.

6.3.1. Status

The status transaction returns the status of the containers the device is authorized to access for the specified account together with the updated Device Connection Entry if this has been modified since the entry presented to authenticate the request was issued.

The request payload:

{
  "StatusRequest":{}}

The response payload:

{
  "StatusResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedProfileAccount":[{
        "EnvelopeID":"MCVI-2KFD-AQTG-FX4N-O4RN-5OIS-BH5E",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNQ1ZJLTJLRkQtQVFU
  Ry1GWDROLU80Uk4tNU9JUy1CSDVFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  VVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZW
  F0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMloifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIjog
  ewogICAgICAiVWRmIjogIk1DVkktMktGRC1BUVRHLUZYNE4tTzRSTi01T0lTLUJIN
  UUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2
  V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICI4dUZ1TmhjRHFhZXROVVY5S01YWnRHcXlQMWl1WWVYTE5uOVBDamR3
  dHVoZVFVcWJmblhGCiAgSXIzX2lxamt5SUw4VEcyS2JtcWZ2TUlBIn19fSwKICAgI
  CJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vydm
  ljZVVkZiI6ICJNQzMzLVdKV0otSTQzQS1OS0JLLUcyVTUtQllFWC1OM0ZGIiwKICA
  gICJBY2NvdW50RW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNRFlELUFEWlQt
  Q1JKRy1IT0lELUhHSUctQ0tMNC03TTJUIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlc
  nMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2Ij
  ogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJLelBFajNGOGpwc0lkLUpzV3F
  1SnktLTUydnRKLWFnNEtlVXdrZDhIeVpDeUNGc0gxYk5nCiAgR0xIUlJrN0ZkMzI0
  Q1d3N0dHUnJHRkdBIn19fSwKICAgICJBZG1pbmlzdHJhdG9yU2lnbmF0dXJlIjoge
  wogICAgICAiVWRmIjogIk1DVkktMktGRC1BUVRHLUZYNE4tTzRSTi01T0lTLUJINU
  UiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V
  5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1
  YmxpYyI6ICI4dUZ1TmhjRHFhZXROVVY5S01YWnRHcXlQMWl1WWVYTE5uOVBDamR3d
  HVoZVFVcWJmblhGCiAgSXIzX2lxamt5SUw4VEcyS2JtcWZ2TUlBIn19fSwKICAgIC
  JBY2NvdW50QXV0aGVudGljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTUFINS1GVFd
  QLTRDNEgtSU9EUS1KV1lJLUhJS1QtQVJPViIsCiAgICAgICJQdWJsaWNQYXJhbWV0
  ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNyd
  iI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiandZdWpLeTQ1Um1rTmNKan
  U1R0EzazdVRGRyem5xb1lrOGhFS2hZOV9zd1F4NnpTSE43SgogIDBLZjB6SENzOE9
  rMG5QMXRnQXRVdFBDQSJ9fX0sCiAgICAiQWNjb3VudFNpZ25hdHVyZSI6IHsKICAg
  ICAgIlVkZiI6ICJNQ1FDLU1EWlItM0hDTC1TVklVLTUzUU0tQlQ0RC1LN0ZFIiwKI
  CAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDRE
  giOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQdWJsaWM
  iOiAiYlhwa1F4UFBNbTE4UVBvN0JTSnk5alVEeHd6VW9hTnhVYnZMZ2V5SHpTTmRP
  SUFzbDZlOAogIDRaV0xIOE15VWVDLWVuSnBZMVUwRzJVQSJ9fX19fQ",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MCVI-2KFD-AQTG-FX4N-O4RN-5OIS-BH5E",
            "signature":"NAOTClRNF51SazbgbIJAdlLx8r4qwXSHr4rdeql-sw
  9fIb5fDsmW4jbG-DiKP0S5x8ax1Z6ao6sAYrjGGXrFFRFfgAB2lhC823Pu9uox30d
  vTIS0JSLM_IxOg9khTPLCBr22HUBhyyksvHMqH6zwwwwA"}
          ],
        "PayloadDigest":"CPW9V4gBCAv-rH-EkTtX8aOXZH4nJFkqSZtw84c94_
  FDWL-aetsptBePjOYqttZxnz7VP6KpnXSUfaqvGC9J2Q"}
      ],
    "ContainerStatus":[{
        "Container":"MMM_Inbound",
        "Index":3},
      {
        "Container":"MMM_Outbound",
        "Index":1},
      {
        "Container":"MMM_Local",
        "Index":2},
      {
        "Container":"MMM_Access",
        "Index":1},
      {
        "Container":"MMM_Credential",
        "Index":3},
      {
        "Container":"MMM_Device",
        "Index":3},
      {
        "Container":"MMM_Contact",
        "Index":2},
      {
        "Container":"MMM_Application",
        "Index":1},
      {
        "Container":"MMM_Bookmark",
        "Index":2},
      {
        "Container":"MMM_Task",
        "Index":2}
      ]}}

6.3.2. Download

The download transaction returns a collection of entries from one or more containers associated with the profile.

Optional filtering criteria MAY be specified to only return objects matching specific criteria and/or only return certain parts of the selected messages.

The service MAY limit the number of entries returned in an individual response for performance reasons.

Obsolete example 1

6.3.3. Conflict Detection

Clients SHOULD check to determine if updates to a container conflict with pending updates on the device waiting to be uploaded. For example, if a contact that the user modified on the device attempting to synchronize was subsequently deleted.

The means of resolving such conflicts is not in the scope of this specification.

6.3.4. Filtering

Clients may request container updates be filtered to redact catalog entries that have been updated or deleted or spool entries that have been read, deleted or were received before a certain date.

6.3.5. Transact

The transact transaction appends envelopes to one or more stores. The operation is atomic, that is either all the changes specified will be made to the stores or none will. This ensures that simultaneous attempts to update a store do not result in race conditions.

Each update to a catalog or container specifies the expected container index and apex digest. This provides a strong guarantee of consistency. The service MUST verify each update to check that the Merkle Tree values specified are consistent with the store entries and that the signature on the apex value (if specified) is valid and correct.

Services MAY impose limits on the size and number of additions performed in response to a TransactRequest message to ensure that processing time does not degrade performance for other users.

Obsolete example 2

6.4. Messaging

Mesh Messaging is an asynchronous messaging service that allows exchange of information between devices connected to a Mesh account and between Mesh users.

To enable effective abuse mitigation, Mesh Messaging enforces a four corner communication model in which all outbound and inbound messages pass through a Mesh Service which accredits and authorizes the messages on the user's behalf.

b s P S i o e B b o ' M P l c S M l c e A ' A B i s
Figure 2

The Post transaction is used for client-service and service-service messaging transactions.

Client-Service (Post Transaction)

To send a message, the client creates the Mesh Message structure, encapsulates it in a DARE Message and forwards this to its service using a Post transaction.

The Post transaction is authenticated to the service by device using the usual means of profile or ticket authentication.

The DARE Message MUST be signed under a device signature key accredited by a Device Connection Assertion provided in the message signature block.

The request payload:

{
  "ConnectRequest":{
    "EnvelopedRequestConnection":[{
        "EnvelopeID":"MDW7-EM2L-BHBZ-76DY-TLRJ-PYBG-MUL7",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJORDVCLVVINkgtT0tB
  RC1BM1o3LVJZWUwtN1NEQS02N1czIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWVzd
  ENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCi
  AgIkNyZWF0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOiAi
  TkQ1Qi1VSDZILU9LQUQtQTNaNy1SWVlMLTdTREEtNjdXMyIsCiAgICAiQXV0aGVud
  GljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlEIjogIk1DRUstTVlWUS
  1aSzNHLTdDRTQtWTVVVy1DS1Q0LUVGRTUiLAogICAgICAgICJkaWciOiAiUzUxMiI
  sCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKUkNJ
  NklDSk5RMFZMTFUxWlZsRXRXa3N6UnkwCiAgM1EwVTBMVmsxVlZjdFEwdFVOQzFGU
  mtVMUlpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxkbW
  xqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV04
  wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJd0xURXhMVEF5VkRFM09qUXhP
  ak15V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V3b
  2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNKVl
  pHWWlPaUFpVFVORlN5MU5XVlpSTFZwTE0wY3ROCiAgME5GTkMxWk5WVlhMVU5MVkR
  RdFJVWkZOU0lzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KICBn
  ZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0FnS
  UNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmliR2
  xqSWpvZ0ltWjFla1ZqYjI4NGMwdDNaR0ZLWVRkCiAgcVIzZGxiWEZJVkhCUmNHTmh
  RVGc0UzFCU01XZFlaR3gzTUdscWRVaEZNR2xEVEZZS0lDQjNVbUpIU1hGTE4KICBF
  dHVRbXh5TkRSVFpXcFZVazkwUjBFaWZYMTlMQW9nSUNBZ0lrSmhjMlZGYm1OeWVYQ
  jBhVzl1SWpvZ2V3bwogIGdJQ0FnSUNBaVZXUm1Jam9nSWsxQlRFc3RVbFpLTkMxTF
  ZrMVVMVkpOVFVRdFJUZElXUzFCUkZCR0xWZFJRCiAgMVlpTEFvZ0lDQWdJQ0FpVUh
  WaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzS0lDQWdJQ0FnSUNBaVVIVmliR2wKICBq
  UzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaVdEUTBPQ0lzQ
  2lBZ0lDQWdJQ0FnSQogIENBaVVIVmliR2xqSWpvZ0lsVjBhWHBmY1dJemVIQnhNWE
  JOVlRCcVVsUlhSbUY0VTIxRVRTMUpVRUk0VG1oCiAgUGVEWnhkekpMVXpkdVJXTnJ
  MVXg1UjFnS0lDQnFPVzB3WmxvelJYSkpXVFZ6VjJwR1NtRjZOeTEyTmtFaWYKICBY
  MTlMQW9nSUNBZ0lrSmhjMlZCZFhSb1pXNTBhV05oZEdsdmJpSTZJSHNLSUNBZ0lDQ
  WdJbFZrWmlJNklDSgogIE5RMU5hTFV4VlExTXRXamREUlMxRE1rTkxMVU5hTjFndF
  QxTTJXUzFKVlZJM0lpd0tJQ0FnSUNBZ0lsQjFZCiAgbXhwWTFCaGNtRnRaWFJsY25
  NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cFkwdGxlVVZEUkVnaU9pQjdDaUEKICBn
  SUNBZ0lDQWdJQ0FpWTNKMklqb2dJbGcwTkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxW
  W14cFl5STZJQ0ptTwogIFV0SU0xa3hjRnBRUldSVlpuUnBObU4xVEVSZmNVMWFRa3
  hPVGpsWVMyTlhZM1IyTUdnMFIycEpVWFJmVEVSCiAgUVNEVXRDaUFnU2twWGVISnR
  RMDk0ZDNOVlpIVnZkVFJQYmpKa1IzRkJJbjE5ZlN3S0lDQWdJQ0pDWVhObFUKICAy
  bG5ibUYwZFhKbElqb2dld29nSUNBZ0lDQWlWV1JtSWpvZ0lrMUNTVk10VkRNMFRTM
  URVbFF5TFRVeU5FVQogIHRUME5GVEMwMlZWRTJMVkpQTTBraUxBb2dJQ0FnSUNBaV
  VIVmliR2xqVUdGeVlXMWxkR1Z5Y3lJNklIc0tJCiAgQ0FnSUNBZ0lDQWlVSFZpYkd
  salMyVjVSVU5FU0NJNklIc0tJQ0FnSUNBZ0lDQWdJQ0pqY25ZaU9pQWlSV1EKICAw
  TkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxWW14cFl5STZJQ0pXYW5sbGVURjBaVEJoY
  1ROQlRqVlVORGRNVgogIGxvdE0xbFFhRW96ZDI4NWFreGplbE5PWVhkcldGUlNRbk
  5ZVjNSUmMxTmpDaUFnTlhsb2MwWmFNVTlOWjAxCiAgb09YQnllRVpFVVRsd1dWVkJ
  JbjE5ZlgxOSIsCiAgICAgIHsKICAgICAgICAic2lnbmF0dXJlcyI6IFt7CiAgICAg
  ICAgICAgICJhbGciOiAiUzUxMiIsCiAgICAgICAgICAgICJraWQiOiAiTUNFSy1NW
  VZRLVpLM0ctN0NFNC1ZNVVXLUNLVDQtRUZFNSIsCiAgICAgICAgICAgICJzaWduYX
  R1cmUiOiAiQ2NhWDYzTzZDd0E3ZXhTTVo0T2YtUE5kTTNTQ0lyN0otM1hNVWZfQXF
  NMmdKTldyeQogIHBfM012MzJ2dlFXUHhHcVUwZmdMUVVSc0xvQUFzT2ZaVUNtZ25D
  YXlBbTRFdDZtcFZDZjFEUl9OSkpfSS1kCiAgNHozRUFoemtwUmV1YTdkY203c1lQN
  HlJVDk3V05jUGhUaE92TmZ4d0EifV0sCiAgICAgICAgIlBheWxvYWREaWdlc3QiOi
  AiZldPZEFkWGZlRWl5ZEEteG4tZkNWSlJXcW04UmkyUUgzbUIyWHdUTkN4amMzCiA
  gVWh3OHlhWnVLYkRZQTBnZkZfVHdrMi1HQ3NldFBLc3ZnWmVuUEFzb1EifV0sCiAg
  ICAiQ2xpZW50Tm9uY2UiOiAiaEUxeFlzMVBGQjYzMzhGTEt0WlhMQSIsCiAgICAiQ
  WNjb3VudEFkZHJlc3MiOiAiYWxpY2VAZXhhbXBsZS5jb20ifX0"
      ]}}

The response payload:

{
  "ConnectResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAcknowledgeConnection":[{
        "EnvelopeID":"MDVL-XLOH-2F52-7QOD-OPC2-7MGO-FFAS",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJSUkhLLTI3UFEtWEpY
  TS1BSkQ1LTVZNjctREpaWi1LRUNIIiwKICAiTWVzc2FnZVR5cGUiOiAiQWNrbm93b
  GVkZ2VDb25uZWN0aW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3
  QiLAogICJDcmVhdGVkIjogIjIwMjAtMTEtMDJUMTc6NDE6MzJaIn0",
        "ContainerInfo":{
          "Index":1,
          "TreePosition":0},
        "Received":"2020-11-02T17:41:32Z"},
      "ewogICJBY2tub3dsZWRnZUNvbm5lY3Rpb24iOiB7CiAgICAiTWVzc2FnZUlk
  IjogIlJSSEstMjdQUS1YSlhNLUFKRDUtNVk2Ny1ESlpaLUtFQ0giLAogICAgIkVud
  mVsb3BlZFJlcXVlc3RDb25uZWN0aW9uIjogW3sKICAgICAgICAiRW52ZWxvcGVJRC
  I6ICJNRFc3LUVNMkwtQkhCWi03NkRZLVRMUkotUFlCRy1NVUw3IiwKICAgICAgICA
  iQ29udGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpSQ0k2SUNKT1JEVkNM
  VlZJTmtndFQwdEJSQzEKICBCTTFvM0xWSlpXVXd0TjFORVFTMDJOMWN6SWl3S0lDQ
  WlUV1Z6YzJGblpWUjVjR1VpT2lBaVVtVnhkV1Z6ZAogIEVOdmJtNWxZM1JwYjI0aU
  xBb2dJQ0pqZEhraU9pQWlZWEJ3YkdsallYUnBiMjR2YlcxdEwyOWlhbVZqZENJCiA
  gc0NpQWdJa055WldGMFpXUWlPaUFpTWpBeU1DMHhNUzB3TWxReE56bzBNVG96TWxv
  aWZRIn0sCiAgICAgICJld29nSUNKU1pYRjFaWE4wUTI5dWJtVmpkR2x2YmlJNklIc
  0tJQ0FnSUNKCiAgTlpYTnpZV2RsU1dRaU9pQWlUa1ExUWkxVlNEWklMVTlMUVVRdF
  FUTmFOeTFTV1ZsTUxUZFRSRUV0TmpkWE0KICB5SXNDaUFnSUNBaVFYVjBhR1Z1ZEd
  sallYUmxaRVJoZEdFaU9pQmJld29nSUNBZ0lDQWdJQ0pGYm5abGJHOQogIHdaVWxF
  SWpvZ0lrMURSVXN0VFZsV1VTMWFTek5ITFRkRFJUUXRXVFZWVnkxRFMxUTBMVVZHU
  lRVaUxBb2dJCiAgQ0FnSUNBZ0lDSmthV2NpT2lBaVV6VXhNaUlzQ2lBZ0lDQWdJQ0
  FnSWtOdmJuUmxiblJOWlhSaFJHRjBZU0kKICA2SUNKbGQyOW5TVU5LVm1KdGJIaGt
  WMVpLVWtOSk5rbERTazVSTUZaTVRGVXhXbFpzUlhSWGEzTjZVbmt3QwogIGlBZ00x
  RXdWVEJNVm1zeFZsWmpkRkV3ZEZWT1F6RkdVbXRWTVVscGQwdEpRMEZwVkZkV2VtT
  XlSbTVhVmxJCiAgMVkwZFZhVTlwUVdsVlNFcDJXbTFzYzFvS0lDQlZVbXhrYld4cV
  dsTkpjME5wUVdkSmJVNHdaVk5KTmtsRFMKICBtaGpTRUp6WVZkT2FHUkhiSFppYVR
  sMFlsY3dkbUl5U25GYVYwNHdTV2wzUzBsRFFRb2dJR2xSTTBwc1dWaAogIFNiRnBE
  U1RaSlEwbDVUVVJKZDB4VVJYaE1WRUY1VmtSRk0wOXFVWGhQYWsxNVYybEtPU0o5T
  EFvZ0lDQWdJCiAgQ0FpWlhkdlowbERTbEZqYlRsdFlWZDRiRkpIVmpKaFYwNXNTV3
  B2WjJWM2IyZEpRMEZuU1d4Q2VXSXlXZ28KICBnSUhCaVIxWlVZVmRrZFZsWVVqRmp
  iVlZwVDJsQ04wTnBRV2RKUTBGblNVTktWbHBIV1dsUGFVRnBWRlZPUgogIGxONU1V
  NVhWbHBTVEZad1RFMHdZM1JPQ2lBZ01FNUdUa014V2s1V1ZsaE1WVTVNVmtSUmRGS
  lZXa1pPVTBsCiAgelEybEJaMGxEUVdkSlEwcFJaRmRLYzJGWFRsRlpXRXBvWWxkV0
  1GcFlTbnBKYW04S0lDQm5aWGR2WjBsRFEKICBXZEpRMEZuU1VOS1VXUlhTbk5oVjA
  1TVdsaHNSbEV3VWtsSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbAogIHRUbmxr
  YVVrMlNRb2dJRU5LUmxwRVVUQlBRMGx6UTJsQlowbERRV2RKUTBGblNVTkJhVlZJV
  m1saVIyeHFTCiAgV3B2WjBsdFdqRmxhMVpxWWpJNE5HTXdkRE5hUjBaTFdWUmtDaU
  FnY1ZJelpHeGlXRVpKVmtoQ1VtTkhUbWgKICBSVkdjMFV6RkNVMDFYWkZsYVIzZ3p
  UVWRzY1dSVmFFWk5SMnhFVkVaWlMwbERRak5WYlVwSVUxaEdURTRLSQogIENCRmRI
  VlJiWGg1VGtSU1ZGcFhjRlpWYXprd1VqQkZhV1pZTVRsTVFXOW5TVU5CWjBsclNta
  GpNbFpHWW0xCiAgT2VXVllRakJoVnpsMVNXcHZaMlYzYndvZ0lHZEpRMEZuU1VOQm
  FWWlhVbTFKYW05blNXc3hRbFJGYzNSVmIKICBGcExUa014VEZack1WVk1Wa3BPVkZ
  WUmRGSlVaRWxYVXpGQ1VrWkNSMHhXWkZKUkNpQWdNVmxwVEVGdlowbAogIERRV2RK
  UTBGcFZVaFdhV0pIYkdwVlIwWjVXVmN4YkdSSFZubGplVWsyU1VoelMwbERRV2RKU
  TBGblNVTkJhCiAgVlZJVm1saVIyd0tJQ0JxVXpKV05WSlZUa1ZUUTBrMlNVaHpTMG
  xEUVdkSlEwRm5TVU5CWjBsRFNtcGpibGwKICBwVDJsQmFWZEVVVEJQUTBselEybEJ
  aMGxEUVdkSlEwRm5TUW9nSUVOQmFWVklWbWxpUjJ4cVNXcHZaMGxzVgogIGpCaFdI
  Qm1ZMWRKZW1WSVFuaE5XRUpPVmxSQ2NWVnNVbGhTYlVZMFZUSXhSVlJUTVVwVlJVa
  zBWRzFvQ2lBCiAgZ1VHVkVXbmhrZWtwTVZYcGtkVkpYVG5KTVZYZzFVakZuUzBsRF
  FuRlBWekIzV214dmVsSllTa3BYVkZaNlYKICBqSndSMU50UmpaT2VURXlUbXRGYVd
  ZS0lDQllNVGxNUVc5blNVTkJaMGxyU21oak1sWkNaRmhTYjFwWE5UQgogIGhWMDVv
  WkVkc2RtSnBTVFpKU0hOTFNVTkJaMGxEUVdkSmJGWnJXbWxKTmtsRFNnb2dJRTVST
  VU1aFRGVjRWCiAgbEV4VFhSWGFtUkVVbE14UkUxclRreE1WVTVoVGpGbmRGUXhUVE
  pYVXpGS1ZsWkpNMGxwZDB0SlEwRm5TVU4KICBCWjBsc1FqRlpDaUFnYlhod1dURkN
  hR050Um5SYVdGSnNZMjVOYVU5cFFqZERhVUZuU1VOQlowbERRV2RKYgogIEVJeFdX
  MTRjRmt3ZEd4bFZWWkVVa1ZuYVU5cFFqZERhVUVLSUNCblNVTkJaMGxEUVdkSlEwR
  nBXVE5LTWtsCiAgcWIyZEpiR2N3VGtSbmFVeEJiMmRKUTBGblNVTkJaMGxEUVdkSm
  JFSXhXVzE0Y0ZsNVNUWkpRMHB0VHdvZ0kKICBGVjBTVTB4YTNoalJuQlJVbGRTVmx
  wdVVuQk9iVTR4VkVWU1ptTlZNV0ZSYTNoUFZHcHNXVk15VGxoWk0xSQogIHlUVWRu
  TUZJeWNFcFZXRkptVkVWU0NpQWdVVk5FVlhSRGFVRm5VMnR3V0dWSVNuUlJNRGswW
  kROT1ZscElWCiAgblprVkZKUVltcEthMUl6UmtKSmJqRTVabE4zUzBsRFFXZEpRMH
  BEV1ZoT2JGVUtJQ0F5Ykc1aWJVWXdaRmgKICBLYkVscWIyZGxkMjluU1VOQlowbER
  RV2xXVjFKdFNXcHZaMGxyTVVOVFZrMTBWa1JOTUZSVE1VUlZiRkY1VAogIEZSVmVV
  NUZWUW9nSUhSVU1FNUdWRU13TWxaV1JUSk1Wa3BRVFRCcmFVeEJiMmRKUTBGblNVT
  kJhVlZJVm1sCiAgaVIyeHFWVWRHZVZsWE1XeGtSMVo1WTNsSk5rbEljMHRKQ2lBZ1
  EwRm5TVU5CWjBsRFFXbFZTRlpwWWtkc2EKICBsTXlWalZTVlU1RlUwTkpOa2xJYzB
  0SlEwRm5TVU5CWjBsRFFXZEpRMHBxWTI1WmFVOXBRV2xTVjFFS0lDQQogIHdUa1Ju
  YVV4QmIyZEpRMEZuU1VOQlowbERRV2RKYkVJeFdXMTRjRmw1U1RaSlEwcFhZVzVzY
  kdWVVJqQmFWCiAgRUpvWTFST1FsUnFWbFZPUkdSTlZnb2dJR3h2ZEUweGJGRmhSVz
  k2WkRJNE5XRnJlR3BsYkU1UFdWaGtjbGQKICBHVWxOUmJrNVpWak5TVW1NeFRtcER
  hVUZuVGxoc2IyTXdXbUZOVlRsT1dqQXhDaUFnYjA5WVFubGxSVnBGVgogIFZSc2Qx
  ZFdWa0pKYmpFNVpsZ3hPU0lzQ2lBZ0lDQWdJSHNLSUNBZ0lDQWdJQ0FpYzJsbmJtR
  jBkWEpsY3lJCiAgNklGdDdDaUFnSUNBZ0lDQWdJQ0FnSUNKaGJHY2lPaUFpVXpVeE
  1pSXNDaUFnSUNBZ0lDQWdJQ0FnSUNKcmEKICBXUWlPaUFpVFVORlN5MU5XVlpSTFZ
  wTE0wY3ROME5GTkMxWk5WVlhMVU5MVkRRdFJVWkZOU0lzQ2lBZ0lDQQogIGdJQ0Fn
  SUNBZ0lDSnphV2R1WVhSMWNtVWlPaUFpUTJOaFdEWXpUelpEZDBFM1pYaFRUVm8wV
  DJZdFVFNWtUCiAgVE5UUTBseU4wb3RNMWhOVldaZlFYRk5NbWRLVGxkeWVRb2dJSE
  JmTTAxMk16SjJkbEZYVUhoSGNWVXdabWQKICBNVVZWU2MweHZRVUZ6VDJaYVZVTnR
  aMjVEWVhsQmJUUkZkRFp0Y0ZaRFpqRkVVbDlPU2twZlNTMWtDaUFnTgogIEhvelJV
  Rm9lbXR3VW1WMVlUZGtZMjAzYzFsUU5IbEpWRGszVjA1alVHaFVhRTkyVG1aNGQwR
  WlmVjBzQ2lBCiAgZ0lDQWdJQ0FnSWxCaGVXeHZZV1JFYVdkbGMzUWlPaUFpWmxkUF
  pFRmtXR1psUldsNVpFRXRlRzR0WmtOV1MKICBsSlhjVzA0VW1reVVVZ3piVUl5V0h
  kVVRrTjRhbU16Q2lBZ1ZXaDNPSGxoV25WTFlrUlpRVEJuWmtaZlZIZAogIHJNaTFI
  UTNObGRGQkxjM1puV21WdVVFRnpiMUVpZlYwc0NpQWdJQ0FpUTJ4cFpXNTBUbTl1W
  TJVaU9pQWlhCiAgRVV4ZUZsek1WQkdRall6TXpoR1RFdDBXbGhNUVNJc0NpQWdJQ0
  FpUVdOamIzVnVkRUZrWkhKbGMzTWlPaUEKICBpWVd4cFkyVkFaWGhoYlhCc1pTNWp
  iMjBpZlgwIl0sCiAgICAiU2VydmVyTm9uY2UiOiAiVGw0NXozMkN2OFZzVTByMTA2
  b2xNdyIsCiAgICAiV2l0bmVzcyI6ICJSUkhLLTI3UFEtWEpYTS1BSkQ1LTVZNjctR
  EpaWi1LRUNIIn19",
      {}
      ],
    "EnvelopedProfileAccount":[{
        "EnvelopeID":"MCVI-2KFD-AQTG-FX4N-O4RN-5OIS-BH5E",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNQ1ZJLTJLRkQtQVFU
  Ry1GWDROLU80Uk4tNU9JUy1CSDVFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  VVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZW
  F0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMloifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIjog
  ewogICAgICAiVWRmIjogIk1DVkktMktGRC1BUVRHLUZYNE4tTzRSTi01T0lTLUJIN
  UUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2
  V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICI4dUZ1TmhjRHFhZXROVVY5S01YWnRHcXlQMWl1WWVYTE5uOVBDamR3
  dHVoZVFVcWJmblhGCiAgSXIzX2lxamt5SUw4VEcyS2JtcWZ2TUlBIn19fSwKICAgI
  CJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vydm
  ljZVVkZiI6ICJNQzMzLVdKV0otSTQzQS1OS0JLLUcyVTUtQllFWC1OM0ZGIiwKICA
  gICJBY2NvdW50RW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNRFlELUFEWlQt
  Q1JKRy1IT0lELUhHSUctQ0tMNC03TTJUIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlc
  nMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2Ij
  ogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJLelBFajNGOGpwc0lkLUpzV3F
  1SnktLTUydnRKLWFnNEtlVXdrZDhIeVpDeUNGc0gxYk5nCiAgR0xIUlJrN0ZkMzI0
  Q1d3N0dHUnJHRkdBIn19fSwKICAgICJBZG1pbmlzdHJhdG9yU2lnbmF0dXJlIjoge
  wogICAgICAiVWRmIjogIk1DVkktMktGRC1BUVRHLUZYNE4tTzRSTi01T0lTLUJINU
  UiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V
  5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1
  YmxpYyI6ICI4dUZ1TmhjRHFhZXROVVY5S01YWnRHcXlQMWl1WWVYTE5uOVBDamR3d
  HVoZVFVcWJmblhGCiAgSXIzX2lxamt5SUw4VEcyS2JtcWZ2TUlBIn19fSwKICAgIC
  JBY2NvdW50QXV0aGVudGljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTUFINS1GVFd
  QLTRDNEgtSU9EUS1KV1lJLUhJS1QtQVJPViIsCiAgICAgICJQdWJsaWNQYXJhbWV0
  ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNyd
  iI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiandZdWpLeTQ1Um1rTmNKan
  U1R0EzazdVRGRyem5xb1lrOGhFS2hZOV9zd1F4NnpTSE43SgogIDBLZjB6SENzOE9
  rMG5QMXRnQXRVdFBDQSJ9fX0sCiAgICAiQWNjb3VudFNpZ25hdHVyZSI6IHsKICAg
  ICAgIlVkZiI6ICJNQ1FDLU1EWlItM0hDTC1TVklVLTUzUU0tQlQ0RC1LN0ZFIiwKI
  CAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDRE
  giOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQdWJsaWM
  iOiAiYlhwa1F4UFBNbTE4UVBvN0JTSnk5alVEeHd6VW9hTnhVYnZMZ2V5SHpTTmRP
  SUFzbDZlOAogIDRaV0xIOE15VWVDLWVuSnBZMVUwRzJVQSJ9fX19fQ",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MCVI-2KFD-AQTG-FX4N-O4RN-5OIS-BH5E",
            "signature":"NAOTClRNF51SazbgbIJAdlLx8r4qwXSHr4rdeql-sw
  9fIb5fDsmW4jbG-DiKP0S5x8ax1Z6ao6sAYrjGGXrFFRFfgAB2lhC823Pu9uox30d
  vTIS0JSLM_IxOg9khTPLCBr22HUBhyyksvHMqH6zwwwwA"}
          ],
        "PayloadDigest":"CPW9V4gBCAv-rH-EkTtX8aOXZH4nJFkqSZtw84c94_
  FDWL-aetsptBePjOYqttZxnz7VP6KpnXSUfaqvGC9J2Q"}
      ]}}

Service-Service (Post Transaction)

The Mesh Service receiving the message from the user's device MAY attempt immediate retransmission or queue it to be sent at a future time. Mesh Services SHOULD forward messages without undue delay.

The Post transaction forwarding the message to the destination service carries the same payload as the original request but is authenticated by the service forwarding it. This authentication MAY be my means of either profile or ticket authentication.

Missing example 33

Denial of Service Mitigation

Services SHOULD implement Denial of Service mitigation strategies including limiting the maximum time taken to complete a transaction and refusing connections from clients that engage in patterns of behavior consistent with abuse.

The limitation in message size allows Mesh Services to aggressively time out connections that take too long to complete a transaction. A Mesh Service that hosted on a 10Mb/s link should be able to transfer 20 messages a second. If the service is taking more than 5 seconds to complete a transaction, either the source or the destination service is overloaded or the message itself is an attack.

Imposing hard constraints on Mesh Service performance requires deployments to scale and apply resources appropriately. If a service is attempting to transfer 100 messages simultaneously and 40% are taking 4 seconds or more, this indicates that the number of simultaneous transfers being attempted should be reduced. Contrawise, if 90% are completinin less than a second, the number of threads allocated to sending outbound messages might be increased.

Access Control

The inbound service MUST subject inbound messages to Access Control according to the credentials presented in the DARE Message payload.

After verifying the signature and checking that the key is properly accredited in accordance with site policy, the service applies authorization controls taking account of:

  • The accreditation of the sender
  • The accreditation of the transmitting Service
  • The type of Mesh Message being sent
  • User policy as specified in their Contact Catalog
  • Site policy.

Service-Client (Synchronization)

The final recipient receives the message by synchronizing their device. The message received will be appended to the inbound spool.

6.5. Publication

The Publication mechanism allows content to be published through a Mesh Account and retrieved by means of the EARL mechanism described in Uniform Data Fingerprint [draft-hallambaker-mesh-udf]. This mechanism is used in certain flows supported by the Mesh Device Connection and Contact Exchange functions.

Content is published by appending an entry to an account's Publication spool. The content may then be retrieved by issuing a claim to the account specifying the publication identifier that is authenticated under the value specified in the EARL.

Use of the Publication spool to post content necessarily requires that the content be smaller than the maximum message size imposed by the Mesh Service so that it can be uploaded to the service by means of a Transact transaction.

Publication of large data items will require modification of the protocol to support use of a detached message body. Transfer of a detached message body is outside the scope of this document.

6.5.1. Claim

The Claim Transaction is used to obtain the publication from the service. The claim request contains a MessageClaim signed by the party requesting the device. This in turn contains a proof of knowledge of the authentication PIN that can be verified by the content creator and a proof of knowledge of the authentication PIN that can be verified by the service.

The request payload:

The response payload:

6.5.2. Poll Claim

The static device connection protocol allows a device connected to an account to retrieve the latest claim made for a particular publication. This is used in the device connection protocol.

The device polling the service specifies the identifier of the publication it is attempting to obtain the claim for.

The request payload:

{
  "TransactRequest":{
    "Updates":[{
        "Container":"MMM_Device",
        "Envelopes":[[{
              "enc":"A256CBC",
              "kid":"EBQK-SYQV-OFWW-GELI-2ADO-UIQR-5RSK",
              "Salt":"ClY0vt4W_qvD-TvvrQJ39Q",
              "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNQk5KLTNQTk
  ctTlVCQS1LMlVJLTRNQlgtTURTSS1WUkJGIiwKICAiRXZlbnQiOiAiTmV3In0",
              "ContainerInfo":{
                "Index":2,
                "TreePosition":845}},
            "65M_sy0xZ9WEPwSBH57Cd86ZG0DjNeAMANrQv14_Ndvz0lL5K2vkSF
  hJkEJ5o5Dv7slP2A1dksSqw9keNhWm1XRVNZTyhQRV20GNFd8nofQwauTdY_oGK5K
  9tjsy-a9764KKNmt31xuYJEoXGDf0nODX7rK2BV5_xrpzzLGvguWN3DtVx5prHBUR
  8AScuv9h7EZ1eodDrdRMFr_aLIkmxabfpFCRy7HGEPOdN-MUf3f3jEsBHIXdRVEMA
  FzuWHRsrfbz6O0ub3MrHi9Z-U_PZQOALIPYWwJLdhyzqKE_UwU1YkQW_IoIYkHy1u
  SYMpsnABs_bVFTdNWVrrET6BoXEaPS9lGRH1qmSaMMg8JVa6w53IpU8laWD3A7H4f
  w1G82pGUmNq21J0-rrPEuE6VW1Z6ndlvyKmGvaj6bstQq1PKn_I_esK5IIzqzkcDw
  MppXj4XXucXv6X8HZZn5DUlIAZVZNT7du-F7sc427Pyt3imsX0sIuvhcEBHY7FUm7
  mH8_CafH0eEkPqimgY4zzYe4-G9Yj7Vs1iMyAM_d3yJFiyXdcCbhHDd1edD2SpzyE
  HXWtUjR_u7abu4mc2h1cFS9kHhQYSqolOb7a9TJEteWxx-euUbCKhmr3o0xSH36zs
  Zm_ALY0VyMqNeK3WVGdXAaph_H_XvoJ-ykb73q2njTJMa0sN5MhJ6-h8fX5zV8mEi
  9UNMcyll_LEk1NJn9_gdEHqAzbKn2K8DCnRU7u-f_c_R_kUDbYCu_75DLrEAclw0R
  Xx4jSurHkFzG220zsZYuakI4sI1y2IqmAcKgMBrWXL_MHs0xi694X7Y0D6dDZeQ67
  q7XADKYnMPZ-TWYlXkjo4v9HyX06VTzujNVp9nkF6W0LOBeOHnIaA_jJj3d6Z-yA2
  8Apfwl7uTicltUzuOp1eEzBJc-znugDKqGSG5OapGlYs4JPpEv1uu9tHeU02RA529
  cwVhMhiNJKZhc1SJcv2q6CieVlyOdE6veauLoT6KcuxOcuPDfsunUiT_TXob1YxBT
  qbFg9BOyNGonkBppLSNiEM_WDIwgX9CSfZPzeTwQlnk3bIqdS5XBHiXRsTAFqmco-
  2kfEwH2F8XCaIBbnjgYMI1kjc9ltiht3oFheqETuDNhVlqcItqpFH266tWEJXw_AN
  YYurj_iz_VBpxqkhI6AlqIlZnWDxk1w0OqbDxf9p8KLjZBSvzqzuyznzJu0rkvHza
  _2fE_j--iGrWrLANfyPIg7YW1KfW74N-A_fbA5iuMTENCK3zwOtWEHexXxp4mnE4l
  gtOJwuOTuSgD8KplcNlEsIs9gs9aQ_1-RLlEQs9tX7m2LJMFuvZb5zsLFURE1Jz6X
  U_qhgsVwZpUoxkZmwY4vm3vGIKEztlWgYVuT4NlP0XJbrx_Ji1hfMKI2Vx7bum3mV
  -Lqt5D7CrMXhotG7mN103uOe0LhRMvyJM9cDLfyahOKQzG9smBMYCDLPAmwGlTVj3
  _MoZ28aC8z0lSJSC3kCVit2zHQfETgkSS2vXwfWb8D_yUqJ49KLdmCX6-01NtgDZi
  ERHIMRB70Rp9sk_s-s0g_qyqImFCvt8QOq_JsiSXFFKNy6CMqegcobr6WnyxNupiU
  pkHUr0jI2EKCmmDXeEPgssUALJmNpuy-blspldASzxnFuFecJbV-tS9H-EA64DFPJ
  RE0_DLalxboe4U9dYVbnH_HgeJd62IQyI4A1eWgD5YQkDbrdmTAFamZU2C38ikP47
  4HnIR7WfpccKXUu8dvv7Nm8DF4bCvPcckWWR3_QM8An6sKKSHUXYNeP68_cfL7oNz
  1MPx19veR0B0KXt2wuMcypwlXJEzOwLQi-mxrz04VAo3lSoruJG62NeemXsnX1jpg
  C3GghGBQ_mgCCQoePVK1IizYL5eM-1TEuBkg39u7Ah9trzMbX_-tyKnXCTPX2KJH2
  2-j_aNU1bbnHcUf6jw4R00So4822C_FTW52ZX8mVcVu9Rz0AwARqyhN37edfe0Jed
  WGsHc4eT0v2CkhURsBZ4Jmq8w_UOzU99fZhs-FwySvV9nXOcPySZYTa_gcsj5ss6h
  iQAkXdEWPkyfn1SDoBvA9pHYWoXpaeKpd6TwK8bND7BP8CEPGsNVjASDXH9-BDZRe
  PV2xFxTHAU-jcZhSDf3t5z_YEN1XUCgFiReNJSo1QLdFKYL3yqLLz3kybKQfLmCpz
  XI0JpqZyHGM6vIFeWMJeQnnoXFeQdHthUcKhOiEKn7vAvUDt9UvKEVrQbuLR9QNXz
  WPy6MTswz52cTK1rTpqcuJ-tmWQPJGZlnmQln2WGdfcK9wVhvWK7hBxfMPO798sp9
  hfPh34tTTWedgX8pGFmm5wZhytyWjSkQcpKLXkopMeVorg6vEjkVIOJrz7SYuQPi_
  6uxXu9HGcHdwrvYIp1fBUtlHtDaTxoS2kaVrnlDrCsSDDw8jp2sLJEooZsaSLuFbt
  Q9FGfPHB7Kfoba2wv_nXnJiY61TDj-1B78f-p9N98parqaX71_hO8_-AdRruBnoDf
  ITdmmUJfqo1Tamp3GyGEhGQEzbq9E2H6x1GnnSrvmSdOJKV6JteDfmyzPp8DAXnc6
  cA-oV6x_rq6ATHg1s9eFyU93BCz2HSJU8Agn2n76UZJR8J6p4TKsgh4p0dxw2LcTg
  NAdzoln_MSt7yjMmIs-9vHPoo6x24hV12DKenmy-G6GyheSAOfGPJqWRIybQLORp_
  -lw5CCn3xwgoy9guu4HTkJjlidxJPMm3UQfClWIqDVA20iRZReNRsUhJceh0ZgnWf
  -sKlMm9GsHvYJJmFE8HwlldZLiiPtqX4IopSC76MATM-ihkSUTQ515RsFV9BEGXGG
  7swYn_hKQPAJnpuyeAcegQP2gV8EujP0s-ke9nwOImR-AEMFMAPK0pEMr5RjP5GdF
  ie-D8Xt9j9XtYRJhkhSdZ8yOg8hwnw46n3icUVlYQqKP6LOB-2k6H4v5mG64tp3Ij
  7EFQ7xVdz-q9J7OXDaQ0fiwiC3QXlRKh_ogJEUzOAwGYgzMlsRbRwFVeBCO2fG8PA
  0fvxXCscJR7gT7HtDWOMAXOFhMfKQweQwKKianf7YD0DuHvJ1tr9SOF5DKQNyswSJ
  u1ow6-ZeLBj2gSLKV5XCAr8-ffJToEACuKTy7Y7m0joyyAk9BuN8kw1xth2xfU6-0
  pROoQkF-diciab4T3Y8yQuxyxnSm2j_ckG9Tjh1FSim57nq1C48DJLo0oc7gOAPID
  6ZpoG_o45L8lui8pQDq2gPWr50L9FHtKCwhgGw8xMsR-dVQUazHFF_xl90aCfpPnh
  HH7ZaoVIswayE0LoK0oixCpmA2s_cwtVcc6ihYcovIq2x7ZQy0WF0dstEfthGtfap
  HYjXT05lQ3XEoIEEmcwbra_2D47bSw94_ohq0JrBNkAVDzr3zJiI0armVggmLWMxV
  zcZBXLSAUGo6GN0ecUCsQUsaVXP7vb2m5lNE4tA0W9stXnqcXiW4rd2fETu6XTOMU
  9ZKx18K1pEI7WxQRtSYCKZNv6d49SYSgQw4R_Ojz3Trtax2k3qPA_6LBA4HIbPTOY
  D-4LRwwpoDd4x3ExAq429AASyyMBx3Hn4Ot-aISnTvfyq4W8-KQgsuUuxPgXjkQ_W
  1rCGv_4bRtJTvtgcYXV5247YRKVjdMAjtrwO2cfGJMLniyevHw4ieO0bd4HXRWcqk
  Q93r1s7IGPtu0W99dguuEEMG5aB1q36szsbZMFVZh8rD9d3SGU2icA5Xn1gDWym-8
  hZcwlKGh5bBg8xCsvTK0oBkqPkTDJteuXANdCgwOWG52Mtp6sRtBIqUmspwNCvikh
  _4c-DHWt-xMEN28Fe3J8H1dZFCV3tWhOdW9nLavRKDKatntMdeBYozxqhFrEx0H1e
  ICJ935vFothS3XL6rkE89LIhoFQD_8gi-BNc8YNwB3FOXWu110CZITFcsHg7Xivzp
  fqhGvylNR7k-z157Gue3OaqUlmCbrBaqLrKv_20AT-ZlUWJ2n1t-DVlNREUC1DYTV
  sgjbdtkLda6ZhwX9jaUA0kJDfE9sPGikDnElg2mjwiiCd55dAXKB8QTlRwYkrNxr7
  N8x5QqWhQSUGIkRQbHKcra2svARmW8HOJDKk4wJn6lk1Q2TCsWjChzjjLA8rwSc6u
  ga_6t7soye5iII3ZwgLlj8t6x8fj0x4CNIdN9uGtOzr6OgyYiuAdKSengLwSWDWXL
  53nXl-y88ME4g68lsQvV_SLSjxSiEA_6wujlX976SEI6QsTkoCKDXe9hfPwZ2n4wd
  O8Ys0vstDjQcDYaBh1yYxn8ND52W0oIjseGgpJqAIm-1gP1iFJRr4fIRTJKYZy0t2
  c8zmYrAG61MLkE9IStJo2dXgvdkdKIVXMoYDzvBdIsjxF5IuBMZkrdR48OZ4qFMH3
  tKARrmbNDvXqjrzk1-RvLdhT2tYPitPwLpweS58Fqgp-puRF6fCZDZsKEVQH5JfMK
  nhLAfFRnVc3Qv2HNbQvQYbTCj49d8vKu2V8QRzxRp48-cOxph8XvA0Zzme2xQjSmO
  ZcEZ_n8EcAyzQUKal-d5b3CMAYsJHGSJNVXp7nS7G3ZidXcqnrOqIXGo0xnyoiJYC
  l2nCliqEJw4epjFvE0aRow6g_TXAZuvD2B_mv1PrMrLRf7RUVn-t0KxOPOqo115gV
  us8XGaa7ehLldoFdwiMoDzqu7wxG0MgiFKbT62F-B2gI5GrpoOY-a4GzuJnuvr64A
  9L5TPHnYB5pV107yvM_UaElLolPkczhx-CBqSUBa23mpLYPFweKW4-Tgw9q1FicD3
  FKQxwb9kndIbaHYPHmcmqRgDtWwcbwoAsXiPCKCtI4qOVEvS62xa9nwBtCzAWyKlz
  cvYuN7BuQbnh54Tv5u_eXsf9E-56xfzUYfDqie6RG_TE2Lg8gQJdjH4NMS6wupYkZ
  AvpyWjHyfW3hleE2cCPHqXlHfYNX6q_gActDsgJ7hDN_3G7qwTUpAgOYVF3zugWxI
  ii6ZmXaq8dPAKHK5tBzjJOWQ1DS_gBOB1g4qTJtw6f8lD_9dIRbu5VISkplzRTDcI
  HpDrce5oUh7lfumoP9vmF36r0NjMPAlPWsqpYc3SAP3ScVW37TnxECYGPruxln5Pu
  xgR3VHxpJz11ijbOBUHOhiIcu1RWBNtT2CLN3EwNrUwRt9R3YK0gx_eacQnNoWAZI
  OZdZZAqFBb7Kk0713M98bMmjSCtgrAE0udxjh_RZ_IxbPfClvaWH22ZiJrtXmkE3u
  BNA3ynM4jeVLKlSC-epe8ejL4BmSUS9_oXeKjMl2NZIMqnwvyjpPxlIYqcnXWIlLg
  qsmOXJaHf3SoHqi_7jC3Oyyy_-swTGtPSi61ShaultsP7N9c0BO1JWbhXa8SRGCji
  EB_XunKOlA2OOo8LoUhJ-zUK-eweajby2knWGl-J1LHhwL3PVgeosBq_jlmes8e7u
  IZlK5Qhlc2rlA7EBFs8xwDnaXlRe__13qaeryxRDGznGAwE3JuMFRUJukGLtfp9xk
  WuAlOVJVQbfQnSxX_dFAkJo1u0j2yR_14HenqLQkT9jxbyFYq1e-zLMXh1HI07JRK
  AImLYzFktu4Jw2htnwsPFe1TyTQvdscjM0U4sOiD_EazpHU-9OhWGT2DxW8yoaV88
  AgB1l8EscPicCmOWFrLaCG4rAnlHQNgg__TvhbZGpTO8qJDRfNnPD2Z92Wh7tK5oE
  QL60Mkrpu0008AECtmd-w2-ECTLgXeOgxdPVY_vYS0AbQWhrkRwFrODEBy7UcXoRz
  R64IxyiDt6PfdkvwTMLffQPCrvpVbwmI6_yaHFPXe8EC0-7Yq55jVnEDuD5NBiADe
  z_BjBCfwsckX3HhcRAUyZ2UIe_JmnCYlaTr91h7lCU2qCsSJc0lmIsDGmUKHl48Su
  vl0zFYLtuHitancmQ-FUoY5qjOuCnO2v4EqEN_5ArGLwdzpEOodNxiKyY5h1S19TX
  2M8qrmRdzWmKa7cUS2inCqQUi9GnJp6Vb29JDN6WyUr7elyA7Xu0qKBPXoS-Thktd
  ZIJqqb4RsfTBdD5plVzqWMIIhn7MmFG9iro80ioLcm1gr-wxpQ2tnerg4g8vUi5vS
  EWXw_w0Ttp8_Xij3D73CtScw_V7X58E1nnTHjq4bkNUsydJ5xZr7SkU80-QMe55xS
  OmqTEMWgeUHft47R3VYEGhFVlQ36Kdk121pQs3wApXtaEynftMo5kpc6ConK1YqR0
  Yuw5ntnpWdE0Hpd9yhQ-qnPhwokwiasmDZutxlh45PlOxGbuBd408xu0hyN7W92CC
  BnvRcRWZKbOvugADGeKpufmznsUtTo9XSdQ1ojP8ZxU4QSLHPcaMpX8f1L41VUiTe
  maXmuelntWzjTXmRD8e0kn9PNQrYCvRWz4vNDj7ASTHqYFdHmCmr9wH0zSAOLuddn
  o8bX0mWoB3SEkx-FLvJu50_A4falaU8WJopvA2z_GLJoPsxletclDf7RZAZzoQE0a
  ti-UHxU2HmeW-68JGgDuN6j3TOJoC_jdJzfJSWxS_qfymvM_uo_ZTuJ9l3Nj3ufny
  Ou4yg7g422mM166dVMjiFrLtOZBC38ewaodrNTzaKicc_418bBai3-lSd6S8JHzoP
  NiBIfXPf5ycr6R_CPEwliWLplGGBtd7thnuKBVsn-vovhw7U4qM580zMQBKNmvW00
  cq6rBZ7HNb7KcDznXXrVj1LFr4bgRk8cNxyPKlhhRzUslmpz9T-tmx6UUsH6Fh8tE
  mL1FMd9RpDg5qIMRGpNqZFYrGWyGn4rS3gvbqrBhh3UE8eBTHpEkaadWXeslkHN52
  Vz6gES49N2XkfkeCFq7FqaHmwuIwfmycA_O-iIs8d22U7ekr1KMrSU5KA67bBeq0V
  elVI6UmqQLEfXIt_4NnEeGPD1gOfIVc-1sNCfnHn0VMQK7dahkvWV9Ar171Idn54D
  6K4Hysh3Tqz0iWIhHd3MRR2ABnWrWy-RqhrZKAwx6pd8sQ6IuPoY7F3pZ7F67ueNU
  8u4xSspnQhyQJTDHQYqpGw4i-Gl89XdnUje2GOpyoHfh6kL2DWMpMY32Jn8HoX_f5
  Pw7OcJ6gwpi8ooPvx-5AmFLWH3zF59i-bHGWTfsgvjp4TCYF4sGGmZ1Y3qXmSRYcp
  dg_CcDgYLtFyvu4a6h-Kg3_1Mc9bWuwS9j5zDiXLaUWf3baxzrXRBLdpnLghPZLOq
  6HMPvkQKQ2t7kBCoGDecJiPXCNcQf5O9Psyb5JSBhVxyzZuSJK-P6WEIBCwYcDtnJ
  lHAA89_J8FlQbmUPK_TfxX8uiNGgdp7CQJviL5IW2DcGbjYMdCwVnvSKDKaK0KLNj
  DbiyBOhelcTT73wfXjn81qCSemUgdn4C8eACGdwNhyH71kUf6i8sVtBJv1ClzY-3z
  BRtrAUJdNs8GVcHL-kUuc5IKxrPIBGY-SrjkyYLKOWeN2oInsj3gcVm9g1FX_8_FG
  DZxVerSo8C-FC-2I5M6j1pO_VELZzisz9FEiYUmyantmwVFXGWQOv2FcnSdA3VC6w
  puDr-TCNQFUoRILtCtLkx5hGlxWFOXMjA_mozhM5dAnQ95iopr3Yb7ZrUf_YoRfLK
  YSckvxaVW7M4c08B3YBWeHLGnepTQVLKbYMgZenJpsEr1GlF35BKJYz4aSKlaTBfk
  faQMRNk5rrC0TqFRdmkkr6LiF1WSfWQcfBgzVDlIpC5JVjc_SUeV9Yjd7vkRhyAuH
  X7dWGEyiKte0GQ2RmeWHsAXDT34PT1j0__aj9njnJGCTOAVIVZjpPJR-f3oHUObgg
  gL-wQvgSkBOYkM9C7_CusNX100U8FezhpUPWbwmtIPpV3-yqdhDUNlyTOVe-p9Dv0
  PF11dGan80M2PCrO31AX-r8C3m1EhzCzVDwmPHyOEXo-YBQSJ2Kafr7UQC0A5DltG
  e49aK9QFQCrRsLt8m-GS37UroV9RhBnoqFyJWkwnbPGz7y_o5dFljM397VbU-SknM
  v7cK675HDKom6IILcpTlujUyYSg5Q6Lc9SJUUr7Zjd16TTgjvarV-zz9vx0eoll_9
  b6FP-Vm5-CmDMzHzXO53AWm32sP02GnzzbjNYcGL8RrlfuS0zc0jTBgmnEs-0Pvl4
  nJwbv7s4IDjRDLakAC7RGVNp5cCsQTLJLZxXXplSs3XbT3NefUSjQSxJ2qp42aMdn
  wwBt-5GHaKDkNidTPT36-e8-fWmu5Pn7Od5g8VpD4oA4qG5acsraEyGOjEG9CXDMp
  m492eMXP9Vgxr3b_Gik0tWeMaNOx5jfy4qO8dETL_gXwW0FTkT5sxLdpHoQoEBEID
  2RY9mOLMFLWfMAAeQyicsf3u6Uy_0g0sS7ZIy1NZLG8peQL-Bk8f23J0cbfIQAu1i
  wsYQfUhGUVASKAvBeV7pYaeQx2ldDllkJZzMeHum_90al9rI16V6ln3afRJHgCN9C
  fs4cPzyqjz657bkv6anBpbOkMVjy160TNszlhZgTwxsoJ9DzdrtQEjyU9sP5pSR7J
  U8cK-wISBol5Wuh1-fHpmgQ7066nMOnl9ZLLZXJEiLhY_C-8Ps9M0ekjjSct8RBNR
  zdsDHQ4V5ad8fRIFUVX--3_h6TkgsS0b33I-9QAaN505gy3jUy6NHPI0U6KVia04J
  NEzWD_-ABCgci9wUtXy08PFYqbWTYWQiRsATUFiPFiIoizVWUOX406I05TjtJUqZm
  Tokso8KUxqb_ywZzW0OZ01LU_J0HZm8bwkII8n4-GhzUA784xQgeyk4CdQsZNF3Ps
  LmxekhFzCafVxF7kl6on02yhmNKACtVAEi1_omFSqmD9QUSpb814nmGDjnR6rDQ6G
  PW4MUgGUObBNTQQahKFZ16q_8G3UbdwZ2Tt7G6JgU1s7w-NsiRH_O-Twhs7dMwjMh
  1LKpMEfTxIWpu1W07Dz87iah4vPh9S0VjgwJyE7TuiIO4P1Tbw4wl1UUQ-JNQPqT-
  lqFM2DrBojN8dxP4qdtSdAnNjQh6LnA_kFD2fWiROWgT77cYb34kD679o4erlsa3G
  KVYskvXnuK5ZYfhQHidekY31ZyYm_AzViXKw0zWCEZg-CgBwMdAHFXv_YWiP3vmIe
  YrXx94cqWLM-L4NflaiAG10lJGsgBTnnNMwWIngTumx21WhkfxNkZW7rUZoPWNndk
  GkmHCG884Xerr-VFSQwwlwRRn6LaRPRYLVpjdGFBNRfrkxTT2gNv1C9fy1kY7nkYt
  Efg-iowIgwkldU3EIV3ZkNUlTUfTiYhgwO4OfQ6rg_NqWNpIP5HhbPYU7QbMd_val
  VPWA6h8C-XN-mS_zyy70xEUpPjaTYIfSd1RZ-DLSkvyvR_7eUFY8Jt8w3xChqcVod
  6bJ1iLh33RJ2AU2r2ru4m9enTTgfSuqVLdE3yFZXydC3SQyb2UYmTXweLJ-ZhdbU-
  r23JlFIHRBa04CpqS7nbZJgn12JuIpFy7pcelyLf6YA7_WfhdOXy06hoIEeYFl0Q2
  FOxTe8jlZqcUZn1L-O3URd_zSmc6SV4qwcpI0uDoa-K2H_IDxPo7xPwpkdqNTKPJp
  ov7EL_gOGbCxfEs_6tmMZLzBzJmt91Gw7gjSaiQp3bW1-zYopCW9QC2pLCXBCM51N
  k_3lyiYWWwDOGvaVyeaa5LHVbiMFWgsexCf-lCUNa1UtZQWYxmQLLHYwQqHtQsOlb
  XH690YRY0e5-9E2lxG7uElQXEK2n0DwuNAS1RMu8PBuXnp2EoFQpg9m9S30-mKBKQ
  kteXyduPoprvjkhi5vsQuT8FFKOr9pAkjpPy0EhPfWD57iFN4G64BBG7xHslm5vzd
  T4HIPTDOgYIVLywOBee-YQHvTUwp0PsO79q7cIerjI-52VmcrOn2fjY7aJf4jdEiu
  zBTweVfSzn1qqptB83aKAbp7FoSjcBsX9w-abS7KpxOUHMjoHM8dViQ2vsB2NqZlX
  TC03pHKbekCOLRD0WJQAUzmiR8XAo_S_A423rV7oh_JsO88rP5LmUS7NOZNqwTRhG
  mfbpU6R8-QOoZ7mBvFT51bigvPbv_u7xUHVEL44mQFTAYQ9Ltl7eyW7eWiHNfI5ke
  0WSpH_2aeVKKUU9xDYtELXe8D7u3pbSONSZ7B-jSP9S8DdCZYTXcbRssW1z9Vt-4U
  0fgckFtUVuE-xc9nu-fexjY5nNpcXapIjKf0oO0Q2hReunI_WyE2BQyynv6I-6KBO
  z-zZdJmsfAUqzlOdtFEsyv7sx8oAUnBSpQr9fKAct9SChdYL78vO-DIhR-tyrLEYz
  cg6eGMpZOK9wIfBp94Yg4M-QDFVsDP4c8GbC1nuriw2MTHb084DkGFRmF49r4fua4
  BbfvCi26kwJmnIj0bUx39fWgxUIkLxQN3Rb7tRHHajS9PzRx1GRczDd8n8Ur9moHS
  W8_HSlNG-kF3uX3R8gLpXApItKnZ-5W3RrabryOYE3blOax5weyFUqH3FQQDG3NI0
  11s99vlGfw22vvDhYf8AaG5pBPreWxuuddkmpnCq7YsmE1zm_bv206CMBbaZCsiSr
  jWoHRM46783XQRN20iYztNRon9w_uWQ__pbpD09jn0OuQu_N9prYOTflA6OdveJzZ
  eszz9muMI4ZOksDXgWt8Skeacvyc34fjrNAxqyKIODyVWHLoiBKjefqrd2gtHLORo
  O8-_OKYom0HEaHqZSC85cJoe6hmifQb62U4gRRrW1u_7w-WylB2HgY85HWdSwxmsC
  OYjNx3DVrvMrRlJHZySuoGw7Gj6WpWGoDBCsfU5iiox7JQRcHPV2z5IAnHA0QAsUX
  XT0O5AVIiGsjgOxGxti3NcynSgjtoLU2x_JBJ10OuSe_ew-HSXs2ur4nT4VwdpYBv
  xnFFf5Iemh37o6mO-orxsOR3bBufkhfQr7-46z6OUfW3B_Wt73T8MxfJQPg5TugPG
  txdaIMhSG_ZNzRNxi6i0d-tueygRYVc0loDawpatlsEdOzGZYVfWMOgUN0ap02sCt
  XGIMukoSjq4fPOZJVvvKbX4Bm5zYXIej7iFvlh_m5INOdsH_ZRINEEhysJoek3owT
  GPuFWLa5KC0Uz_4s05p7_5EqwPhJw1rJ1J4nwHuykpSXrSBdRhC6LfCS2dbfPzi9a
  2TDZO1ezc3Q4Sr7JOmH0Mct4nH_qQggc7rHbJDNpPl8nI4aNUblSNS_kPzZQlQzqo
  cuw9nURV0miQyLThg7Zi0p9Y01A4Gir2-ZVgcmGE67dQJ2AlY4srjMatwScjs6KI7
  nkh9VgdBNMInAoRKDSo7zTzIjLySXZRVKzBymvLKfWu48G9AO6a1_jkmOXOxRwHKR
  x0CmZkygtDBjN3WfHvZyUEWxKDD3uTxCHWUjbMxqqOIXiDYBQsuSFjKFXTb6D3Mn8
  QwTqXTxE86hiX2UaDxKoVHNZFobU9ndY4ZDabuKlf6w3tYiIxwGk4aCK95P4fRwZD
  4h4ccCb4FnUFAbWjhVQ1FYIvdkUXXnylCm46hpWAM8om_bCghRdSec34jcbyGEQ-a
  qwSkpbl1k50XJIqwIGIJ1K8HmViRBW1di01mhROZ9iEkSC_pJYMgirINAVoUjkhcA
  SwtQjiPtrSkD48qNEU6Wxk_TdhlPzVGTATDj20HxBPlu1vcSPRVIJYhh86jKrELUH
  Itfuhd5hDQjpMIJfOjw9eLRo7gErek-CWfa3jKHyWvitmjfGFZK_rvkFMSakYY7ho
  vgGG1PtspvvNMrOU7KKujtP4bDkLXAkYhy-bOmuNlzMLA3YRaBjDPUeOq-hNTAXKa
  7HoE8NMlUoTf5Il5f2ZNjP9rK9nfbBGnhqm9yHfA4x5R5f1NFn-k5i3pGqiL8CG2f
  cl12-GftVn6H-Lz5UleyUadDmJipJbBhr_aGSy5tFYRgkG1_8g0AK_6ZTdSDAViCa
  fca0pPrXyirCV6r-1j0yr78aWnQJfMEQ3N9RG6lgDq52x2SF_NZLsRLnD961EHxd9
  pUYVZ0_Wj_Iz6DM5pMGCL3BiKg9-uu-OtLv-LYrs1Cp7kKmEIIMcTs6zdhbHAPdEw
  3qHs2VPgSoUiIWUhnrSy5dVFju1o31p1ssrLJvmYKpQpt3GWpBOrdo1Nw4jYuCwBU
  1qQGiqwaezX7ZtqJlqCjO5o5TgIHfrH_sILqbUnksMKR6Qt-ZyPru1RViTcGWVG-o
  OoQDRNF1aEfbQcH8b_D2HJrUjeC2tplPWS1U-CDfH2yZ6U3ub8usZ5srAMqyXJYpG
  HXeeWh8sPWMHNkkTMvtQLkz98gdLEDYwwSYLHzrpqi8JJU4Oc5tWCmo-0YzTWfBXE
  24ksliLgTW_GYFn2JUhnqYVKMBr6Aq4axGN8S9Y1SwvDU5aee1lTDHw2_TS9SjxNS
  ZuNmRSwx1NdT8Bb3lWku4y1oBxlcph-OYoDhBHs-oHsiR0RTtAqKJz6TpmOvkkuzb
  KK2AYg19Pq4B",
            {
              "PayloadDigest":"QMPBj6seeYHz0Qsm-ZbIACc2Kt_yv6iRCwBr
  VzMWsJxppQWluV4n0pwfVkoY0AxdC87mA4nJ7I1e3VDjFwDF_w",
              "TreeDigest":"2J9OgvdgKNPzRLZwl5U6m1fkbYqsmIi83OoG2P8
  Axca-GYjfFByypNU0-sS9RiqQtn9cWuuXw9jnkIrYum9TwQ"}
            ]
          ]}
      ],
    "Local":[[{
          "EnvelopeID":"MB5Q-B3IF-WZUQ-2QFA-ULYK-4NYZ-7IOC",
          "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNRFZBLTNBM0QtSj
  NYSi1BSkNXLTI2SlUtNkFLUy1RNTJKIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVzcG9
  uZENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTo0MVoifQ"},
        "ewogICJSZXNwb25kQ29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi
  AiTURWQS0zQTNELUozWEotQUpDVy0yNkpVLTZBS1MtUTUySiIsCiAgICAiUmVzdWx
  0IjogIkFjY2VwdCIsCiAgICAiQ2F0YWxvZ2VkRGV2aWNlIjogewogICAgICAiVWRm
  IjogIk1CMzItRkNCSS1UREdELUpTWFQtM1FYUC1DM1NKLVhIUk0iLAogICAgICAiR
  GV2aWNlVWRmIjogIk1CTkotM1BORy1OVUJBLUsyVUktNE1CWC1NRFNJLVZSQkYiLA
  ogICAgICAiRW52ZWxvcGVkUHJvZmlsZVVzZXIiOiBbewogICAgICAgICAgIkVudmV
  sb3BlSUQiOiAiTUNPSS1YU0dYLTNRUDMtNUY2Ny1YSkFHLVJJNTctMktRSiIsCiAg
  ICAgICAgICAiZGlnIjogIlM1MTIiLAogICAgICAgICAgIkNvbnRlbnRNZXRhRGF0Y
  SI6ICJld29nSUNKVmJtbHhkV1ZKUkNJNklDSk5RMDlKTFZoVFIxZ3RNMUZRTXkwCi
  AgMVJqWTNMVmhLUVVjdFVrazFOeTB5UzFGS0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0d
  VaU9pQWlVSEp2Wm1sc1oKICBWVnpaWElpTEFvZ0lDSmpkSGtpT2lBaVlYQndiR2xq
  WVhScGIyNHZiVzF0TDI5aWFtVmpkQ0lzQ2lBZ0lrTgogIHlaV0YwWldRaU9pQWlNa
  kF5TUMweE1TMHdNbFF4TnpvME1UbzBNRm9pZlEifSwKICAgICAgICAiZXdvZ0lDSl
  FjbTltYVd4bFZYTmxjaUk2SUhzS0lDQWdJQ0pRY205bWFXeAogIGxVMmxuYm1GMGR
  YSmxJam9nZXdvZ0lDQWdJQ0FpVldSbUlqb2dJazFEVDBrdFdGTkhXQzB6VVZBekxU
  VkdOCiAgamN0V0VwQlJ5MVNTVFUzTFRKTFVVb2lMQW9nSUNBZ0lDQWlVSFZpYkdsa
  lVHRnlZVzFsZEdWeWN5STZJSHMKICBLSUNBZ0lDQWdJQ0FpVUhWaWJHbGpTMlY1Ul
  VORVNDSTZJSHNLSUNBZ0lDQWdJQ0FnSUNKamNuWWlPaUFpUgogIFdRME5EZ2lMQW9
  nSUNBZ0lDQWdJQ0FnSWxCMVlteHBZeUk2SUNJd2VFbEZZVU5KTWtKQ00yMW5Ua1JZ
  YW1SCiAgRGRWVnRORVJZYlVoemFWTm1WMHQ1VUd4elltUlNTVFYyUkdwd1ZuaDNSV
  nBPQ2lBZ1ZXbGFUbk5STlc5aWQKICBsbFVZMlp5V0dkTVJ6VklOVmxCSW4xOWZTd0
  tJQ0FnSUNKQlkyTnZkVzUwUVdSa2NtVnpjeUk2SUNKdFlXdAogIGxja0JsZUdGdGN
  HeGxMbU52YlNJc0NpQWdJQ0FpVTJWeWRtbGpaVlZrWmlJNklDSk5Rek16TFZkS1Yw
  b3RTCiAgVFF6UVMxT1MwSkxMVWN5VlRVdFFsbEZXQzFPTTBaR0lpd0tJQ0FnSUNKQ
  lkyTnZkVzUwUlc1amNubHdkR2wKICB2YmlJNklIc0tJQ0FnSUNBZ0lsVmtaaUk2SU
  NKTlFWcGFMVXRKTWs4dFdsUllTeTFZU2tRMExWcFdTRk10TQogIDFoU1N5MUNTemM
  zSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21GdFpYUmxjbk1pT2lCN0NpQWdJQ0Fn
  SUNBCiAgZ0lsQjFZbXhwWTB0bGVVVkRSRWdpT2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM
  0oySWpvZ0lsZzBORGdpTEFvZ0kKICBDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDST
  JXRUZtWkVWTk9VMTJWMDlWWlhKa01HTkNjalZLZFRad01UYwogIHhkWGRFT0ZseFF
  tTTNkbE53WTB0ck5uUkNWazQzUzBOUUNpQWdZMTh3ZVdZeGRFOVBRVGhRWkcxNVox
  OTNaCiAgVWxLZWpoQkluMTlmU3dLSUNBZ0lDSkJaRzFwYm1semRISmhkRzl5VTJsb
  mJtRjBkWEpsSWpvZ2V3b2dJQ0EKICBnSUNBaVZXUm1Jam9nSWsxRFQwa3RXRk5IV0
  MwelVWQXpMVFZHTmpjdFdFcEJSeTFTU1RVM0xUSkxVVW9pTAogIEFvZ0lDQWdJQ0F
  pVUhWaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzS0lDQWdJQ0FnSUNBaVVIVmliR2xq
  UzJWCiAgNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaVJXUTBOR
  GdpTEFvZ0lDQWdJQ0FnSUNBZ0kKICBsQjFZbXhwWXlJNklDSXdlRWxGWVVOSk1rSk
  NNMjFuVGtSWWFtUkRkVlZ0TkVSWWJVaHphVk5tVjB0NVVHeAogIHpZbVJTU1RWMlJ
  HcHdWbmgzUlZwT0NpQWdWV2xhVG5OUk5XOWlkbGxVWTJaeVdHZE1SelZJTlZsQklu
  MTlmCiAgU3dLSUNBZ0lDSkJZMk52ZFc1MFFYVjBhR1Z1ZEdsallYUnBiMjRpT2lCN
  0NpQWdJQ0FnSUNKVlpHWWlPaUEKICBpVFVOSVFpMHpRekpKTFRkSFVsUXRSVkpTTl
  MxS1QwTXpMVmRZVTBRdFJreFFSaUlzQ2lBZ0lDQWdJQ0pRZAogIFdKc2FXTlFZWEp
  oYldWMFpYSnpJam9nZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9n
  ZXdvCiAgZ0lDQWdJQ0FnSUNBZ0ltTnlkaUk2SUNKWU5EUTRJaXdLSUNBZ0lDQWdJQ
  0FnSUNKUWRXSnNhV01pT2lBaU8KICBHNXdSRVJ0VW5WYWJVMVNZV2hPTjJGU1dYUT
  VZVGRuTUhCSk1EUmljbUZhYVZWWlUzRTNjR3R4TURObExYaAogIHdhSFJvUXdvZ0l
  IZDFPRWxNVTJsUlRESnVSV1ZqV0UwNVVVbEtYMmxYUVNKOWZYMHNDaUFnSUNBaVFX
  TmpiCiAgM1Z1ZEZOcFoyNWhkSFZ5WlNJNklIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKT
  lExVlNMVWN5UWtFdFVFRk1XQzEKICBOVFVwYUxWWk1XRFV0UkZFMldTMU5URVF5SW
  l3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21GdFpYUmxjbk1pTwogIGlCN0NpQWdJQ0F
  nSUNBZ0lsQjFZbXhwWTB0bGVVVkRSRWdpT2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oy
  SWpvCiAgZ0lrVmtORFE0SWl3S0lDQWdJQ0FnSUNBZ0lDSlFkV0pzYVdNaU9pQWlUR
  jlPU3kxUmVIWTFZMjUyUmpsQlMKICBFWmlXbnBRVm5CeFRWQkJZak5tZDNWMmN6ZG
  1aekZPWkRCS2VXVkVWWFZmTVdKS05Rb2dJR3BtYUd4bmQyOQogIHpWR1JIV2pKaVF
  XeGpSRlpDTFZsSlFTSjlmWDE5ZlEiLAogICAgICAgIHsKICAgICAgICAgICJzaWdu
  YXR1cmVzIjogW3sKICAgICAgICAgICAgICAiYWxnIjogIlM1MTIiLAogICAgICAgI
  CAgICAgICJraWQiOiAiTUNPSS1YU0dYLTNRUDMtNUY2Ny1YSkFHLVJJNTctMktRSi
  IsCiAgICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJFZ0kxWDlWNXhGUjl6cHhGc1F
  NZXNfRzlzZ3AtcnAxd1o5Ym5XYkgwOGVCVFZ2eVk4CiAgUXVTOGR3dUtvVG9CTnQ3
  M0FsZnpnbzR2ajBBMGpkVFBEcnRnd1VXUW95S1JhS0Vwd05yanVzTXFPeWlSQXcKI
  CBxRDBJcUhtajBGU1dDbzNRZFdkQTV4cDdnekpld2lySXFZYmRuX1FRQSJ9XSwKIC
  AgICAgICAgICJQYXlsb2FkRGlnZXN0IjogInpiMlJTUXRsb3ZPSmhvYzdqUU9yb2t
  UUGRHNFp2TDJLcnZxS0tiTXlVZ0V5TQogIFdDcDZMbzExQS1oY183UVJkRzc4dFZs
  MHZCdmpjTjJZVVNfbWlVQ0FRIn1dLAogICAgICAiRW52ZWxvcGVkUHJvZmlsZURld
  mljZSI6IFt7CiAgICAgICAgICAiRW52ZWxvcGVJRCI6ICJNQk5KLTNQTkctTlVCQS
  1LMlVJLTRNQlgtTURTSS1WUkJGIiwKICAgICAgICAgICJkaWciOiAiUzUxMiIsCiA
  gICAgICAgICAiQ29udGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpSQ0k2
  SUNKTlFrNUtMVE5RVGtjdFRsVkNRUzEKICBMTWxWSkxUUk5RbGd0VFVSVFNTMVdVa
  0pHSWl3S0lDQWlUV1Z6YzJGblpWUjVjR1VpT2lBaVVISnZabWxzWgogIFVSbGRtbG
  paU0lzQ2lBZ0ltTjBlU0k2SUNKaGNIQnNhV05oZEdsdmJpOXRiVzB2YjJKcVpXTjB
  JaXdLSUNBCiAgaVEzSmxZWFJsWkNJNklDSXlNREl3TFRFeExUQXlWREUzT2pReE9q
  UXdXaUo5In0sCiAgICAgICAgImV3b2dJQ0pRY205bWFXeGxSR1YyYVdObElqb2dld
  29nSUNBZ0lsQnliMloKICBwYkdWVGFXZHVZWFIxY21VaU9pQjdDaUFnSUNBZ0lDSl
  ZaR1lpT2lBaVRVSk9TaTB6VUU1SExVNVZRa0V0UwogIHpKVlNTMDBUVUpZTFUxRVU
  wa3RWbEpDUmlJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvCiAg
  Z2V3b2dJQ0FnSUNBZ0lDSlFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUNBZ
  0lDQWdJbU55ZGlJNkkKICBDSkZaRFEwT0NJc0NpQWdJQ0FnSUNBZ0lDQWlVSFZpYk
  dsaklqb2dJbTlaTmpWdWRuSXdWRkY0TlRaSFZXVgogIFVSQzFSZUUxT2FXSmtRbXR
  PWm1GRGRrUlVWM0ZoYVdKTFMwdHhSRmhpUTFRd2RtOEtJQ0IxY2xobkxWSnNVCiAg
  WEZEUzNWRVpFOHRkMVo2TFhsVWRVRWlmWDE5TEFvZ0lDQWdJa0poYzJWRmJtTnllW
  EIwYVc5dUlqb2dld28KICBnSUNBZ0lDQWlWV1JtSWpvZ0lrMUVRamN0TTFOR1FpMU
  9RVE5PTFRKWlUxTXRXRlJWVUMxU1JrMUVMVVZVVgogIGpJaUxBb2dJQ0FnSUNBaVV
  IVmliR2xqVUdGeVlXMWxkR1Z5Y3lJNklIc0tJQ0FnSUNBZ0lDQWlVSFZpYkdsCiAg
  alMyVjVSVU5FU0NJNklIc0tJQ0FnSUNBZ0lDQWdJQ0pqY25ZaU9pQWlXRFEwT0NJc
  0NpQWdJQ0FnSUNBZ0kKICBDQWlVSFZpYkdsaklqb2dJbWxXT1ZSWmJVcGphVTVRUk
  VSd1ZYcEVkVXRtT0hObWQzbElNRzlYZFdwbVdFZwogIHpjV2hPYkVSa1RFWkVXVkZ
  3VUc0MGFtZ0tJQ0JaUzFkR2FsZE1UWEZUTkY5cFltODNXSG96TUdOSU1FRWlmCiAg
  WDE5TEFvZ0lDQWdJa0poYzJWQmRYUm9aVzUwYVdOaGRHbHZiaUk2SUhzS0lDQWdJQ
  0FnSWxWa1ppSTZJQ0oKICBOUVVwQkxWZEVXa3N0TkVNeU5pMVpWRTlCTFZSRVNrUX
  RRVnBHU3kxVlZVdEhJaXdLSUNBZ0lDQWdJbEIxWQogIG14cFkxQmhjbUZ0WlhSbGN
  uTWlPaUI3Q2lBZ0lDQWdJQ0FnSWxCMVlteHBZMHRsZVVWRFJFZ2lPaUI3Q2lBCiAg
  Z0lDQWdJQ0FnSUNBaVkzSjJJam9nSWxnME5EZ2lMQW9nSUNBZ0lDQWdJQ0FnSWxCM
  VlteHBZeUk2SUNKdloKICBsTmpObFZ5VnpNelZXUXpkbTlMVHpGZmJXMW9UVVJQYz
  JoT05GbFdVMEZUYWxGd2EwbGFWRVZWYWxJdE9VSgogIHBSa2RIQ2lBZ2REUndlR1I
  1ZHpJMVpXOXNhakU1VlVocWFGUnZXV1ZCSW4xOWZTd0tJQ0FnSUNKQ1lYTmxVCiAg
  MmxuYm1GMGRYSmxJam9nZXdvZ0lDQWdJQ0FpVldSbUlqb2dJazFEVkVRdFZGTkRXa
  TFYTTB3MkxVMVpORmcKICB0U3pORVRTMU1WMWxUTFZvMVYwOGlMQW9nSUNBZ0lDQW
  lVSFZpYkdsalVHRnlZVzFsZEdWeWN5STZJSHNLSQogIENBZ0lDQWdJQ0FpVUhWaWJ
  HbGpTMlY1UlVORVNDSTZJSHNLSUNBZ0lDQWdJQ0FnSUNKamNuWWlPaUFpUldRCiAg
  ME5EZ2lMQW9nSUNBZ0lDQWdJQ0FnSWxCMVlteHBZeUk2SUNKak5GZHVVM2d6T0hVM
  GJEbHNYMDlOWTFGQmMKICBXOWFOVkpZTFdwNGNrdzBhbUkwTWxaNFltRTRXbmhvTT
  Jwa1VEaHZNa2RFQ2lBZ05ITjBkRGxPTWpGT1pYYwogIHdUbTF4T0ZCaVV6bFhVMWx
  CSW4xOWZYMTkiLAogICAgICAgIHsKICAgICAgICAgICJzaWduYXR1cmVzIjogW3sK
  ICAgICAgICAgICAgICAiYWxnIjogIlM1MTIiLAogICAgICAgICAgICAgICJraWQiO
  iAiTUJOSi0zUE5HLU5VQkEtSzJVSS00TUJYLU1EU0ktVlJCRiIsCiAgICAgICAgIC
  AgICAgInNpZ25hdHVyZSI6ICJlU0w0dmhad2RTZkJ2eFBzelpZMHp5a1F1WDNkVnk
  zVTVRVmZhNTN6YlE1eUxPZVN0CiAgMG9kUzlFMk5URTQ0M0t2cHhkM1hCSTB0T29B
  YmZDOGdOeXNCaUFHb1FublVlY1VRNVBmcmdtRGdBMUdJWmIKICAzY2tDS1B5NnY5N
  VpHSkNjOG1lcGs3LVg4OWxjenhrZGhsdFJmbGpFQSJ9XSwKICAgICAgICAgICJQYX
  lsb2FkRGlnZXN0IjogImZZeTdSUnBjV3poZl81UlBhLUtCVmNxWE1WQmp2bS1nN2d
  xbEE3QUJBMHZtQQogIEZDMlQ4RjhJb3VxQ2M1RTZ5U3JNYW1BMHBzVGZCcEJYSHc2
  VWZ5ZjF3In1dLAogICAgICAiRW52ZWxvcGVkQ29ubmVjdGlvblVzZXIiOiBbewogI
  CAgICAgICAgImRpZyI6ICJTNTEyIiwKICAgICAgICAgICJDb250ZW50TWV0YURhdG
  EiOiAiZXdvZ0lDSk5aWE56WVdkbFZIbHdaU0k2SUNKRGIyNXVaV04wYVc5dVJHVgo
  gIDJhV05sSWl3S0lDQWlZM1I1SWpvZ0ltRndjR3hwWTJGMGFXOXVMMjF0YlM5dllt
  cGxZM1FpTEFvZ0lDSkRjCiAgbVZoZEdWa0lqb2dJakl3TWpBdE1URXRNREpVTVRjN
  k5ERTZOREZhSW4wIn0sCiAgICAgICAgImV3b2dJQ0pEYjI1dVpXTjBhVzl1UkdWMm
  FXTmxJam9nZXdvZ0lDQWdJa1IKICBsZG1salpWTnBaMjVoZEhWeVpTSTZJSHNLSUN
  BZ0lDQWdJbFZrWmlJNklDSk5SRmcxTFVaQk5FSXRXa2ROTQogIHkxWlZsRTNMVXhQ
  UzFBdFJGVlFSaTAzTmxWUUlpd0tJQ0FnSUNBZ0lsQjFZbXhwWTFCaGNtRnRaWFJsY
  25NCiAgaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cFkwdGxlVVZEUkVnaU9pQjdDaU
  FnSUNBZ0lDQWdJQ0FpWTNKMkkKICBqb2dJa1ZrTkRRNElpd0tJQ0FnSUNBZ0lDQWd
  JQ0pRZFdKc2FXTWlPaUFpZVhNM1FWRk9VVzlXVEVsMmMycAogIHNkemxPZGxCclRY
  RXpSa2hCUW5sVFFsRm1XbDlGUzI1bWRXRm5lREJpTUZkT2FFRTBlZ29nSUc0NE5VM
  VRVCiAgVlk1WTFGWFlrRldRekZOV0RWRFpqaDVRU0o5Zlgwc0NpQWdJQ0FpUkdWMm
  FXTmxSVzVqY25sd2RHbHZiaUkKICA2SUhzS0lDQWdJQ0FnSWxWa1ppSTZJQ0pOUTF
  ORExWWkpXRVF0U2xKTU5pMDNWVFJVTFZRM05rVXRVekpSVwogIEMwM05sVklJaXdL
  SUNBZ0lDQWdJbEIxWW14cFkxQmhjbUZ0WlhSbGNuTWlPaUI3Q2lBZ0lDQWdJQ0FnS
  WxCCiAgMVlteHBZMHRsZVVWRFJFZ2lPaUI3Q2lBZ0lDQWdJQ0FnSUNBaVkzSjJJam
  9nSWxnME5EZ2lMQW9nSUNBZ0kKICBDQWdJQ0FnSWxCMVlteHBZeUk2SUNJd1h6bE5
  hVmRyVDJ0RWJ6RnVVVTUyVWxaclJUVkxSVU5vUW05MVNXMAogIHRMVlF6VlRSa1ZE
  VnJhRWcyU0MxbUxYSjVOa2hIQ2lBZ01qWm9Wa1ZhYWs1MVF6bHZaWFpOYWxwSVMzS
  XhXCiAgSGRCSW4xOWZTd0tJQ0FnSUNKRVpYWnBZMlZCZFhSb1pXNTBhV05oZEdsdm
  JpSTZJSHNLSUNBZ0lDQWdJbFYKICBrWmlJNklDSk5SRWhXTFRWU05GY3RUMFpVV2k
  xWE5FcFRMVTVhU1RVdFNsRlpXUzFLVlU5UUlpd0tJQ0FnSQogIENBZ0lsQjFZbXhw
  WTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cFkwdGxlVVZEU
  kVnCiAgaU9pQjdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJbGcwTkRnaUxBb2dJQ0
  FnSUNBZ0lDQWdJbEIxWW14cFkKICB5STZJQ0pRTFVSc05uSktSMnhLYjA1UWQzUkl
  jM0pWWDJsak5UUnliek00Uld4Wk1UaEVkVUZQWkVsR1FYSQogIDFaVXAzZWpSMlFU
  Z3dDaUFnUkRaSWFtSkZRVEJXUjNJdFZFRnFWbXR3U0Y5b1kxTkJJbjE5ZlgxOSIsC
  iAgICAgICAgewogICAgICAgICAgInNpZ25hdHVyZXMiOiBbewogICAgICAgICAgIC
  AgICJhbGciOiAiUzUxMiIsCiAgICAgICAgICAgICAgImtpZCI6ICJNQlNXLUVZWTc
  tVjZLRS0zWk9SLVYzQUgtRE1NNS1KMlpNIiwKICAgICAgICAgICAgICAic2lnbmF0
  dXJlIjogIktDQXY2Wk9VQTNYeWZwWlcwSWN1YzRLZ3FBUFgxWmRLa2V4bmlKREtCS
  UttcmFRRjIKICA3Z082QnF1TXpWaU5ENUJfbU1uYVByV3hMUUFkUHliN0tBR2U4OX
  BqVS0zaVpOblBqM1V1MDVBNU5Bdy1JYgogIDBveVlnOE5yYzNjVUx4N1FTN2J4RVp
  UYzBEQ3NicDFsd1Rid0dnZ0lBIn1dLAogICAgICAgICAgIlBheWxvYWREaWdlc3Qi
  OiAiTlhZSWxqUWV5MjVqQ2RnVmlKUkJUX0VHRTlITDJkWmNOVWc5RHdJVHZzVC0zC
  iAgZTZObmctXzM3UnBYTWlLRnlWQ0VISXRBSUF0S1h3ZHphbjVqTVM0aWcifV0sCi
  AgICAgICJFbnZlbG9wZWRBY3RpdmF0aW9uRGV2aWNlIjogW3sKICAgICAgICAgICJ
  lbmMiOiAiQTI1NkNCQyIsCiAgICAgICAgICAiZGlnIjogIlM1MTIiLAogICAgICAg
  ICAgImtpZCI6ICJFQlFHLUtSR0wtU0tXSS1LQllBLUNWS1ItN0hBSC02STJGIiwKI
  CAgICAgICAgICJTYWx0IjogIk1QemhNY0dBTDllVGxCZVdraXdNVWciLAogICAgIC
  AgICAgInJlY2lwaWVudHMiOiBbewogICAgICAgICAgICAgICJraWQiOiAiTURCNy0
  zU0ZCLU5BM04tMllTUy1YVFVQLVJGTUQtRVRWMiIsCiAgICAgICAgICAgICAgImVw
  ayI6IHsKICAgICAgICAgICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgI
  CAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgICAgICAgICAiUHVibG
  ljIjogIlNWY1JoeWNhLV9QQkF3V1pHT2hlMVJoVnRWMHdySlRxRFlLUkdNNExKR2Q
  xVS1URlc2a3QKICBmYjIxT2MwcEJPRzJwUmZXYW5vaWR2UUEifX0sCiAgICAgICAg
  ICAgICAgIndtayI6ICJ0c0dWUjQ0bUYxVDk3LUpXa2NkZU5GX2RWb3I5dVEyaFRDZ
  GRmTFRjaXlfYnZVN1JWeVktSVEifV0sCiAgICAgICAgICAiQ29udGVudE1ldGFEYX
  RhIjogImV3b2dJQ0pOWlhOellXZGxWSGx3WlNJNklDSkJZM1JwZG1GMGFXOXVSR1Y
  KICAyYVdObElpd0tJQ0FpWTNSNUlqb2dJbUZ3Y0d4cFkyRjBhVzl1TDIxdGJTOXZZ
  bXBsWTNRaUxBb2dJQ0pEYwogIG1WaGRHVmtJam9nSWpJd01qQXRNVEV0TURKVU1UY
  zZOREU2TkRGYUluMCJ9LAogICAgICAgICJCRjZ4UmxqejZRVzRzSndocmhxMVZkSj
  FibHBsS0ZwMy0tcDVEelE4ZjdKCiAgYmVOZE1Jak1yQ2ZyTTBQYmhMdW9GWFdYQVJ
  1cW5QZ1FMTWFrR0JnMnMtMWRnX1RoSUo5SzdOb2RFMmlyS3gKICB1eDJ0YmhPRk1U
  TFBsM2FZTUtRUDN2aC0xNUV3YS1CTU9HWGhKSGJSbW00U3N4a3FBOFhwckFjWUx4a
  UNvcAogIDBZUl82aVlJdWtMelBNSjVEUm5WajRCMHJlbnZpaTNLZzVoRWdXU00xSH
  dER1laVkVWVzcwSDZzZnh5cTBNCiAgdWhybUtWdkpHRXZaRmxFOHFfVWMzVDZYUjJ
  fIiwKICAgICAgICB7CiAgICAgICAgICAic2lnbmF0dXJlcyI6IFt7CiAgICAgICAg
  ICAgICAgImFsZyI6ICJTNTEyIiwKICAgICAgICAgICAgICAia2lkIjogIk1CU1ctR
  VlZNy1WNktFLTNaT1ItVjNBSC1ETU01LUoyWk0iLAogICAgICAgICAgICAgICJzaW
  duYXR1cmUiOiAia3lqU3hqSUlBX3dzWlBqWllpWVIxQ1NKSThrMU52dTJZNldzdm5
  oekROa3UzZXgyVAogIFd3QmJXRmV1YnVGdGlVaTRrNEJSeU90NWpnQW01NkFYU1d5
  WnVxRnozZmVlb09GYk9zQ1dGV1dKS3ItNncxCiAgSGw0S3VTU3RpTWhGeld5YWRMe
  GxLV1E2RFhiMS04VTdhVkFxYi15RUEiLAogICAgICAgICAgICAgICJ3aXRuZXNzIj
  ogImdaczk2dnhkY25zcVpyRWpoNzdBQzRocXEzLWlZek96dkJXN0NRdkp5ZFkifV0
  sCiAgICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJnRkxJZ3I3UTd3cnRjbHBBWU1G
  UWlSYk9XcmdMNXNfMWN4aEZQcmlrN3N4SlIKICBwbkRhZlROS2pSTEp6ajB5cDZxe
  ExDNUxnMGNQd1pGc0VQcW5yVmdGUSJ9XSwKICAgICAgIkVudmVsb3BlZEFjdGl2YX
  Rpb25BY2NvdW50IjogW3sKICAgICAgICAgICJkaWciOiAiUzUxMiIsCiAgICAgICA
  gICAiQ29udGVudE1ldGFEYXRhIjogImV3b2dJQ0pOWlhOellXZGxWSGx3WlNJNklD
  SkJZM1JwZG1GMGFXOXVRV04KICBqYjNWdWRDSXNDaUFnSW1OMGVTSTZJQ0poY0hCc
  2FXTmhkR2x2Ymk5dGJXMHZiMkpxWldOMElpd0tJQ0FpUQogIDNKbFlYUmxaQ0k2SU
  NJeU1ESXdMVEV4TFRBeVZERTNPalF4T2pReFdpSjkifSwKICAgICAgICAiZXdvZ0l
  DSkJZM1JwZG1GMGFXOXVRV05qYjNWdWRDSTZJSHQ5ZlEiLAogICAgICAgIHsKICAg
  ICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgICAiYWxnIjogIlM1M
  TIiLAogICAgICAgICAgICAgICJraWQiOiAiTUJTVy1FWVk3LVY2S0UtM1pPUi1WM0
  FILURNTTUtSjJaTSIsCiAgICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJpaGZwUDl
  mUkd3ZFhFTkozck9GTFBCcHpycDBlQnVvS2NLamJKSGxkV01LSGg2azllCiAgMlhk
  QzMwNlAySVF0N19vRVFjNWxRXzhDeU1BWkp3R1FoVERuOUNEUzRwX0d3bFk0Rk9oT
  zlNejhQRUNydGcKICBscEVtWnFlU2xwWThpRFlsOVF6enRCdUY3TjJwbl9JalVleD
  N1VlFnQSJ9XSwKICAgICAgICAgICJQYXlsb2FkRGlnZXN0IjogInhnUjVqN05pVWJ
  EdktXalA3SWpJNEh1TUFQTEQ4LXJ1M2NNSVRtZ0lpUHVYOQogIGdoMWxsa3kxY2da
  UGMxelUwd3dZR0t1Y1Y2bUdlZ3NWNXdnN1pHWW9BIn1dfX19"
        ]
      ]}}

The response payload:

{
  "TransactResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

6.6. Cryptographic

The Operate transaction is used to perform one or more cryptographic operations using private key material recorded in the Threshold Catalog. Such operations typically represent one part of a threshold key operation divided between the service and a device connected to an account.

As with all operations involving the Threshold catalog, the request MUST meet the authentication criteria specified by the catalog entry. These typically include the request being authenticated by a specific key.

6.6.1. Generate Key Shares

CryptographicOperationShare is used to request that a private key held by the service to be divided into two or more key shares. One key share is then encrypted under the encryption key of the service and the others are encrypted under public keys specified in the request. These parameters are returned in a CryptographicResultShare.

The request payload:

The response payload:

6.6.2. Key Agreement

CryptographicOperationKeyAgreement is used to request a threshold key agreement operation on a specified public key.

The request payload:

The response payload:

6.6.3. Sign

Threshold signature is not currently supported.

7. Message Transactions

Message transactions are interaction between devices connected to the same account and between accounts.

All messages are signed by the sender and encrypted under the encryption key of the recipient if this is known to the sender.

7.1. PIN Code

The PIN Code Message Transaction is used to register and validate PIN codes used to authenticate other message transactions. This is currently used as an option in the Device Connection and Contact Exchange transactions.

Derivation of the SaltedPin, MessageId and Witness values from their respective inputs is described in the Schema Reference [draft-hallambaker-mesh-schema].

7.1.1. Registration

To register a PIN code to an Account, a device:

  • Generates the PIN code value
  • Calculates the SaltedPin value for the specified Action
  • Calculates the PinId binding the specified SaltedPin to the Account.
  • Creates and signs MessagePin containing the SaltedPin , Action and Account values with the MessageId value PinId.
  • Appends the MessagePin value to the Administration Spool of the Account.

Note that this construction provides limited protection against forgery attacks by a party with access to the MessagePin. A party with such access can use it to construct the witness value required to authenticate a request.

PIN Code values consist of an opaque sequence of octets represented as a UDF nonce value. Codes are presented in canonical UDF form, i.e. Base32 encoding separated into groups of 4 characters. The PIN value is converted to binary form for calculation of the SaltedPin, thus ensuring that the canonical form of the PIN value is used.

7.1.2. Authentication

The PIN Code value is passed out of band to a user who will enter it into a device to authenticate a request made to the issuer.

A request that MAY be validated by means of a PIN is a subclass of MessagePinValidated and contains the following fields:

AuthenticatedData

A DARE Envelope containing the data that is authenticated.

ClientNonce

A nonce value used to prevent certain replay attacks.

PinId

Digest value binding the SaltedPin to the Account.

PinWitness

Witness value calculated as KDF (Device.UDF + AccountAddress, ClientNonce)

The device uses the PIN code and Action identifier corresponding to the desired request to calculate the SaltedPin value in the same manner as during registration. This value is then used to calculate the PinId and PinWitness values.

7.1.3. Validation

The PIN code is validated by performing the steps of:

  • Calculating the SaltedPin value from the PIN code and Action
  • Calculating PinId from SaltedPin and Account
  • Retrieving a MessagePin from the Administration spool with the MessageId PinId.
  • Calculating the PinWitness value from SaltedPin, ClientNonce and AuthenticatedData and checking this matches the value specified in the message.
  • Performing the requested action.
  • Posting a Complete message to the Administration Spool of the Account marking the PIN code as used.

This process can fail at multiple points resulting in different error results:

PinInvalid

No PIN code is specified, the Pin code indicates an unsupported algorithm or the calculated PinWitness does not match the one specified by the request.

PinUsed

The PIN code has been used previously.

PinExpired

The PIN code is no longer valid.

Note that in the case that an attempt is made to reuse a PIN, it is not automatically the case that the first use of the PIN was the one that was valid and only the second attempt was invalid. Implementations SHOULD alert the user to the attempted re-use so that this possibility can be considered and appropriate action taken.

Bob's client creates a PIN value and records it in his Local spool:

Missing example 40

The response from Alice's client is authenticated under the PIN:

Missing example 41

Bob's client can now check:

Some math here

7.2. Contact Exchange

The contact exchange transaction is used to support unilateral or mutual exchange of contact information. Contact exchange has three functions in the Mesh:

  • To exchange public key information to allow encryption of messages sent to and verification of signatures on messages sent from the contact subject.
  • To exchange contact information allowing use of other communication protocols (e.g. telephone, SMS, xmpp, SMTP, OpenPGP, S/MIME, etc).
  • To request that the recipient grant privileges to accept certain types of messages from the contact subject.

Registration of the subject's contact information in the Mesh Naming Service eliminates the need for the first of these functions but not the other two. To prevent abuse, every Mesh Message is subject to access control and a Mesh service will only accept a message from a sender if there is an entry in the Threshold Catalog of the account that expressly permits delivery of messages of the specified type that are authenticated by an authorized signature key.

7.2.1. Remote

The Remote Contact Exchange transaction consists of a sequence of MessageContact messages sent from the initiator to the responder, responder to the initiator, etc. While there is in principle no limit on the number of messages exchanged, most exchanges will be completed in three exchanges or less:

Initiator to Responder

Contains Initiator contact data without authentication context from the exchange.

Responder to Initiator (optional)

Contains Responder contact data authenticated under a PIN challenge presented in the previous message.

Initiator to Responder (optional)

Contains Initiator contact data authenticated under a PIN challenge presented in the previous message.

Each message provides the recipient with additional information which MAY motivate the recipient to provide additional contact information to the sender.

{
  "MessageContact":{
    "MessageId":"NACV-TW2M-ICI2-5VBJ-QKAS-44FO-BRIP",
    "Sender":"bob@example.com",
    "Recipient":"alice@example.com",
    "AuthenticatedData":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb250YWN0UGVy
  c29uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmVhd
  GVkIjogIjIwMjAtMTEtMDJUMTc6NDE6MzVaIn0"},
      "ewogICJDb250YWN0UGVyc29uIjogewogICAgIkFuY2hvcnMiOiBbewogICAg
  ICAgICJVZGYiOiAiTUQ3Ny1CTlBKLUVOWVgtVU5UWC1BT1VMLVNGVVYtRDNLSCIsC
  iAgICAgICAgIlZhbGlkYXRpb24iOiAiU2VsZiJ9XSwKICAgICJOZXR3b3JrQWRkcm
  Vzc2VzIjogW3sKICAgICAgICAiQWRkcmVzcyI6ICJib2JAZXhhbXBsZS5jb20iLAo
  gICAgICAgICJFbnZlbG9wZWRQcm9maWxlQWNjb3VudCI6IFt7CiAgICAgICAgICAg
  ICJFbnZlbG9wZUlEIjogIk1ENzctQk5QSi1FTllYLVVOVFgtQU9VTC1TRlVWLUQzS
  0giLAogICAgICAgICAgICAiZGlnIjogIlM1MTIiLAogICAgICAgICAgICAiQ29udG
  VudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpSQ0k2SUNKTlJEYzNMVUpPVUV
  vdFJVNVpXQzEKICBWVGxSWUxVRlBWVXd0VTBaVlZpMUVNMHRJSWl3S0lDQWlUV1Z6
  YzJGblpWUjVjR1VpT2lBaVVISnZabWxzWgogIFZWelpYSWlMQW9nSUNKamRIa2lPa
  UFpWVhCd2JHbGpZWFJwYjI0dmJXMXRMMjlpYW1WamRDSXNDaUFnSWtOCiAgeVpXRj
  BaV1FpT2lBaU1qQXlNQzB4TVMwd01sUXhOem8wTVRvek5Wb2lmUSJ9LAogICAgICA
  gICAgImV3b2dJQ0pRY205bWFXeGxWWE5sY2lJNklIc0tJQ0FnSUNKUWNtOW1hV3gK
  ICBsVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxRU56Y3RRa
  zVRU2kxRlRsbFlMVlZPVgogIEZndFFVOVZUQzFUUmxWV0xVUXpTMGdpTEFvZ0lDQW
  dJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzCiAgS0lDQWdJQ0FnSUNBaVV
  IVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaVIK
  ICBXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSkxXR1IyYXpSd
  1ozaEtMVTlWT0ZFdE5HbwogIHlNMWxpWDJOdlVXcEhYM0ozZWpGRmRrTklSRmRoWn
  pSYVpFaE9TVGRJYVdwQkNpQWdMWFZMWjFwTWMwczNhCiAgVlozUTBaWlNEVkVkREp
  vUzFWQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFFXUmtjbVZ6Y3lJNklDSmliMkoK
  ICBBWlhoaGJYQnNaUzVqYjIwaUxBb2dJQ0FnSWxObGNuWnBZMlZWWkdZaU9pQWlUV
  U16TXkxWFNsZEtMVWswTQogIDBFdFRrdENTeTFITWxVMUxVSlpSVmd0VGpOR1JpSX
  NDaUFnSUNBaVFXTmpiM1Z1ZEVWdVkzSjVjSFJwYjI0CiAgaU9pQjdDaUFnSUNBZ0l
  DSlZaR1lpT2lBaVRVRkdTQzFWUlZaUUxWbEpTRXN0TmxoTlR5MU1ORVpLTFVOWVIK
  ICBVRXRVRTFRUlNJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ
  2V3b2dJQ0FnSUNBZ0lDSgogIFFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSU
  NBZ0lDQWdJbU55ZGlJNklDSllORFE0SWl3S0lDQWdJCiAgQ0FnSUNBZ0lDSlFkV0p
  zYVdNaU9pQWljV3RvUnpSTFJuVXhaRWR6YkRCMWVrRTBWVmhVWDJKeE5ERm9UekoK
  ICBvVDJoTlgxOTZaRzAzYTNCVFMzVlhOVU16Y1hkb1J3b2dJRkJsYVdsUmEyTnJXR
  k5UUVVOM1NsZFBhV3cyWgogIDE5elFTSjlmWDBzQ2lBZ0lDQWlRV1J0YVc1cGMzUn
  lZWFJ2Y2xOcFoyNWhkSFZ5WlNJNklIc0tJQ0FnSUNBCiAgZ0lsVmtaaUk2SUNKTlJ
  EYzNMVUpPVUVvdFJVNVpXQzFWVGxSWUxVRlBWVXd0VTBaVlZpMUVNMHRJSWl3S0kK
  ICBDQWdJQ0FnSWxCMVlteHBZMUJoY21GdFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ
  0lsQjFZbXhwWTB0bGVVVgogIERSRWdpT2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySW
  pvZ0lrVmtORFE0SWl3S0lDQWdJQ0FnSUNBZ0lDSlFkCiAgV0pzYVdNaU9pQWlTMWh
  rZG1zMGNHZDRTaTFQVlRoUkxUUnFNak5aWWw5amIxRnFSMTl5ZDNveFJYWkRTRVIK
  ICBYWVdjMFdtUklUa2szU0dscVFRb2dJQzExUzJkYVRITkxOMmxXZDBOR1dVZzFSS
  FF5YUV0VlFTSjlmWDBzQwogIGlBZ0lDQWlRV05qYjNWdWRFRjFkR2hsYm5ScFkyRj
  BhVzl1SWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxCiAgRFFVY3RWVm8yV2kxV1R
  WWldMVkZLUlVrdE5WSlhRUzFhVlZGS0xVRlVObEVpTEFvZ0lDQWdJQ0FpVUhWaWIK
  ICBHbGpVR0Z5WVcxbGRHVnljeUk2SUhzS0lDQWdJQ0FnSUNBaVVIVmliR2xqUzJWN
  VJVTkVTQ0k2SUhzS0lDQQogIGdJQ0FnSUNBZ0lDSmpjbllpT2lBaVdEUTBPQ0lzQ2
  lBZ0lDQWdJQ0FnSUNBaVVIVmliR2xqSWpvZ0lrSlpWCiAgMFl6U21zMmNscENkblJ
  1YzBNNE1tSXllVXhJWW1OdFducE5aVjlvVXpoRmFteFdOV2RMTldsSGJFaHdRVzQK
  ICB4UTJZS0lDQkRaeTFGZVhSelVVdDVTbTFHWHpKcU5tNDJVa0l3U1VFaWZYMTlMQ
  W9nSUNBZ0lrRmpZMjkxYgogIG5SVGFXZHVZWFIxY21VaU9pQjdDaUFnSUNBZ0lDSl
  ZaR1lpT2lBaVRVRkhWUzFaUTB4SExWcFVTMUV0VFRkCiAgT1ZpMVhORmxVTFZjM1I
  wWXRRVkZTU1NJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2UK
  ICB3b2dJQ0FnSUNBZ0lDSlFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUNBZ
  0lDQWdJbU55ZGlJNklDSgogIEZaRFEwT0NJc0NpQWdJQ0FnSUNBZ0lDQWlVSFZpYk
  dsaklqb2dJaTFrWWxKcFdtOUhiVTQyTkVSNVpIRlpiCiAgbVZNVFd4VFEwZGZjbEJ
  XZFZaSFVWZFhTaTF0YldkRk5WVjZRa1pHUm1SSlZHb0tJQ0J0TWtkcFEyRkZNbloK
  ICA2U1cxSU1UQmFSVkI1VGtoblZVRWlmWDE5ZlgwIiwKICAgICAgICAgIHsKICAgI
  CAgICAgICAgInNpZ25hdHVyZXMiOiBbewogICAgICAgICAgICAgICAgImFsZyI6IC
  JTNTEyIiwKICAgICAgICAgICAgICAgICJraWQiOiAiTUQ3Ny1CTlBKLUVOWVgtVU5
  UWC1BT1VMLVNGVVYtRDNLSCIsCiAgICAgICAgICAgICAgICAic2lnbmF0dXJlIjog
  InZOWV9jc05Zdjg3N2Myb2VtVnQzZEJ4Y25rVUtiQWtuYi01Znpsand6SmxCUjF3T
  TcKICBlWFE4dUt6Qkdrb3EtZjRDcTlKWjktYUU1c0FwSkdMczFUNzhxR0lnUkJqRD
  QwdXA4YklYU0lCeldkOUZ3LQogIG8zMUdEako2Q2VSV3Y4WHZFSW5KMzU4LWJJVGd
  memlvcW5VX1czeVFBIn1dLAogICAgICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJi
  UG9RdmFQM1RWSklPcmdsREptSndHOWRoa09iT2JfS2ppTk9EY1lfREFvX0IKICBDZ
  Hhqd3V0ZDZhdnQwRVo0aVg1MS1heFR3OU1rNTJNYXJrN09vSi05USJ9XSwKICAgIC
  AgICAiUHJvdG9jb2xzIjogW3sKICAgICAgICAgICAgIlByb3RvY29sIjogIm1tbSJ
  9XX1dfX0",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MAGU-YCLG-ZTKQ-M7NV-W4YT-W7GF-AQRI",
            "signature":"vLoD6-skGReAhu-iuI5iXuiaoaOQTjR7SaBE8xhNJU
  J41ja1-qZY40lmCwqmiavCNRo35GSLk_wACI7SzVYU98GeLLJ0WdAVk3kHVS0fh1c
  UlrT7gU7HUWxnRXuLdbvBk66EKU8Ubn6xFaylAAniPTAA"}
          ],
        "PayloadDigest":"y5fPwfjsg64veJqRI5Zkc_ET2Jf3aYqIM_c5E4KxAg
  Dt0OBtJL-ARkhxi0aCZw32LXFqWTK_tDRBR4kKl4YYoQ"}
      ],
    "Reply":true,
    "Subject":"alice@example.com",
    "PIN":"AADY-YL2H-5LIT-6PDV-USRI-74XS-YVJA"}}

The Mesh Contact Exchange transaction does not provide for validation of the contact information beyond the binding to the Mesh Account Address used to perform the exchange.

7.2.2. PIN

Exchange of a PIN code out of band allows the initial MessageContact to be authenticated. This mode of authentication is particularly suited to in-person exchange of credentials where the PIN code and other information required to complete the transaction are passed by some means of short range communication such as Bluetooth or presentation of a QR code. In either case, the connection information is presented in the form of a URI combining the type of interaction (contact exchange), the contact address and the authentication data.

When they meet in person, Alice creates a pin code and presents it to Bob on her mobile.

QR code is yadda yaddda

The resulting contact exchange does not change the contact data itself but does change the valudation method. It is more difficult and riskier to falsify an in-person exchange than a remote one.

7.2.3. EARL

A MessageContact message MAY be published as an EARL. This allows contact data to be presented to the recipient on a printed document such as a business card in machine readable format such as a QR code.

Alice creates a contact and publishes it through her service.

QR code is yadda yaddda

7.3. Group Invitation

The GroupInvitation message is used to invite a recipient to join a Mesh Group. The message specifies the group name and the contact entry for the group. The contact entry includes the CapabilityDecryptServiced used to decrypt messages sent to the group when combined with information provided by the threshold service for the group.

Receipt of a GroupInvitation message does not require a response.

7.4. Confirmation

The confirmation transaction consists of a RequestConfirmation message from the initiator followed by a ResponseConfirmation from the responder.

The RequestConfirmation message specifies the action that is requested.

The ResponseConfirmation message contains the enveloped RequestConfirmation message signed by the initiator and the disposition of the responder, Accept = true if the request is accepted and Accept = false otherwise.

The service sends out the following challenge:

{
  "RequestConfirmation":{
    "MessageId":"NAII-QGL5-YARH-DJRY-VIBX-QPOE-RDZS",
    "Sender":"console@example.com",
    "Recipient":"alice@example.com",
    "Text":"start"}}

Alice accepts the challeng and returns the following response:

Missing example 43

8. Device Connection

Connection of a device to a Mesh Account combines synchronous and asynchronous elements and therefore uses a combination of Mesh Service Protocol and Mesh Messaging interactions.

Three connection mechanisms are currently defined. All three of which offer strong mutual authentication.

Device Authenticated

Pin Authenticated

EARL Connection Mode

The first two of these mechanisms are initiated from the device being connected which requires that the Mesh Service Account it is being connected to be entered into it. Use of these mechanisms thus requires keyboard and display affordances or accessibility equivalents.

The last mechanism is initiated from an administration device that is already connected to the account. It is intended for use in circumstances where the device being connected does not have the necessary affordances to allow the Device or PIN authenticated modes.

In either case, the connection request is completed by the device requesting synchronization with the Mesh Account using its device credential for authentication. If the connection request was accepted, the device will be provisioned with the Device Connection Assertion allowing it to complete the process.

The Device Connection Assertion includes an overlay device profile containing a set of private key contributions to be used to perform key cogeneration on the original set of device keys to create a new device profile to be used for all purposes associated with the Mesh Profile to which it has just been connected. This assures the user that the keys the device uses for performing operation in the context of their profile are not affected by any compromise that might have occurred during manufacture or at any point after up to the time it was connected to their profile.

8.1. Device Authenticated

The direct connection mechanism requires that both the administration device and the device originating the connection request have data entry and output affordances and that it is possible for the user to compare the authentication codes presented by the two devices to check that they are identical.

Missing example 44

The request payload:

{
  "ConnectRequest":{
    "EnvelopedRequestConnection":[{
        "EnvelopeID":"MDW7-EM2L-BHBZ-76DY-TLRJ-PYBG-MUL7",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJORDVCLVVINkgtT0tB
  RC1BM1o3LVJZWUwtN1NEQS02N1czIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWVzd
  ENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCi
  AgIkNyZWF0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOiAi
  TkQ1Qi1VSDZILU9LQUQtQTNaNy1SWVlMLTdTREEtNjdXMyIsCiAgICAiQXV0aGVud
  GljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlEIjogIk1DRUstTVlWUS
  1aSzNHLTdDRTQtWTVVVy1DS1Q0LUVGRTUiLAogICAgICAgICJkaWciOiAiUzUxMiI
  sCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKUkNJ
  NklDSk5RMFZMTFUxWlZsRXRXa3N6UnkwCiAgM1EwVTBMVmsxVlZjdFEwdFVOQzFGU
  mtVMUlpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxkbW
  xqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV04
  wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJd0xURXhMVEF5VkRFM09qUXhP
  ak15V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V3b
  2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNKVl
  pHWWlPaUFpVFVORlN5MU5XVlpSTFZwTE0wY3ROCiAgME5GTkMxWk5WVlhMVU5MVkR
  RdFJVWkZOU0lzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KICBn
  ZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0FnS
  UNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmliR2
  xqSWpvZ0ltWjFla1ZqYjI4NGMwdDNaR0ZLWVRkCiAgcVIzZGxiWEZJVkhCUmNHTmh
  RVGc0UzFCU01XZFlaR3gzTUdscWRVaEZNR2xEVEZZS0lDQjNVbUpIU1hGTE4KICBF
  dHVRbXh5TkRSVFpXcFZVazkwUjBFaWZYMTlMQW9nSUNBZ0lrSmhjMlZGYm1OeWVYQ
  jBhVzl1SWpvZ2V3bwogIGdJQ0FnSUNBaVZXUm1Jam9nSWsxQlRFc3RVbFpLTkMxTF
  ZrMVVMVkpOVFVRdFJUZElXUzFCUkZCR0xWZFJRCiAgMVlpTEFvZ0lDQWdJQ0FpVUh
  WaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzS0lDQWdJQ0FnSUNBaVVIVmliR2wKICBq
  UzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaVdEUTBPQ0lzQ
  2lBZ0lDQWdJQ0FnSQogIENBaVVIVmliR2xqSWpvZ0lsVjBhWHBmY1dJemVIQnhNWE
  JOVlRCcVVsUlhSbUY0VTIxRVRTMUpVRUk0VG1oCiAgUGVEWnhkekpMVXpkdVJXTnJ
  MVXg1UjFnS0lDQnFPVzB3WmxvelJYSkpXVFZ6VjJwR1NtRjZOeTEyTmtFaWYKICBY
  MTlMQW9nSUNBZ0lrSmhjMlZCZFhSb1pXNTBhV05oZEdsdmJpSTZJSHNLSUNBZ0lDQ
  WdJbFZrWmlJNklDSgogIE5RMU5hTFV4VlExTXRXamREUlMxRE1rTkxMVU5hTjFndF
  QxTTJXUzFKVlZJM0lpd0tJQ0FnSUNBZ0lsQjFZCiAgbXhwWTFCaGNtRnRaWFJsY25
  NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cFkwdGxlVVZEUkVnaU9pQjdDaUEKICBn
  SUNBZ0lDQWdJQ0FpWTNKMklqb2dJbGcwTkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxW
  W14cFl5STZJQ0ptTwogIFV0SU0xa3hjRnBRUldSVlpuUnBObU4xVEVSZmNVMWFRa3
  hPVGpsWVMyTlhZM1IyTUdnMFIycEpVWFJmVEVSCiAgUVNEVXRDaUFnU2twWGVISnR
  RMDk0ZDNOVlpIVnZkVFJQYmpKa1IzRkJJbjE5ZlN3S0lDQWdJQ0pDWVhObFUKICAy
  bG5ibUYwZFhKbElqb2dld29nSUNBZ0lDQWlWV1JtSWpvZ0lrMUNTVk10VkRNMFRTM
  URVbFF5TFRVeU5FVQogIHRUME5GVEMwMlZWRTJMVkpQTTBraUxBb2dJQ0FnSUNBaV
  VIVmliR2xqVUdGeVlXMWxkR1Z5Y3lJNklIc0tJCiAgQ0FnSUNBZ0lDQWlVSFZpYkd
  salMyVjVSVU5FU0NJNklIc0tJQ0FnSUNBZ0lDQWdJQ0pqY25ZaU9pQWlSV1EKICAw
  TkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxWW14cFl5STZJQ0pXYW5sbGVURjBaVEJoY
  1ROQlRqVlVORGRNVgogIGxvdE0xbFFhRW96ZDI4NWFreGplbE5PWVhkcldGUlNRbk
  5ZVjNSUmMxTmpDaUFnTlhsb2MwWmFNVTlOWjAxCiAgb09YQnllRVpFVVRsd1dWVkJ
  JbjE5ZlgxOSIsCiAgICAgIHsKICAgICAgICAic2lnbmF0dXJlcyI6IFt7CiAgICAg
  ICAgICAgICJhbGciOiAiUzUxMiIsCiAgICAgICAgICAgICJraWQiOiAiTUNFSy1NW
  VZRLVpLM0ctN0NFNC1ZNVVXLUNLVDQtRUZFNSIsCiAgICAgICAgICAgICJzaWduYX
  R1cmUiOiAiQ2NhWDYzTzZDd0E3ZXhTTVo0T2YtUE5kTTNTQ0lyN0otM1hNVWZfQXF
  NMmdKTldyeQogIHBfM012MzJ2dlFXUHhHcVUwZmdMUVVSc0xvQUFzT2ZaVUNtZ25D
  YXlBbTRFdDZtcFZDZjFEUl9OSkpfSS1kCiAgNHozRUFoemtwUmV1YTdkY203c1lQN
  HlJVDk3V05jUGhUaE92TmZ4d0EifV0sCiAgICAgICAgIlBheWxvYWREaWdlc3QiOi
  AiZldPZEFkWGZlRWl5ZEEteG4tZkNWSlJXcW04UmkyUUgzbUIyWHdUTkN4amMzCiA
  gVWh3OHlhWnVLYkRZQTBnZkZfVHdrMi1HQ3NldFBLc3ZnWmVuUEFzb1EifV0sCiAg
  ICAiQ2xpZW50Tm9uY2UiOiAiaEUxeFlzMVBGQjYzMzhGTEt0WlhMQSIsCiAgICAiQ
  WNjb3VudEFkZHJlc3MiOiAiYWxpY2VAZXhhbXBsZS5jb20ifX0"
      ]}}
Missing example 45

The response payload:

{
  "ConnectResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAcknowledgeConnection":[{
        "EnvelopeID":"MDVL-XLOH-2F52-7QOD-OPC2-7MGO-FFAS",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJSUkhLLTI3UFEtWEpY
  TS1BSkQ1LTVZNjctREpaWi1LRUNIIiwKICAiTWVzc2FnZVR5cGUiOiAiQWNrbm93b
  GVkZ2VDb25uZWN0aW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3
  QiLAogICJDcmVhdGVkIjogIjIwMjAtMTEtMDJUMTc6NDE6MzJaIn0",
        "ContainerInfo":{
          "Index":1,
          "TreePosition":0},
        "Received":"2020-11-02T17:41:32Z"},
      "ewogICJBY2tub3dsZWRnZUNvbm5lY3Rpb24iOiB7CiAgICAiTWVzc2FnZUlk
  IjogIlJSSEstMjdQUS1YSlhNLUFKRDUtNVk2Ny1ESlpaLUtFQ0giLAogICAgIkVud
  mVsb3BlZFJlcXVlc3RDb25uZWN0aW9uIjogW3sKICAgICAgICAiRW52ZWxvcGVJRC
  I6ICJNRFc3LUVNMkwtQkhCWi03NkRZLVRMUkotUFlCRy1NVUw3IiwKICAgICAgICA
  iQ29udGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpSQ0k2SUNKT1JEVkNM
  VlZJTmtndFQwdEJSQzEKICBCTTFvM0xWSlpXVXd0TjFORVFTMDJOMWN6SWl3S0lDQ
  WlUV1Z6YzJGblpWUjVjR1VpT2lBaVVtVnhkV1Z6ZAogIEVOdmJtNWxZM1JwYjI0aU
  xBb2dJQ0pqZEhraU9pQWlZWEJ3YkdsallYUnBiMjR2YlcxdEwyOWlhbVZqZENJCiA
  gc0NpQWdJa055WldGMFpXUWlPaUFpTWpBeU1DMHhNUzB3TWxReE56bzBNVG96TWxv
  aWZRIn0sCiAgICAgICJld29nSUNKU1pYRjFaWE4wUTI5dWJtVmpkR2x2YmlJNklIc
  0tJQ0FnSUNKCiAgTlpYTnpZV2RsU1dRaU9pQWlUa1ExUWkxVlNEWklMVTlMUVVRdF
  FUTmFOeTFTV1ZsTUxUZFRSRUV0TmpkWE0KICB5SXNDaUFnSUNBaVFYVjBhR1Z1ZEd
  sallYUmxaRVJoZEdFaU9pQmJld29nSUNBZ0lDQWdJQ0pGYm5abGJHOQogIHdaVWxF
  SWpvZ0lrMURSVXN0VFZsV1VTMWFTek5ITFRkRFJUUXRXVFZWVnkxRFMxUTBMVVZHU
  lRVaUxBb2dJCiAgQ0FnSUNBZ0lDSmthV2NpT2lBaVV6VXhNaUlzQ2lBZ0lDQWdJQ0
  FnSWtOdmJuUmxiblJOWlhSaFJHRjBZU0kKICA2SUNKbGQyOW5TVU5LVm1KdGJIaGt
  WMVpLVWtOSk5rbERTazVSTUZaTVRGVXhXbFpzUlhSWGEzTjZVbmt3QwogIGlBZ00x
  RXdWVEJNVm1zeFZsWmpkRkV3ZEZWT1F6RkdVbXRWTVVscGQwdEpRMEZwVkZkV2VtT
  XlSbTVhVmxJCiAgMVkwZFZhVTlwUVdsVlNFcDJXbTFzYzFvS0lDQlZVbXhrYld4cV
  dsTkpjME5wUVdkSmJVNHdaVk5KTmtsRFMKICBtaGpTRUp6WVZkT2FHUkhiSFppYVR
  sMFlsY3dkbUl5U25GYVYwNHdTV2wzUzBsRFFRb2dJR2xSTTBwc1dWaAogIFNiRnBE
  U1RaSlEwbDVUVVJKZDB4VVJYaE1WRUY1VmtSRk0wOXFVWGhQYWsxNVYybEtPU0o5T
  EFvZ0lDQWdJCiAgQ0FpWlhkdlowbERTbEZqYlRsdFlWZDRiRkpIVmpKaFYwNXNTV3
  B2WjJWM2IyZEpRMEZuU1d4Q2VXSXlXZ28KICBnSUhCaVIxWlVZVmRrZFZsWVVqRmp
  iVlZwVDJsQ04wTnBRV2RKUTBGblNVTktWbHBIV1dsUGFVRnBWRlZPUgogIGxONU1V
  NVhWbHBTVEZad1RFMHdZM1JPQ2lBZ01FNUdUa014V2s1V1ZsaE1WVTVNVmtSUmRGS
  lZXa1pPVTBsCiAgelEybEJaMGxEUVdkSlEwcFJaRmRLYzJGWFRsRlpXRXBvWWxkV0
  1GcFlTbnBKYW04S0lDQm5aWGR2WjBsRFEKICBXZEpRMEZuU1VOS1VXUlhTbk5oVjA
  1TVdsaHNSbEV3VWtsSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbAogIHRUbmxr
  YVVrMlNRb2dJRU5LUmxwRVVUQlBRMGx6UTJsQlowbERRV2RKUTBGblNVTkJhVlZJV
  m1saVIyeHFTCiAgV3B2WjBsdFdqRmxhMVpxWWpJNE5HTXdkRE5hUjBaTFdWUmtDaU
  FnY1ZJelpHeGlXRVpKVmtoQ1VtTkhUbWgKICBSVkdjMFV6RkNVMDFYWkZsYVIzZ3p
  UVWRzY1dSVmFFWk5SMnhFVkVaWlMwbERRak5WYlVwSVUxaEdURTRLSQogIENCRmRI
  VlJiWGg1VGtSU1ZGcFhjRlpWYXprd1VqQkZhV1pZTVRsTVFXOW5TVU5CWjBsclNta
  GpNbFpHWW0xCiAgT2VXVllRakJoVnpsMVNXcHZaMlYzYndvZ0lHZEpRMEZuU1VOQm
  FWWlhVbTFKYW05blNXc3hRbFJGYzNSVmIKICBGcExUa014VEZack1WVk1Wa3BPVkZ
  WUmRGSlVaRWxYVXpGQ1VrWkNSMHhXWkZKUkNpQWdNVmxwVEVGdlowbAogIERRV2RK
  UTBGcFZVaFdhV0pIYkdwVlIwWjVXVmN4YkdSSFZubGplVWsyU1VoelMwbERRV2RKU
  TBGblNVTkJhCiAgVlZJVm1saVIyd0tJQ0JxVXpKV05WSlZUa1ZUUTBrMlNVaHpTMG
  xEUVdkSlEwRm5TVU5CWjBsRFNtcGpibGwKICBwVDJsQmFWZEVVVEJQUTBselEybEJ
  aMGxEUVdkSlEwRm5TUW9nSUVOQmFWVklWbWxpUjJ4cVNXcHZaMGxzVgogIGpCaFdI
  Qm1ZMWRKZW1WSVFuaE5XRUpPVmxSQ2NWVnNVbGhTYlVZMFZUSXhSVlJUTVVwVlJVa
  zBWRzFvQ2lBCiAgZ1VHVkVXbmhrZWtwTVZYcGtkVkpYVG5KTVZYZzFVakZuUzBsRF
  FuRlBWekIzV214dmVsSllTa3BYVkZaNlYKICBqSndSMU50UmpaT2VURXlUbXRGYVd
  ZS0lDQllNVGxNUVc5blNVTkJaMGxyU21oak1sWkNaRmhTYjFwWE5UQgogIGhWMDVv
  WkVkc2RtSnBTVFpKU0hOTFNVTkJaMGxEUVdkSmJGWnJXbWxKTmtsRFNnb2dJRTVST
  VU1aFRGVjRWCiAgbEV4VFhSWGFtUkVVbE14UkUxclRreE1WVTVoVGpGbmRGUXhUVE
  pYVXpGS1ZsWkpNMGxwZDB0SlEwRm5TVU4KICBCWjBsc1FqRlpDaUFnYlhod1dURkN
  hR050Um5SYVdGSnNZMjVOYVU5cFFqZERhVUZuU1VOQlowbERRV2RKYgogIEVJeFdX
  MTRjRmt3ZEd4bFZWWkVVa1ZuYVU5cFFqZERhVUVLSUNCblNVTkJaMGxEUVdkSlEwR
  nBXVE5LTWtsCiAgcWIyZEpiR2N3VGtSbmFVeEJiMmRKUTBGblNVTkJaMGxEUVdkSm
  JFSXhXVzE0Y0ZsNVNUWkpRMHB0VHdvZ0kKICBGVjBTVTB4YTNoalJuQlJVbGRTVmx
  wdVVuQk9iVTR4VkVWU1ptTlZNV0ZSYTNoUFZHcHNXVk15VGxoWk0xSQogIHlUVWRu
  TUZJeWNFcFZXRkptVkVWU0NpQWdVVk5FVlhSRGFVRm5VMnR3V0dWSVNuUlJNRGswW
  kROT1ZscElWCiAgblprVkZKUVltcEthMUl6UmtKSmJqRTVabE4zUzBsRFFXZEpRMH
  BEV1ZoT2JGVUtJQ0F5Ykc1aWJVWXdaRmgKICBLYkVscWIyZGxkMjluU1VOQlowbER
  RV2xXVjFKdFNXcHZaMGxyTVVOVFZrMTBWa1JOTUZSVE1VUlZiRkY1VAogIEZSVmVV
  NUZWUW9nSUhSVU1FNUdWRU13TWxaV1JUSk1Wa3BRVFRCcmFVeEJiMmRKUTBGblNVT
  kJhVlZJVm1sCiAgaVIyeHFWVWRHZVZsWE1XeGtSMVo1WTNsSk5rbEljMHRKQ2lBZ1
  EwRm5TVU5CWjBsRFFXbFZTRlpwWWtkc2EKICBsTXlWalZTVlU1RlUwTkpOa2xJYzB
  0SlEwRm5TVU5CWjBsRFFXZEpRMHBxWTI1WmFVOXBRV2xTVjFFS0lDQQogIHdUa1Ju
  YVV4QmIyZEpRMEZuU1VOQlowbERRV2RKYkVJeFdXMTRjRmw1U1RaSlEwcFhZVzVzY
  kdWVVJqQmFWCiAgRUpvWTFST1FsUnFWbFZPUkdSTlZnb2dJR3h2ZEUweGJGRmhSVz
  k2WkRJNE5XRnJlR3BsYkU1UFdWaGtjbGQKICBHVWxOUmJrNVpWak5TVW1NeFRtcER
  hVUZuVGxoc2IyTXdXbUZOVlRsT1dqQXhDaUFnYjA5WVFubGxSVnBGVgogIFZSc2Qx
  ZFdWa0pKYmpFNVpsZ3hPU0lzQ2lBZ0lDQWdJSHNLSUNBZ0lDQWdJQ0FpYzJsbmJtR
  jBkWEpsY3lJCiAgNklGdDdDaUFnSUNBZ0lDQWdJQ0FnSUNKaGJHY2lPaUFpVXpVeE
  1pSXNDaUFnSUNBZ0lDQWdJQ0FnSUNKcmEKICBXUWlPaUFpVFVORlN5MU5XVlpSTFZ
  wTE0wY3ROME5GTkMxWk5WVlhMVU5MVkRRdFJVWkZOU0lzQ2lBZ0lDQQogIGdJQ0Fn
  SUNBZ0lDSnphV2R1WVhSMWNtVWlPaUFpUTJOaFdEWXpUelpEZDBFM1pYaFRUVm8wV
  DJZdFVFNWtUCiAgVE5UUTBseU4wb3RNMWhOVldaZlFYRk5NbWRLVGxkeWVRb2dJSE
  JmTTAxMk16SjJkbEZYVUhoSGNWVXdabWQKICBNVVZWU2MweHZRVUZ6VDJaYVZVTnR
  aMjVEWVhsQmJUUkZkRFp0Y0ZaRFpqRkVVbDlPU2twZlNTMWtDaUFnTgogIEhvelJV
  Rm9lbXR3VW1WMVlUZGtZMjAzYzFsUU5IbEpWRGszVjA1alVHaFVhRTkyVG1aNGQwR
  WlmVjBzQ2lBCiAgZ0lDQWdJQ0FnSWxCaGVXeHZZV1JFYVdkbGMzUWlPaUFpWmxkUF
  pFRmtXR1psUldsNVpFRXRlRzR0WmtOV1MKICBsSlhjVzA0VW1reVVVZ3piVUl5V0h
  kVVRrTjRhbU16Q2lBZ1ZXaDNPSGxoV25WTFlrUlpRVEJuWmtaZlZIZAogIHJNaTFI
  UTNObGRGQkxjM1puV21WdVVFRnpiMUVpZlYwc0NpQWdJQ0FpUTJ4cFpXNTBUbTl1W
  TJVaU9pQWlhCiAgRVV4ZUZsek1WQkdRall6TXpoR1RFdDBXbGhNUVNJc0NpQWdJQ0
  FpUVdOamIzVnVkRUZrWkhKbGMzTWlPaUEKICBpWVd4cFkyVkFaWGhoYlhCc1pTNWp
  iMjBpZlgwIl0sCiAgICAiU2VydmVyTm9uY2UiOiAiVGw0NXozMkN2OFZzVTByMTA2
  b2xNdyIsCiAgICAiV2l0bmVzcyI6ICJSUkhLLTI3UFEtWEpYTS1BSkQ1LTVZNjctR
  EpaWi1LRUNIIn19",
      {}
      ],
    "EnvelopedProfileAccount":[{
        "EnvelopeID":"MCVI-2KFD-AQTG-FX4N-O4RN-5OIS-BH5E",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJRCI6ICJNQ1ZJLTJLRkQtQVFU
  Ry1GWDROLU80Uk4tNU9JUy1CSDVFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZ
  VVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZW
  F0ZWQiOiAiMjAyMC0xMS0wMlQxNzo0MTozMloifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIjog
  ewogICAgICAiVWRmIjogIk1DVkktMktGRC1BUVRHLUZYNE4tTzRSTi01T0lTLUJIN
  UUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2
  V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICI4dUZ1TmhjRHFhZXROVVY5S01YWnRHcXlQMWl1WWVYTE5uOVBDamR3
  dHVoZVFVcWJmblhGCiAgSXIzX2lxamt5SUw4VEcyS2JtcWZ2TUlBIn19fSwKICAgI
  CJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vydm
  ljZVVkZiI6ICJNQzMzLVdKV0otSTQzQS1OS0JLLUcyVTUtQllFWC1OM0ZGIiwKICA
  gICJBY2NvdW50RW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNRFlELUFEWlQt
  Q1JKRy1IT0lELUhHSUctQ0tMNC03TTJUIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlc
  nMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2Ij
  ogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJLelBFajNGOGpwc0lkLUpzV3F
  1SnktLTUydnRKLWFnNEtlVXdrZDhIeVpDeUNGc0gxYk5nCiAgR0xIUlJrN0ZkMzI0
  Q1d3N0dHUnJHRkdBIn19fSwKICAgICJBZG1pbmlzdHJhdG9yU2lnbmF0dXJlIjoge
  wogICAgICAiVWRmIjogIk1DVkktMktGRC1BUVRHLUZYNE4tTzRSTi01T0lTLUJINU
  UiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V
  5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1
  YmxpYyI6ICI4dUZ1TmhjRHFhZXROVVY5S01YWnRHcXlQMWl1WWVYTE5uOVBDamR3d
  HVoZVFVcWJmblhGCiAgSXIzX2lxamt5SUw4VEcyS2JtcWZ2TUlBIn19fSwKICAgIC
  JBY2NvdW50QXV0aGVudGljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTUFINS1GVFd
  QLTRDNEgtSU9EUS1KV1lJLUhJS1QtQVJPViIsCiAgICAgICJQdWJsaWNQYXJhbWV0
  ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNyd
  iI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiandZdWpLeTQ1Um1rTmNKan
  U1R0EzazdVRGRyem5xb1lrOGhFS2hZOV9zd1F4NnpTSE43SgogIDBLZjB6SENzOE9
  rMG5QMXRnQXRVdFBDQSJ9fX0sCiAgICAiQWNjb3VudFNpZ25hdHVyZSI6IHsKICAg
  ICAgIlVkZiI6ICJNQ1FDLU1EWlItM0hDTC1TVklVLTUzUU0tQlQ0RC1LN0ZFIiwKI
  CAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDRE
  giOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQdWJsaWM
  iOiAiYlhwa1F4UFBNbTE4UVBvN0JTSnk5alVEeHd6VW9hTnhVYnZMZ2V5SHpTTmRP
  SUFzbDZlOAogIDRaV0xIOE15VWVDLWVuSnBZMVUwRzJVQSJ9fX19fQ",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MCVI-2KFD-AQTG-FX4N-O4RN-5OIS-BH5E",
            "signature":"NAOTClRNF51SazbgbIJAdlLx8r4qwXSHr4rdeql-sw
  9fIb5fDsmW4jbG-DiKP0S5x8ax1Z6ao6sAYrjGGXrFFRFfgAB2lhC823Pu9uox30d
  vTIS0JSLM_IxOg9khTPLCBr22HUBhyyksvHMqH6zwwwwA"}
          ],
        "PayloadDigest":"CPW9V4gBCAv-rH-EkTtX8aOXZH4nJFkqSZtw84c94_
  FDWL-aetsptBePjOYqttZxnz7VP6KpnXSUfaqvGC9J2Q"}
      ]}}

Alice reads her pending messages, notes that the witness value matches the one displayed earlier and approves the connection request.

Missing example 46

This is then fetched...

8.2. PIN Authenticated

The PIN Connection mechanism is similar to the Direct connection mechanism except that the process is initiated on an administration device by requesting assignment of a new authentication PIN. The PIN is then input to the connecting device to authenticate the request.

{
  "MessagePin":{
    "MessageId":"ADL6-WU4C-QQPP-XQKR-IFLJ-GVS4-DGW3",
    "Account":"alice@example.com",
    "Expires":"2020-11-03T17:41:37Z",
    "Automatic":true,
    "SaltedPin":"AAEF-6MYB-TTAO-4OQG-APVQ-XNCI-NFRZ",
    "Action":"Device"}}

8.3. EARL connection mode

The EARL/QR code connection mechanisms are used to connect a constrained device to a Mesh profile by means of an Encrypted Authenticated Resource Locator, typically presented as a QR code on the device itself or its packaging.

[To be specified]

9. Protocol Schema

HTTP Well Known Service Prefix: /.well-known/mmm

Every Mesh Portal Service transaction consists of exactly one request followed by exactly one response. Mesh Service transactions MAY cause modification of the data stored in the Mesh Service or the Mesh itself but do not cause changes to the connection state. The protocol itself is thus idempotent. There is no set sequence in which operations are required to be performed. It is not necessary to perform a Hello transaction prior to any other transaction.

9.1. Request Messages

A Mesh Portal Service request consists of a payload object that inherits from the MeshRequest class. When using the HTTP binding, the request MUST specify the portal DNS address in the HTTP Host field.

9.1.1. Message: MeshRequest

Base class for all request messages.

[No fields]

9.1.2. Message: MeshRequestUser

Base class for all request messages made by a user.

Inherits: MeshRequest
Account: String (Optional)

The fully qualified account name (including DNS address) to which the request is directed.

EnvelopedProfileDevice: Enveloped (Optional)

Device profile of the device making the request.

9.2. Response Messages

A Mesh Portal Service response consists of a payload object that inherits from the MeshResponse class. When using the HTTP binding, the response SHOULD report the Status response code in the HTTP response message. However the response code returned in the payload object MUST always be considered authoritative.

9.2.1. Message: MeshResponse

Base class for all response messages. Contains only the status code and status description fields.

[No fields]

9.3. Imported Objects

The Mesh Service protocol makes use of JSON objects defined in the JOSE Signatgure and Encryption specifications and in the DARE Data At Rest Encryption extensions to JOSE.

9.4. Common Structures

The following common structures are used in the protocol messages:

9.4.1. Structure: KeyValue

Describes a Key/Value structure used to make queries for records matching one or more selection criteria.

Key: String (Optional)

The data retrieval key.

Value: String (Optional)

The data value to match.

9.4.2. Structure: ConstraintsSelect

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

Container: String (Optional)

The container to be searched.

IndexMin: Integer (Optional)

Only return objects with an index value that is equal to or higher than the value specified.

IndexMax: Integer (Optional)

Only return objects with an index value that is equal to or lower than the value specified.

NotBefore: DateTime (Optional)

Only data published on or after the specified time instant is requested.

Before: DateTime (Optional)

Only data published before the specified time instant is requested. This excludes data published at the specified time instant.

PageKey: String (Optional)

Specifies a page key returned in a previous search operation in which the number of responses exceeded the specified bounds.

When a page key is specified, all the other search parameters except for MaxEntries and MaxBytes are ignored and the service returns the next set of data responding to the earlier query.

9.4.3. Structure: ConstraintsData

Specifies constraints on the data to be sent.

MaxEntries: Integer (Optional)

Maximum number of entries to send.

BytesOffset: Integer (Optional)

Specifies an offset to be applied to the payload data before it is sent. This allows large payloads to be transferred incrementally.

BytesMax: Integer (Optional)

Maximum number of payload bytes to send.

Header: Boolean (Optional)

Return the entry header

Payload: Boolean (Optional)

Return the entry payload

Trailer: Boolean (Optional)

Return the entry trailer

9.4.4. Structure: PolicyAccount

Describes the account creation policy including constraints on account names, whether there is an open account creation policy, etc.

Minimum: Integer (Optional)

Specifies the minimum length of an account name.

Maximum: Integer (Optional)

Specifies the maximum length of an account name.

InvalidCharacters: String (Optional)

A list of characters that the service does not accept in account names. The list of characters MAY not be exhaustive but SHOULD include any illegal characters in the proposed account name.

9.4.5. Structure: ContainerStatus

Container: String (Optional)
Index: Integer (Optional)
Digest: Binary (Optional)

9.4.6. Structure: ContainerUpdate

Inherits: ContainerStatus
Envelopes: DareEnvelope [0..Many]

The entries to be uploaded.

9.5. Transaction: Hello

Request: HelloRequest
Response: MeshHelloResponse

Report service and version information.

The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.

The PostConstraints field MAY be used to advise senders of a maximum size of payload that MAY be sent in an initial Post request.

9.5.1. Message: MeshHelloResponse

ConstraintsUpdate: ConstraintsData (Optional)

Specifies the default data constraints for updates.

ConstraintsPost: ConstraintsData (Optional)

Specifies the default data constraints for message senders.

PolicyAccount: PolicyAccount (Optional)

Specifies the account creation policy

EnvelopedProfileService: Enveloped (Optional)

The enveloped master profile of the service.

EnvelopedProfileHost: Enveloped (Optional)

The enveloped profile of the host.

9.6. Transaction: BindAccount

Request: BindRequest
Response: BindResponse

Request creation of a new service account or group.

Attempt

9.6.1. Message: BindRequest

Request binding of an account to a service address.

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account to bind to.

EnvelopedProfileAccount: Enveloped (Optional)

The signed assertion describing the account.

9.6.2. Message: BindResponse

Inherits: MeshResponse

Reports the success or failure of a Create transaction.

Reason: String (Optional)

Text explaining the status of the creation request.

URL: String (Optional)

A URL to which the user is directed to complete the account creation request.

9.7. Transaction: UnbindAccount

Request: UnbindRequest
Response: UnbindResponse

Request deletion of a service account.

9.7.1. Message: UnbindRequest

Request creation of a new portal account. The request specifies the requested account identifier and the Mesh profile to be associated with the account.

Inherits: MeshRequestUser

[No fields]

9.7.2. Message: UnbindResponse

Inherits: MeshResponse

Reports the success or failure of a Delete transaction.

[No fields]

9.8. Transaction: Connect

Request: ConnectRequest
Response: ConnectResponse

Request information necessary to begin making a connection request.

9.8.1. Message: ConnectRequest

Inherits: MeshRequest
EnvelopedRequestConnection: Enveloped (Optional)

The connection request generated by the client

Rights: String [0..Many]

List of named access rights.

9.8.2. Message: ConnectResponse

Inherits: MeshResponse
EnvelopedAcknowledgeConnection: Enveloped (Optional)

The connection request generated by the client

EnvelopedProfileAccount: Enveloped (Optional)

The user profile that provides the root of trust for this Mesh

9.9. Transaction: Complete

Request: CompleteRequest
Response: CompleteResponse

9.9.1. Message: CompleteRequest

Inherits: StatusRequest
AccountAddress: String (Optional)
ResponseID: String (Optional)

9.9.2. Message: CompleteResponse

Inherits: MeshResponse
EnvelopedRespondConnection: Enveloped (Optional)

The signed assertion describing the result of the connect request

9.10. Transaction: Status

Request: StatusRequest
Response: StatusResponse

9.10.1. Message: StatusRequest

Inherits: MeshRequestUser
DeviceUDF: String (Optional)
ProfileMasterDigest: Binary (Optional)
Catalogs: String [0..Many]
Spools: String [0..Many]

9.10.2. Message: StatusResponse

Inherits: MeshResponse
EnvelopedProfileAccount: Enveloped (Optional)

The account profile providing the root of trust for this account.

EnvelopedCatalogedDevice: Enveloped (Optional)

The catalog device entry

ContainerStatus: ContainerStatus [0..Many]

9.11. Transaction: Download

Request: DownloadRequest
Response: DownloadResponse

Request objects from the specified container with the specified search criteria.

9.11.1. Message: DownloadRequest

Inherits: MeshRequestUser

Request objects from the specified container(s).

A client MAY request only objects matching specified search criteria be returned and MAY request that only specific fields or parts of the payload be returned.

Select: ConstraintsSelect [0..Many]

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

ConstraintsPost: ConstraintsData (Optional)

Specifies the data constraints to be applied to the responses.

9.11.2. Message: DownloadResponse

Inherits: MeshResponse

Return the set of objects requested.

Services SHOULD NOT return a response that is disproportionately large relative to the speed of the network connection without a clear indication from the client that it is relevant. A service MAY limit the number of objects returned. A service MAY limit the scope of each response.

Updates: ContainerUpdate [0..Many]

The updated data

9.12. Transaction: Transact

Request: TransactRequest
Response: TransactResponse

Attempt an atomic transaction on the containers and spools associated with an account.

9.12.1. Message: TransactRequest

Inherits: MeshRequestUser

Upload entries to a container. This request is only valid if it is issued by the owner of the account

Updates: ContainerUpdate [0..Many]

The data to be updated

Accounts: String [0..Many]

The account(s) to which the request is directed.

Outbound: Enveloped [0..Many]

The messages to be sent to other accounts

Inbound: Enveloped [0..Many]

Messages to be appended to the user's inbound spool. this is typically used to post notifications to the user to mark messages as having been read or responded to.

Local: Enveloped [0..Many]

Messages to be appended to the user's local spool. This is used to allow connecting devices to collect activation messages before they have connected to the mesh.

9.12.2. Message: TransactResponse

Inherits: MeshResponse

Response to an upload request.

Entries: EntryResponse [0..Many]

The responses to the entries.

ConstraintsData: ConstraintsData (Optional)

If the upload request contains redacted entries, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

9.12.3. Structure: EntryResponse

IndexRequest: Integer (Optional)

The index value of the entry in the request.

IndexContainer: Integer (Optional)

The index value assigned to the entry in the container.

Result: String (Optional)

Specifies the result of attempting to add the entry to a catalog or spool. Valid values for a message are 'Accept', 'Reject'. Valid values for an entry are 'Accept', 'Reject' and 'Conflict'.

ConstraintsData: ConstraintsData (Optional)

If the entry was redacted, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

9.13. Transaction: Post

Request: PostRequest
Response: PostResponse

Request to post to a spool from an external party. The request and response messages are extensions of the corresponding messages for the Upload transaction. It is expected that additional fields will be added as the need arises.

9.13.1. Message: PostRequest

Inherits: MeshRequest
Accounts: String [0..Many]

The account(s) to which the request is directed.

Messages: Enveloped [0..Many]

The messages to be sent to the addresses specified in Accounts.

9.13.2. Message: PostResponse

Inherits: TransactResponse

[No fields]

9.14. Transaction: Claim

Request: ClaimRequest
Response: ClaimResponse

Claim a publication

9.14.1. Message: ClaimRequest

Inherits: MeshRequest
EnvelopedMessageClaim: Enveloped (Optional)

The claim message

9.14.2. Message: ClaimResponse

Inherits: MeshResponse
CatalogedPublication: CatalogedPublication (Optional)

The encrypted device profile

9.15. Transaction: PollClaim

Request: PollClaimRequest
Response: PollClaimResponse

Check party making claim

9.15.1. Message: PollClaimRequest

Inherits: MeshRequest
PublicationId: String (Optional)

The envelope identifier formed from the PublicationId.

TargetAccountAddress: String (Optional)

Account to which the claim is directed

9.15.2. Message: PollClaimResponse

Inherits: MeshResponse
EnvelopedMessage: Enveloped (Optional)

The claim message

9.15.3. Structure: CryptographicOperation

KeyId: String (Optional)

The key identifier

KeyCoefficient: Binary (Optional)

Lagrange coefficient multiplier to be applied to the private key

9.15.4. Structure: CryptographicOperationSign

Inherits: CryptographicOperation
Data: Binary (Optional)

The data to sign

PartialR: Binary (Optional)

Contribution to the R offset.

9.15.5. Structure: CryptographicOperationKeyAgreement

Inherits: CryptographicOperation

[No fields]

9.15.6. Structure: CryptographicOperationGenerate

Inherits: CryptographicOperation

[No fields]

9.15.7. Structure: CryptographicOperationShare

Inherits: CryptographicOperation
Threshold: Integer (Optional)
Shares: Integer (Optional)

9.15.8. Structure: CryptographicResult

Error: String (Optional)

9.15.9. Structure: CryptographicResultKeyAgreement

Inherits: CryptographicResult

[No fields]

9.15.10. Structure: CryptographicResultShare

Inherits: CryptographicResult

[No fields]

9.16. Transaction: Operate

Request: OperateRequest
Response: OperateResponse

Perform a set of cryptographic operations

9.16.1. Message: OperateRequest

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account the capability is bound to

9.16.2. Message: OperateResponse

Inherits: MeshResponse

[No fields]

10. Security Considerations

The security considerations for use and implementation of Mesh services and applications are described in the Mesh Security Considerations guide [draft-hallambaker-mesh-security].

11. IANA Considerations

All the IANA considerations for the Mesh documents are specified in this document

12. Acknowledgements

A list of people who have contributed to the design of the Mesh is presented in [draft-hallambaker-mesh-architecture].

13. Normative References

[draft-hallambaker-mesh-architecture]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part I: Architecture Guide", Work in Progress, Internet-Draft, draft-hallambaker-mesh-architecture-14, , <https://tools.ietf.org/html/draft-hallambaker-mesh-architecture-14>.
[draft-hallambaker-mesh-schema]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IV: Schema Reference", Work in Progress, Internet-Draft, draft-hallambaker-mesh-schema-05, , <https://tools.ietf.org/html/draft-hallambaker-mesh-schema-05>.
[draft-hallambaker-mesh-security]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part VII: Security Considerations", Work in Progress, Internet-Draft, draft-hallambaker-mesh-security-05, , <https://tools.ietf.org/html/draft-hallambaker-mesh-security-05>.
[draft-hallambaker-mesh-udf]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part II: Uniform Data Fingerprint.", Work in Progress, Internet-Draft, draft-hallambaker-mesh-udf-10, , <https://tools.ietf.org/html/draft-hallambaker-mesh-udf-10>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3339]
Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, , <https://www.rfc-editor.org/rfc/rfc3339>.
[RFC4648]
Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, , <https://www.rfc-editor.org/rfc/rfc4648>.
[RFC7230]
Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, , <https://www.rfc-editor.org/rfc/rfc7230>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/rfc/rfc8446>.

14. Informative References

[draft-hallambaker-mesh-developer]
Hallam-Baker, P., "Mathematical Mesh: Reference Implementation", Work in Progress, Internet-Draft, draft-hallambaker-mesh-developer-10, , <https://tools.ietf.org/html/draft-hallambaker-mesh-developer-10>.
[ECMA-262]
Ecma International, "ECMAScript(R) 2017 Language Specification", .