Internet-Draft | Mesh Protocol Reference | October 2021 |
Hallam-Baker | Expires 28 April 2022 |
The Mathematical Mesh 'The Mesh' is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. The core protocols of the Mesh are described with examples of common use cases and reference data.¶
[Note to Readers]¶
Discussion of this draft takes place on the MATHMESH mailing list (mathmesh@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=mathmesh.¶
This document is also available online at http://mathmesh.com/Documents/draft-hallambaker-mesh-protocol.html.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 April 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This document describes the Mesh Service protocol supported by Mesh Services, an account-based protocol that facilitates exchange of data between devices connected to a Mesh profile and between Mesh accounts.¶
Mesh Service Accounts support the following services:¶
A Mesh Profile MAY be bound to multiple Mesh Service Accounts at the same time but only one Mesh Service Account is considered to be authoritative at a time. Users may add or remove Mesh Service Accounts and change the account designated as authoritative at any time.¶
The Mesh Services are built from a very small set of primitives which provide a surprisingly extensive set of capabilities. These primitives are:
Hello
Describes the features and options provided by the service and provides a 'null' transaction which MAY be used to establish an authentication ticket without performing any action.
Manage the creation and deletion of accounts at the service.¶
Upload
Support synchronization of Mesh containers between the service (Master) and the connected devices (Replicas).¶
Initiate the process of connecting a device to a Mesh profile from the device itself.¶
Request that a Mesh Message be transferred to one or more Mesh Accounts.¶
Although these functions could in principle be used to replace many if not most existing Internet application protocols, the principal value of any communication protocol lies in the size of the audience it allows its users to communicate with. Thus, while the Mesh Messaging service is designed to support efficient and reliable transfer of messages ranging in size from a few bytes to multiple terabytes, the near-term use of these services will be for applications that are not adequately supported by existing protocols, if at all.
This section presents the related specifications and standards, the terms that are used as terms of art within the documents and the terms used as requirements language.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
The terms of art used in this document are described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture].¶
The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer].¶
The Mesh specifies two separate types of protocol interactions:¶
A synchronous protocol supporting interactions between devices and a Mesh Service Host and between Mesh Service hosts.¶
An asynchronous protocol that supports interactions between devices connected to the same account and between accounts.¶
The Mesh Messaging Protocol uses the Mesh Service Protocol as transport. The Mesh Service Protocol in turn makes use of Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud] for framing and authentication of individual requests and responses. These RUD packets are in turn exchanged over either HTTPS (i.e. a Web Service) or directly over UDP.
Mesh Services MUST support the HTTPS binding and MAY support the UDP binding.¶
A Mesh Service is a minimally trusted service. In particular a user does not need to trust a Mesh service to protect the confidentiality or integrity of most data stored in the account catalogs and spools.¶
Unless the use of the Mesh Service is highly restricted, a user does need to trust the Mesh Service in certain respects:¶
A service could refuse to respond to requests to download data.¶
The use of Merkle Trees limits but does not eliminate the ability of a Mesh Service to respond to requests with stale data.¶
A service could reject requests to post messages to or accept messages from other mesh users.¶
This risk is a necessary consequence of the fact that the Mesh Service Provider is accountable to other Mesh Service Providers for abuse originating from their service.¶
A Mesh Service has knowledge of the number of Mesh Messages being sent and received by its users and the addresses they are being sent to or received from.
The need to trust the Mesh Service in these respects is mitigated by accountability and the user's ability to change Mesh Service providers at any time they choose with minimal inconvenience.¶
It is possible that some of these risks will be reduced in future versions of the Mesh Service Protocol but it is highly unlikely that these can be eliminated entirely without compromising practicality or efficiency.¶
The design of the Mesh Service model followed a quasi-formal approach in which the system was reduced to schemas which could in principle be rendered in a formal development method but without construction of proofs.¶
Like the contents of Mesh Accounts, a Mesh Service may be represented by a collection of catalogs and spools, for example:¶
Backup of the service MAY be implemented using the same container synchronization mechanism used to synchronize account catalogs and spools.¶
Mesh Services supporting a large number of accounts or large activity volume MAY partition the account catalog between one or more hosts using the usual tiered service model in which a front-end server receives traffic for any account hosted at the server and routes the request to the back-end service that provides the persistence store for that account.¶
In addition, the Mesh Service Protocol supports a 'direct connection' partitioning model in which devices are given a DNS name which MAY allow for direct connection to the persistence host or to a front-end service offering service that is in some way specific to that account.¶
The protocol binding maps the abstract protocol definition specified in this document to the network protocol format.¶
Currently only one protocol binding is specified: JSON-BCD Application Binding [draft-hallambaker-jsonbcd] over Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud].¶
JSON-BCD Application Binding specifies the means by which data types such as 'integer' and 'datetime' etc. given in this document are serialized using JSON/JSON-B encoding.¶
Reliable User Datagram offers a presentation layer over a choice of HTTP or UDP transport.¶
The Mesh Service operations are divided into the following functional groups:¶
Describes the service.¶
Operations used to create, reclaim, and delete accounts.¶
Operations used to synchronize persistence store data across connected devices. [May be replaced in a future revision]¶
Operations used by devices requesting connection to the account.¶
Operations allowing a watched document to be posted to the service and claims made on the document returned to a device.¶
Cryptographic operations, including threshold operations performed by the service.¶
Exchange of messages between Mesh Services.¶
The Hello transaction is used to determine the features supported by the service and obtain the service profile.¶
The request payload only specifies that it is a request for the service description:
{ "HelloRequest":{}}¶
The response payload describes the service and the host providing that service:¶
{ "MeshHelloResponse":{ "Status":201, "Version":{ "Major":3, "Minor":0, "Encodings":[{ "ID":["application/json" ]} ]}, "EnvelopedProfileService":[{ "EnvelopeId":"MD36-Q4SC-S4YZ-KPRP-7W4P-SNR7-QMD2", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRDM2LVE0U0MtUz RZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml sZVNlcnZpY2UiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAg IkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0M1oifQ"}, "ewogICJQcm9maWxlU2VydmljZSI6IHsKICAgICJQcm9maWxlU2lnbmF0dX JlIjogewogICAgICAiVWRmIjogIk1EMzYtUTRTQy1TNFlaLUtQUlAtN1c0UC1TTlI 3LVFNRDIiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVi bGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgI CAgIlB1YmxpYyI6ICJHdWFlT0hOMXE5WDdkMW5PZEJIYTFFdUNSUkY3ZTlCZ0Y4b3 VwdXJDZGpjT1BreUZBTFhRCiAgQWd4c1BKU1FNNWVnQVZQRGtHbWhyNjZBIn19fSw KICAgICJTZXJ2aWNlQXV0aGVudGljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTUJH Wi03U1NULTRIWUstRkxNTS03TjVMLVdWQU0tUDNYNyIsCiAgICAgICJQdWJsaWNQY XJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgIC AgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiZW5tcE1WcElONVl fQ1N0SGZYU21aa1ZueGdYSjZwYkoxQUZuZjNaUVZza19XZG1GaERDagogIGpsbW4y bEcyWHZyNURFWUlpR0pObUs2QSJ9fX0sCiAgICAiU2VydmljZUVuY3J5cHRpb24iO iB7CiAgICAgICJVZGYiOiAiTUJCUi1LTEw0LVlSRlgtSzYzRS0yRENULTZVR1EtWj VKQyIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWN LZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQ dWJsaWMiOiAiVzJxaWw2Z1lKcmZOajV6R2pOMGd6U0VCRWd1N2tUaGZrR1NhR0Z5L UlBVDYzbktBLU12eQogIE5HSElvRTFsanpUaG4zcHpIblBOeVd1QSJ9fX0sCiAgIC AiU2VydmljZVNpZ25hdHVyZSI6IHsKICAgICAgIlVkZiI6ICJNQUdYLUMzTU4tREh OVC1ZVVNJLVpZUEgtVlE1Vy1DNVNXIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMi OiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogI kVkNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAieXFGOVdhQzlHendYUkxKOFFEVT RLX0w2UENzVnY1bzVUeHF5SWxHdEFCREgtSXB5RUtzZAogIHl2QWZaWndZRGsxalF Nb29HZEMxaVVPQSJ9fX19fQ", { "signatures":[{ "alg":"S512", 
"kid":"MD36-Q4SC-S4YZ-KPRP-7W4P-SNR7-QMD2", "signature":"M_zW4QfJQFlkOgwxMukD4rrJCSy4O42zNbSmUQV- -5IUedZeFq3t81SVe_8rpVa43oPKn75yyXkAq2vL86MdD2EW6_5c0qk6_TjetFNA2 W6nMpJrgSVqfAGSov1VpDST98tz8mZPULoXw7uGCuSHcSoA"} ], "PayloadDigest":"jmeKG0k9DNNN6eJYg_LN13Gh2SwGociO76OVJ6Q5 kG9XCOgTVEO_YXG1DZWSszhG6qXfEUU5QV8WiQXqFsEU9Q"} ]}}¶
The current revision of the specification is designed for small scale deployments in which the service is provided by a single host. The approach will require revision in future versions to fully support a service being provided by multiple hosts with accounts being transferred between the hosts to allow balancing of load.¶
There are three account management operations:¶
Create an account bound to a service address.¶
Delete an account bound to a service address.
[TBS] Reclaim an account using a recovered primary secret.¶
The BindAccount operation is used to create User and Group accounts. Currently, these account types are distinct. This may change in future releases.¶
A User Account is bound to a Mesh Service by completing a BindAccount operation with the service.
The BindAccount transaction is unique in that it can fail to complete for reasons that are outside the scope of the Mesh specifications. Creation of an account might require payment to be made or authentication of the user's credentials. It is thus quite normal for the result of a CreateRequest to be the account being created in an 'on hold' state which can only be changed out of band.
If the request is at least partially successful, a BindResponse message is returned. In the case of partial success, a description of the request status and link to a Web page providing further details MAY be returned.¶
The request payload contains all the information needed to create the account:¶
Since there is no Access Catalog until the account is created, the Bind Account request and subsequent requests used to initialize the access catalog for the account MUST be authenticated by the Account Authentication key.¶
Alice requests creation of the account alice@example.com. The request payload is:¶
{ "BindRequest":{ "AccountAddress":"alice@example.com", "EnvelopedProfileAccount":[{ "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0tUV hKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy ZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"}, "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIj ogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzLVU zQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGlj S2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgI lB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUkybW RJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKICA gICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vy dmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKI CAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhRSC 1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ldGV ycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYi OiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3FFQ zNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNSVm o0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogICA gICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLAog ICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNES CI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIj ogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwSGd Cbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbWlu aXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVFGW U0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIj ogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJ FZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2lN UjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTBza 
V9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsKIC AgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FIIiw KICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVD REgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpY yI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3OU 5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY2N vdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILVVK TjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKI CAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0ND giLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhenZ lNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF84 bC1SaUdBIn19fX19", { "signatures":[{ "alg":"S512", "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA", "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa8W Vr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In4R Z9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"} ], "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fPbq u5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"} ]}}¶
The response payload currently reports the success or failure of the bind operation:¶
{ "BindResponse":{ "Status":201, "StatusDescription":"Operation completed successfully", "EnvelopedAccountHostAssignment":[{ "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY2NvdW50SG 9zdEFzc2lnbm1lbnQiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCI sCiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"}, "ewogICJBY2NvdW50SG9zdEFzc2lnbm1lbnQiOiB7CiAgICAiQWNjb3VudE FkZGVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiQWNjZXNzRW5jcnlwdCI 6IHsKICAgICAgIlVkZiI6ICJNQkJSLUtMTDQtWVJGWC1LNjNFLTJEQ1QtNlVHUS1a NUpDIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY 0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIl B1YmxpYyI6ICJXMnFpbDZnWUpyZk5qNXpHak4wZ3pTRUJFZ3U3a1RoZmtHU2FHRnk tSUFUNjNuS0EtTXZ5CiAgTkdISW9FMWxqelRobjNwekhuUE55V3VBIn19fX19" ]}}¶
It is likely that a future revision of the specification will specify the host(s) to which future account service operations are to be directed. This would allow the account management operations to be separated from the account maintenance operations without requiring the traditional tiered architecture in which every interaction with a service is first routed to a host that cannot perform the required action so that it can be directed to the host that can.
Mesh Group Accounts are created in the same manner as user accounts except that the ProfileGroup is specified.¶
Should all the administration devices be lost, an account MAY be recovered by the process of recovering the profile master secret and using it to access the account through the account authentication key.¶
An account registration is deleted using the UnbindAccount transaction.
>>>> Unfinished ProtocolAccountDelete¶
The request payload:¶
The response payload:¶
Should a user wish to transfer their account to a new service provider, they first use the Bind Account operation to bind the account to the new service provider, then populate the account entry at the new account using the account authentication key.¶
Only after the new account binding has been completed and is ready for use is the unbind operation used to delete the account entry at the old service provider.
Future versions of the protocol will elaborate on this mechanism so that the change of address can be signaled to connected devices and parties sending messages to the account.¶
Account recovery is necessary in the case that the user has lost control of every administration device connected to the account and must re-create the account profile and bind a new set of administrative devices. Account transfer is the process of unbinding an account from one service and rebinding it to a new one.
These capabilities are both critical to the long term success of the Mesh but have been deleted from the current revision of the specification as their implementation is interdependent on the architecture of the callsign registry.¶
>>>> Unfinished ProtocolAccountRecover¶
[TBS]¶
All the state associated with a Mesh profile is stored as a sequence of DARE Messages in a DARE Container. The Mesh Service holds the master copy of the persistence stores, and the devices connected to the profile hold complete copies (replicas) or partial copies (redactions).
Thus, the only primitives needed to achieve synchronization of the profile state are those required for synchronization of a DARE Container. These steps are:
To ensure a satisfactory user experience, Mesh Messages are intentionally limited in size to 32 KB or less, thus ensuring that an application can retrieve the most recent 100 messages almost instantaneously on a high bandwidth connection and without undue delay on a slower one.¶
The status transaction returns the status of the containers the device is authorized to access for the specified account together with the updated Device Connection Entry if this has been modified since the entry presented to authenticate the request was issued.¶
Alice adds an entry to her bookmark catalog. Before the bookmark can be added, the device synchronizes to the service. The synchronization process begins with a request for the status of all the stores associated with the account that it has access rights for:¶
{ "StatusRequest":{ "CatalogedDeviceDigest":"MDNG-A3QX-657G-UH45-KEKO-DIV2-4Q"}}¶
If the account has a very large number of stores, the device might only ask for the status of specific stores of interest.¶
The response gives the status of each store, specifying the index and Merkle tree apex digest values for each:
{
  "StatusResponse": {
    "Status": 201,
    "StatusDescription": "Operation completed successfully",
    "ContainerStatus": [
      {"Container": "MMM_Inbound", "Index": 3},
      {"Container": "MMM_Outbound", "Index": 1,
       "Digest": "FEHy24Y6cLModDXWH31kVc2a3TdhjXPooKHpLAb2JbsO1YQnJolmowXAYHhkOGY0kg3jrKNTjds0myf4Dw1sdg"},
      {"Container": "MMM_Local", "Index": 2},
      {"Container": "MMM_Access", "Index": 3},
      {"Container": "MMM_Credential", "Index": 4},
      {"Container": "MMM_Device", "Index": 3},
      {"Container": "MMM_Contact", "Index": 2},
      {"Container": "MMM_Application", "Index": 1},
      {"Container": "MMM_Publication", "Index": 1},
      {"Container": "MMM_Bookmark", "Index": 1},
      {"Container": "MMM_Task", "Index": 1}
    ]
  }
}
Bug: The current version of the reference code is only returning the digest values for the outbound store.¶
The download transaction returns a collection of entries from one or more containers associated with the profile.¶
The service MAY limit the number of entries returned in an individual response for performance reasons.¶
The previous status operation has reported that a new envelope has been added to the credential store. The device requests this data from the service:¶
{ "DownloadRequest":{ "Select":[{ "Container":"MMM_Credential", "IndexMin":3, "IndexMax":4} ]}}¶
The response contains the requested envelope:¶
{ "DownloadResponse":{ "Status":201, "StatusDescription":"Operation completed successfully", "Updates":[{ "Container":"MMM_Credential", "Envelopes":[[{ "PayloadDigest":"scKJJY0e2llHKRImyYAHL98MSo62-eVSTz 8JkFFaicCDM1Nskxm5JW1WIUy4XhKdhYTYagTRFxNTsbABRAOT7w", "enc":"A256CBC", "dig":"S512", "Salt":"28sn1l7vROY1rqAjTNaxzg", "recipients":[{ "kid":"MC7F-DLCK-JI67-VFL7-BOHX-T62Q-KCVG", "epk":{ "PublicKeyECDH":{ "crv":"X448", "Public":"lGsU2MtoCW3h7kBLBfm4eN9xXqVSVbR_9 Es_47TEqVo2HYkeSOlkFE1hPNCz98yD-xFx_9omFj4A"}}, "wmk":"tyvbkB9eXzVAFqYyTn12vOcC18vtSIlIfmPR6hpS LPoAORyeVaD2rg"} ], "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICI6ZnRwLmV4 YW1wbGUuY29tIiwKICAiRXZlbnQiOiAiVXBkYXRlIiwKICAiRmlyc3QiOiAxLAogI CJQcmV2aW91cyI6IDF9", "SequenceInfo":{ "Index":3, "TreePosition":716}, "Received":"2021-10-25T15:48:48Z"}, "GnC2lneENSTxMbQ6W91xcsDRs1Ap9P5PRn7MHvCQ1hEMWiGWw91t r5llzPtdeZz1-FxF5Cc49FrdanP8dtWZVNMTg4yQMf5bbaRzte4CzUrKihFYdJ3SK GAm2EC317muijVLb29kqnkJkmdLUJu41yYZ4OLRe1rM_xR1t0VlkaE", {} ] ]} ]}}¶
Future: The current implementation of the download operation is limited by the capabilities of the HTTP binding of the RUD transport. A future binding allowing operations that consist of a single request followed by a sequence of responses will allow much greater flexibility.¶
Future versions of the protocol may support optional filtering criteria so that the service only returns objects matching specific criteria and/or only return certain parts of the selected messages.¶
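The status-then-download exchange above, as an added example that is not part of the draft or its reference code: a device compares a StatusResponse with its own replica, builds the DownloadRequest, and flags answers that look stale (the residual risk noted in the trust discussion). It assumes, from the sample payloads, that a reported Index is the next free position in an append-only store and that IndexMin/IndexMax are the replica's index and the reported index; `plan_sync`, the alert labels and the sample data are constructed for illustration.

```python
# Added example: device-side planning of a DownloadRequest from a StatusResponse.
# Field names (ContainerStatus, Container, Index, Digest, Select, IndexMin,
# IndexMax) are taken from the page's JSON samples; everything else is hypothetical.

SUCCESS = 201  # status value shown in the page's sample responses


def plan_sync(local, status_response):
    """Compare the device's replica state with a StatusResponse.

    local maps container name -> {"Index": int, "Digest": str or None},
    the state this device last verified for itself.
    Returns (download_request or None, alerts), where alerts is a list of
    (container, label) tuples that should be surfaced, not silently ignored.
    """
    body = status_response["StatusResponse"]
    if body.get("Status") != SUCCESS:
        raise ValueError(f"status request failed: {body.get('Status')}")

    select, alerts = [], []
    for entry in body.get("ContainerStatus", []):
        name, remote_index = entry["Container"], entry["Index"]
        # A store the device has never seen is treated as an empty replica.
        known = local.get(name, {"Index": 0, "Digest": None})
        local_index = known["Index"]

        if remote_index < local_index:
            # Stores are append-only, so a lower index than the replica already
            # holds means the service answered with an older state.
            alerts.append((name, "stale"))
        elif remote_index == local_index:
            # Same length but a different apex digest: the service's copy and
            # the replica no longer describe the same sequence.
            remote_digest, local_digest = entry.get("Digest"), known.get("Digest")
            if remote_digest and local_digest and remote_digest != local_digest:
                alerts.append((name, "diverged"))
        else:
            # Assumption: request the range the replica lacks, as in the page's
            # example (replica at 3, service reports 4 -> IndexMin 3, IndexMax 4).
            select.append({"Container": name,
                           "IndexMin": local_index,
                           "IndexMax": remote_index})

    request = {"DownloadRequest": {"Select": select}} if select else None
    return request, alerts


# Constructed sample data, modelled on the StatusResponse shown on the page.
SAMPLE_STATUS = {"StatusResponse": {
    "Status": 201,
    "StatusDescription": "Operation completed successfully",
    "ContainerStatus": [
        {"Container": "MMM_Credential", "Index": 4},
        {"Container": "MMM_Bookmark", "Index": 1},
        {"Container": "MMM_Contact", "Index": 2},
        {"Container": "MMM_Outbound", "Index": 1, "Digest": "constructed-digest-A"},
    ]}}

# Constructed replica state: behind on credentials, ahead of the service on
# contacts, and holding a different digest for the outbound spool.
SAMPLE_LOCAL = {
    "MMM_Credential": {"Index": 3, "Digest": None},
    "MMM_Bookmark": {"Index": 1, "Digest": None},
    "MMM_Contact": {"Index": 3, "Digest": None},
    "MMM_Outbound": {"Index": 1, "Digest": "constructed-digest-B"},
}

if __name__ == "__main__":
    request, alerts = plan_sync(SAMPLE_LOCAL, SAMPLE_STATUS)
    print(request)
    print(alerts)
```

Because the status response in the reference code currently carries a digest only for the outbound store, the "diverged" check can only fire where both sides have a digest; the index comparison works for every store.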
The transact transaction appends envelopes to one or more stores. The operation is atomic, that is, either all the changes specified will be made to the stores or none will. This ensures that simultaneous attempts to update a store do not result in race conditions and allows Mesh stores to provide ACID (Atomicity, Consistency, Isolation, Durability) properties to the applications they serve.
Clients SHOULD check to determine if updates to a container conflict with pending updates on the device waiting to be uploaded, for example, if a contact that the user modified on the device attempting to synchronize was subsequently deleted. The means of resolving such conflicts is not in the scope of this specification.
Each update to a catalog or container specifies the expected container index and apex digest. This provides a strong guarantee of consistency. The service MUST verify each update to check that the Merkle Tree values specified are consistent with the store entries and that the signature on the apex value (if specified) is valid and correct.¶
Services MAY impose limits on the size and number of additions performed in response to a TransactRequest message to ensure that processing time does not degrade performance for other users.
The request payload specifies the data to be appended to the stores.¶
{ "TransactRequest":{ "Updates":[{ "Container":"MMM_Bookmark", "Envelopes":[[{ "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJTaXRlcy4y IiwKICAiRXZlbnQiOiAiTmV3In0", "SequenceInfo":{ "Index":1, "TreePosition":0}}, "ewogICJDYXRhbG9nZWRCb29rbWFyayI6IHsKICAgICJVcmkiOiAi aHR0cDovL3d3dy5leGFtcGxlLm5ldCIsCiAgICAiVGl0bGUiOiAic2l0ZTIiLAogI CAgIlBhdGgiOiAiU2l0ZXMuMiJ9fQ", { "PayloadDigest":"gtpamSravs9YkD3Wi6-rIFqFOINwLFj8Q2 eGpMjmbyP-_TRCgRs9Hqpo3bJPhoRSgUmfIUsQTDNeiT414W56eA", "TreeDigest":"TpXg14cDEx_-1Qe-h1qiryihslO0MrUCLW0L7 wvq-YLCEWZfAIrp9FmBwNE0se8UN1nFY4h1aqXbN3yBuKfg9w"} ] ]} ]}}¶
The response reports successful completion:¶
{ "TransactResponse":{ "Status":201, "StatusDescription":"Operation completed successfully"}}¶
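One way a service could enforce the index and digest check and the all-or-nothing rule described above, as an added example that is not the draft's or the reference implementation's code. It assumes PayloadDigest is the unpadded base64url SHA-512 of the payload bytes and replaces the DARE Merkle tree apex with a simple hash chain (`chain_digest`); all function names and the sample payloads are constructed.

```python
# Added example: service-side validation of a TransactRequest with atomic commit.
import base64
import hashlib


def b64u(data: bytes) -> str:
    """Base64url without padding, as in the page's JSON samples."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def chain_digest(previous: str, payload_digest: str) -> str:
    """Stand-in for the Merkle tree apex: hash of previous apex and new digest."""
    return b64u(hashlib.sha512(f"{previous}.{payload_digest}".encode("ascii")).digest())


def make_envelope(store: list, payload: bytes) -> list:
    """Client side: build [header, payload, trailer] for the store's next slot."""
    digest = b64u(hashlib.sha512(payload).digest())
    previous = store[-1][2]["TreeDigest"] if store else ""
    return [{"dig": "S512", "SequenceInfo": {"Index": len(store)}},
            b64u(payload),
            {"PayloadDigest": digest, "TreeDigest": chain_digest(previous, digest)}]


def transact_request(*updates) -> dict:
    """Wrap (container, envelopes) pairs in the request shape shown on the page."""
    return {"TransactRequest": {"Updates": [
        {"Container": name, "Envelopes": envelopes} for name, envelopes in updates]}}


def apply_transact(stores: dict, request: dict):
    """Validate every update against a staged copy, then commit all or nothing.

    Returns (True, "committed") or (False, reason); on failure stores is untouched.
    """
    staged = {}
    try:
        for update in request["TransactRequest"]["Updates"]:
            name = update["Container"]
            if name not in stores:
                return False, f"{name}: unknown container"
            pending = staged.setdefault(name, list(stores[name]))
            for header, payload, trailer in update["Envelopes"]:
                expected = len(pending)
                index = header["SequenceInfo"]["Index"]
                if index != expected:
                    # Another device appended first: the client must resync.
                    return False, f"{name}: index {index} does not match expected {expected}"
                digest = b64u(hashlib.sha512(b64u_decode(payload)).digest())
                if trailer.get("PayloadDigest") != digest:
                    return False, f"{name}: payload digest mismatch"
                previous = pending[-1][2]["TreeDigest"] if pending else ""
                if trailer.get("TreeDigest") != chain_digest(previous, digest):
                    return False, f"{name}: tree digest mismatch"
                pending.append([header, payload, trailer])
    except (KeyError, TypeError, ValueError) as error:
        return False, f"malformed request: {error!r}"
    # Every update passed, so the staged copies replace the live stores together.
    stores.update(staged)
    return True, "committed"


def demo():
    """Two devices build updates from the same state; the slower one must retry."""
    stores = {name: [make_envelope([], b"constructed first frame")]
              for name in ("MMM_Bookmark", "MMM_Contact")}
    first = make_envelope(stores["MMM_Bookmark"], b'{"Uri":"http://www.example.net"}')
    late_bookmark = make_envelope(stores["MMM_Bookmark"], b'{"Uri":"http://www.example.org"}')
    late_contact = make_envelope(stores["MMM_Contact"], b'{"Contact":"constructed"}')

    results = [apply_transact(stores, transact_request(("MMM_Bookmark", [first])))]
    # Second device: its contact update is valid, its bookmark update is stale.
    results.append(apply_transact(stores, transact_request(
        ("MMM_Contact", [late_contact]), ("MMM_Bookmark", [late_bookmark]))))
    # After resynchronizing it rebuilds the bookmark envelope and resubmits both.
    retry = make_envelope(stores["MMM_Bookmark"], b'{"Uri":"http://www.example.org"}')
    results.append(apply_transact(stores, transact_request(
        ("MMM_Contact", [late_contact]), ("MMM_Bookmark", [retry]))))
    return results, {name: len(store) for name, store in stores.items()}


if __name__ == "__main__":
    for line in demo():
        print(line)
```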
In order to support the wide range of affordances supported by devices, four device connection interactions are currently specified. The use of these mechanisms is described in [draft-hallambaker-mesh-architecture] and the interactions themselves are described in section ??? following.¶
Device connection operations are always issued by a device requesting connection to a Mesh account and must therefore be authenticated under the device profile rather than the account profile. Two device connection operations are currently defined:¶
Requests connection to the account.¶
Polls for completion of a connection request.¶
Since the second operation is merely polling for completion of the transaction requested by the first, it is likely that these will be combined in a future revision of the specification.¶
If the connection request is initiated by the device being connected, the device constructs a RequestConnection message which is posted to the Mesh Service using the Connect operation.
If the Connect operation is accepted (i.e. the service determines it is not abuse), the service constructs an AcknowledgeConnection message which is forwarded to the inbound spool of the account to which connection is requested. The requesting device receives a copy of the AcknowledgeConnection message and the profile of the account it is requesting connection to.
As described in the following section, the AcknowledgeConnection message contains the request details presented by the device and a nonce value generated by the service. This nonce value is used to compute the witness value that will be used for mutual authentication of the device and account.¶
The connect request is made to the service, not the account. The payload contains the enveloped connection request:¶
{ "ConnectRequest":{ "EnvelopedRequestConnection":[{ "EnvelopeId":"MDKW-3KOD-ZTW6-MRIB-AARK-UACM-PDOZ", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"}, "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi AiTkE0Ni1IU1ZHLU41TlUtRVhLWi00WDdHLUdTRjctRFVXUyIsCiAgICAiQXV0aGV udGljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1DVk4tWExM VC1MTE5XLVU0SFItQk9NRy1SQTZaLVVXUlIiLAogICAgICAgICJkaWciOiAiUzUxM iIsCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWk NJNklDSk5RMVpPTFZoTVRGUXRURXhPVnkxCiAgVk5FaFNMVUpQVFVjdFVrRTJXaTF WVjFKU0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxk bWxqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV 04wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJeExURXdMVEkxVkRFMU9qUT VPakF5V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V 3b2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNK VlpHWWlPaUFpVFVOV1RpMVlURXhVTFV4TVRsY3RWCiAgVFJJVWkxQ1QwMUhMVkpCT mxvdFZWZFNVaUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KIC BnZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0F nSUNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmli R2xqSWpvZ0ltUXpNbGcxYjNOSE1VdFBSVFZ2YldaCiAgV1RVWnFSRXMwTUY4NGVHS jVSVE5yWmxWM1QzZFVZbEJYTVhaSmVXOHpRME5PZGtvS0lDQTVhWEJzZVRGQk0KIC BsZzRUalZNZWpoWFNYUlRXbWwzUzBFaWZYMTlMQW9nSUNBZ0lrVnVZM0o1Y0hScGI yNGlPaUI3Q2lBZ0lDQQogIGdJQ0pWWkdZaU9pQWlUVVJOVnkxWFEwbFNMVVpLVFU4 dE4xcElOaTFEVGpOS0xVdFZXa3d0VWt4QldDSXNDCiAgaUFnSUNBZ0lDSlFkV0pzY VdOUVlYSmhiV1YwWlhKeklqb2dld29nSUNBZ0lDQWdJQ0pRZFdKc2FXTkxaWGwKIC BGUTBSSUlqb2dld29nSUNBZ0lDQWdJQ0FnSW1OeWRpSTZJQ0pZTkRRNElpd0tJQ0F nSUNBZ0lDQWdJQ0pRZAogIFdKc2FXTWlPaUFpYm5SZmNIVTBXVkppZVhJd1dVeE5Z MUpYZG1sTkxYSlVXbGhYWmxCMVVWaFdhMWgwVFdkCiAgdWQyaHdlVVZYZGpCSFVtc HNhQW9nSURsVmNuQlBjMjFqVlRJM0xXeHRlbmhKVDNkVFdHcEJRU0o5Zlgwc0MKIC 
BpQWdJQ0FpVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ01 sVXROa2ROTnkxUVNFawogIHpMVE5WVlU0dFRFbGFOaTFWVlVkS0xVbFhOVkVpTEFv Z0lDQWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljCiAgeUk2SUhzS0lDQWdJQ0FnS UNBaVVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjblkKIC BpT2lBaVJXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSlZibWs yTlVWWVkwUllZbVZYYQogIFcxUmJGazVPWGhoU0c1U1dtcGlTRnBCUzJsVU5tUmxa RFIwTVdwMlRHcEZWbWhNYjNsWUNpQWdWbEZyYVdSCiAgb1oxbHNWMjFmUkhNMk9EZ FBkVXBvWDFWQkluMTlmU3dLSUNBZ0lDSkJkWFJvWlc1MGFXTmhkR2x2YmlJNkkKIC BIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKTlFrbERMVUl5UzBRdFFrSlNXQzFITkZCRUx UUkpNazh0VUUxRVRpMQogIFhUMWRCSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21G dFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ0lsQjFZCiAgbXhwWTB0bGVVVkRSRWdpT 2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJQ0EKIC BnSUNBZ0lsQjFZbXhwWXlJNklDSjVjR0pUVjFablNIRXdiMjVvVDJ0VVQxRjRNVU5 rWjNkSVJWUlFURWxTVAogIFZRMWFXMVNTMHBmTUdvelZ6Qktabmt0Vms1dUNpQWdP VEptVHpaclNGbDBNMmRUYjBoWFNtMDRUWFpXTkhkCiAgQkluMTlmWDE5IiwKICAgI CAgewogICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgImFsZyI6IC JTNTEyIiwKICAgICAgICAgICAgImtpZCI6ICJNQ1ZOLVhMTFQtTExOVy1VNEhSLUJ PTUctUkE2Wi1VV1JSIiwKICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJGUGpjQ3py N3MwRmJVSHJaT09oVUd1ZXNVTkJKT05YOUZlLUNfXzg3ZXlrSFc1VU95CiAgbExob mZ4ZmtVTFFWUklZM2dkRmdmTFNKNW1BTFlRM3Y5UkxKdGhkUGhNcHhEZnV5SWlEM1 Z0LWNobzJRR2EKICBTcTdpbU8tWmxLWkxQX2p3TzQ4QW5xY05abkp3Y2RLTUZoa3p aRGprQSJ9XSwKICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJIZ0tJNVZjY3psUmkw X0g5bUVlYnlfWWxrOHpDVGxlTG1oemVXVm9ma1djY2YKICBncENsSTFoUkgzZm5fS lVBSlpxYXU3Nm8yQWFVVFB1My1EZXU5VFhhdyJ9XSwKICAgICJDbGllbnROb25jZS I6ICItcHl1a0E4S0pxZHZWX2hlUElLRlpRIiwKICAgICJQaW5JZCI6ICJBQVBPLVB VQ0stQUlZWi1GU09YLU9CSTUtWVpaQi1SVlQyIiwKICAgICJQaW5XaXRuZXNzIjog IndWMDRjckJhZjdoLTVmY2xWQUdNSXN5NVpVWm5LY3FiUFhEVWJ1WmZYWW96dUk5W gogIEItZW1ld25xMmF3dnB3Nmk3b0Z2Z1ktb1cwalFyVVlxSlNUV0RnIiwKICAgIC JBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSJ9fQ" ]}}¶
The response payload contains the information the device requires to compute the witness value and to poll for completion. This is a copy of the request acknowledgement and a copy of the profile of the account the device has requested connection to:¶
{
  "ConnectResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAcknowledgeConnection":[{
        "EnvelopeId":"MBQD-SAOO-FLPI-PKWI-WYR6-PNVY-VTC4",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICIyV1pQLUtOWkYtSk1LTy1SUVNVLVdZVEgtVVUzNS1OV1hWIiwKICAiTWVzc2FnZVR5cGUiOiAiQWNrbm93bGVkZ2VDb25uZWN0aW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDJaIn0"},
      "[base64url payload omitted]"
      ],
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0tUVhKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZmlsZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "[base64url payload omitted]",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
            "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa8WVr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In4RZ9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
          ],
        "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fPbqu5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
      ]}}¶
The complete operation is used to complete the binding of a device to the account regardless of whether the operation is initiated by the administration device or the connecting device.¶
The complete request is made to the service, not the account. The payload specifies the account the device is requesting completion for and the identifier of the completion message.¶
{ "CompleteRequest":{ "AccountAddress":"alice@example.com", "ResponseID":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW"}}¶
The response payload:¶
{
  "CompleteResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedRespondConnection":[{
        "EnvelopeId":"MA5F-7LDW-G2AQ-N4PQ-N7XJ-243G-CH4B",
        "enc":"A256CBC",
        "Salt":"5N4XeR89WnRUPeNN9eehLw",
        "recipients":[{
            "kid":"MDMW-WCIR-FJMO-7ZH6-CN3J-KUZL-RLAX",
            "epk":{
              "PublicKeyECDH":{
                "crv":"X448",
                "Public":"x4NzHBx1XxAiMAvIgZh2htXH9is-DGf71wwvqJhjlWZcZds2vBOGHhXCRI85oGRbSWr-rXRNSuYA"}},
            "wmk":"DRB_GkoKIfvQZ7RTrJHrYxj5e82Npx6MPiXeae-tIrWhmPrA025oPw"}
          ],
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRFQzLVRNNjItRzNYTy1FU1lPLVdRWlgtSVIyQi1ZTkhXIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVzcG9uZENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowM1oifQ",
        "SequenceInfo":{
          "Index":3,
          "TreePosition":426},
        "Received":"2021-10-25T15:49:03Z"},
      "[base64url encrypted payload omitted]",
      {}
      ]}}¶
[Future: Consider eliminating this mechanism entirely and instead using messaging flows. The means of achieving this should become better apparent when the problem of publishing large messages via a pull mechanism is considered.]¶
The Publication mechanism allows content to be published through a Mesh Account and retrieved by means of the EARL mechanism described in Uniform Data Fingerprint [draft-hallambaker-mesh-udf]. This mechanism is used in certain flows supported by the Mesh Device Connection and Contact Exchange functions. There are two operations:¶
Content is published by appending an entry to an account's Publication catalog by means of a Transact operation. The content may then be retrieved by issuing a claim to the account specifying the publication identifier that is authenticated under the value specified in the EARL.¶
Use of the Publication catalog to post content necessarily requires that the content be smaller than the maximum message size imposed by the Mesh Service so that it can be uploaded to the service by means of a Transact transaction.¶
Publication of large data items will require modification of the protocol to support use of a detached message body. Transfer of a detached message body is outside the scope of this document.¶
The claim transaction is used to post a claim to a document published by means of an EARL. The claim interaction is used in the Static QR Code connection interaction but MAY be used for other purposes as required by Mesh applications.¶
A claim is made by sending a ClaimRequest message to the service to which the publication is posted. The service responds with a ClaimResponse message specifying the success or failure of the claim.¶
A device is preconfigured during manufacture and a Device Description published to the EARL:¶
The client claiming the publication creates a claim message specifying the resource being claimed and the address of the Mesh account making the claim.¶
{
  "MessageClaim":{
    "MessageId":"NCWK-7ON4-VB2S-3JOX-6QYI-EE5V-QIHM",
    "Sender":"alice@example.com",
    "Recipient":"maker@example.com",
    "PublicationId":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
    "ServiceAuthenticate":"ADQX-SBRA-6ACX-ZGGB-IU3L-2TZS-TIKZ",
    "DeviceAuthenticate":"ADNB-SNE2-GEL5-GQQS-JBUB-TY32-JGCC"}}¶
The message is signed by the claimant to make a RequestClaim to the service:¶
{ "ClaimRequest":{ "EnvelopedMessageClaim":[{ "EnvelopeId":"MAKC-IPPQ-POEQ-P2EL-N2FV-OLED-GPIH", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQ1dLLTdPTjQtVk IyUy0zSk9YLTZRWUktRUU1Vi1RSUhNIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD cmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDhaIn0"}, "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiTWVzc2FnZUlkIjogIk5DV0 stN09ONC1WQjJTLTNKT1gtNlFZSS1FRTVWLVFJSE0iLAogICAgIlNlbmRlciI6ICJ hbGljZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogIm1ha2VyQGV4YW1w bGUuY29tIiwKICAgICJQdWJsaWNhdGlvbklkIjogIkVCUUstTFUzUC1WSkxULVpQR zctQjY2Ny1MNTNMLU1CRU4iLAogICAgIlNlcnZpY2VBdXRoZW50aWNhdGUiOiAiQU RRWC1TQlJBLTZBQ1gtWkdHQi1JVTNMLTJUWlMtVElLWiIsCiAgICAiRGV2aWNlQXV 0aGVudGljYXRlIjogIkFETkItU05FMi1HRUw1LUdRUVMtSkJVQi1UWTMyLUpHQ0Mi fX0", { "signatures":[{ "alg":"S512", "kid":"MBUX-YI5W-NTAH-UJN2-4FFC-4PAY-NI73", "signature":"fxh1PHK56aMoB9Qkbx3Kcv4UrPQkfGRCd9LwW4Un 3EcR_EqxpWaxZjcXFqdX6d4j9lEStBR2QxKAE_GCYpaXVOLOAVTbb4pwaV9fLDo8r FtlKfnFFoBZMslOfqcKsJrAnc4AQsT2H5nu6xZ0dq927jYA"} ], "PayloadDigest":"wMSgIvLpoj69Rw_P_YJ7yXYvo18eCvgU3Hd8DgJ_ 07Jv0nqIkC4sZMGFGW6Ntl_3PVwk7bAj51GVrPwqzZ12sg"} ]}}¶
The publication is found and the claim is accepted; the publication is returned in the response.¶
{ "ClaimResponse":{ "Status":201, "StatusDescription":"Operation completed successfully", "CatalogedPublication":{ "Id":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN", "Authenticator":"EAYS-MGDB-YH2G-DWVI-TTWV-4Z6P-UVLM-FENY-Z7MP -7ZYV-35EA-6GQK-CHBN-K", "EnvelopedData":[{ "enc":"A256CBC", "kid":"EBQA-ZKEC-3A4N-DSSH-TQMT-6GON-M6G3", "Salt":"9PKNerq6mIRxK2feTIUJ9g", "recipients":[{ "kid":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN", "wmk":"W-lDFznmpNx2ZcN6_eWCG0ja0VHFV25k5TVdBMMYbAPc ZGPZvLjlww"} ]}, "I01c378amieTGSky6lqXoT8infXsu_EwVamZ6Lp3Q_Ent97vfxdOY8m1 g_eUVW7ui1Ede6raopIeC7ZWHdZOlfHDV7agFF6-X_5CmpIDCTl10ouL-PIVkXJik 2FB2KOQGwVqMHPrPu6HpeK4mIro0OpJmGJksPiBezVxEq0NGzDw8nbANsxr9tSdsO 4sJuApk7IJUZGZ1mSaOdqUF8byioqACRFXDie0-ox23XItR7IOwZf--HUIHnPEtnv _cxEwCKdAiYus1x3n3WdAxZc9_rqAY-FgXic0qZetde6uHOapnUeCTdnHS3-x84DG 1XaBqthhHMhlwFz0CqftYsB85EjorNKIjw_mwqMmX2QnVSVkhLKW9NdA3w5_mzfd_ nJk0SisY97xeuIsl6-imXTM8LEdyQpuiilK7R5qr7ZaYFya9SCje6UiOmbL8dVqjF zvDTMQRQ2qnYJKAGDI_Z7P8ehqHkpRB2ZDF-5WQh3JnvnYyW5GTJwNgg1ig2iW2pS QqIXd-Oe_DCLITFgq8ncfM7mEhaXcJUQe01Fj_c4a3oOlhfmv2ts3iK9dieba65Kd LOWaHaU2P0TivQQImMg-3WhCWfU4MbpQlQ_3yEZ51QPGVeUIV0bj3kc1QbaBAlJaB ch0_E54A9TRWz2xmakyjrEuvSi5aPVd_s-U8DrSDR_YqXSedhMwSBdGqcW7nybFMK gOxomDZyHnEbNYvwN43vHFDuOyvQWs_dRRe97ylx27VTcAw7AhAt2s3rMZeBwJYfS rJptABHFEeXPE52g6oSuzrHrG3P_ryAalSh9YuoKEYV4UXG8_9B4d8sOD8s5O3j04 -7Ix1LhqIrSDVYBmn8l6l4nJzSs9_9sbBWtAUIozPNL8LqhbDd1-qOGNjNyt9sQqV QX76qD8HB6EtdrrZsoBewmwohlLIatHJH_909ANUD7tFJONkcyQAXaU64B-j9Z6rF 4vh-9UxYlbbHrOhi9C0kpbnsAsAUzltg8_IvnH8JSTZI4J13WYWkYTx4BUjggX8cV ekob4ZZupdcfS0UnNjKNqGDjQ8IJqrMWfqLllnnBQWpSxsRoRp-ernxQ_Ax8pnWtG oMXA8yc0WwAr4_S_YQQ0TVxA5KRdQZqF-NC7NX8tacAS8CdPfJwPhjebhDgKwJv0P ccyjqJ8HFtV9YsHxfQQjyxYyA4QT8bvgI4JtJsa_YQ5Zw92tyhb-SwKHNiwnhVrz3 _z6vQPfPdQJUfMtz6GC13eihC19_0vM3IPATyJcenZnQz3rLOm-cFseviCxoLgN5a LZGCrvlWrwtfN5-evHZF66guRy2fF3BSM4eUi71r2ehU0kYJ8vIjx6NVWzjL-Q2zX 1WHL_bJOaLp0yHV6_2jOTBnaj6QT69Dp0ikXwEEtVzpxVUKLHbmpje2EXXIzNVlFn MM65KPT4OzxyKONsq32-xxIi5sxS-woyXxtDv8atRbbE0KPLtLfgianqok9rx2WuN 
JpjjpGcIwKk8O_1MqFotKIlhVPwCPza688bi4lESyruslT917HfyVyqfKrDyTjAMK mYAGkVaa3ASVudNyhJP8rQWwwc_qxruMMQrCe51JvKh7FwsIL14dT6HFnaNcLXSDE LU7u0_jcViwpu-EysogSeXJ0Z31yG34ve0G_h3K5dN_hk_6PgfK-Soe1dhReVrOb1 JWM3oUmKUv0Kx-XYvsWB_KiuJWRqKePmIhWo9_uZaybh21PoJ75Ct5b3Qk9u49RKf _x17YE11VQBMdgsV7TS2Qpw0olk4yNg_J9ZjTu1d9UBjabTG0FqdYkeEscDPyIoIq 7DreogM3Y650nqLSpdvJRnueJI5r1a_J9UAVzmk2TAr33fA1VlgmpHptd_tl5i2KV TvMWkL1wmSncGcX-krfCQAIH9ZBmjyVwgurfR9Q6UwuDJYKiRgLLE14ZJmz9hn_j8 ki253lZaYCEYR5F7-nqQpj9lVrYzb476McYISLHzl2SDQkC7vkVo0OZWcsWBjrcWF MK9LPJMLu8EO6TCf_7rRwZ6SmoDOupGVCWikGuAczW7lvCtKty-r_oC1YNGeOxyqG 9lTij6EzXDdGS7CHRRolDtYnB6LDLdY8hYQ1cncW3A5g6RHrafChrEihem_0NLplw 2yPofZGIzhj_gMcHx7Sg_ExP_0cS32hU1LYX-Hcc0dK8bWQll4a7xsU8dHt8TNbLA 5VuP_bPAv95fTFQvW_Lj6-GGyh7gH2bO5QffpusKAddsisiIdGvjr-hNVF99EjsJF FetvlCP1CFipmCuxo8WgXiayK-_b32Rvav_BxZ4YIcZGRsrH5oI6JywKyg3O9TAwz f7853NMhqsvnmLyhGC6Ezs7tQ__WgYqNcfJfo0YG8y78nMvDN2np_pDLw7NRGFhJj FrVjtdsj7E2gCorPC52JdKJ9jUrQCYpSglZU06CGTRQHnQvMk-H2ftQ4AFVEBJrjO 6527KYwSylkZGMV2WBsrDsYu70Rs1SqI6e-u8pL_VdYPALWvD7SRVPCb90YoPX8lh gZR0BeCp_kNN6C30B9P9yWRR4JdTsG-LcWtK6iCs_igIOCjfelbsUBXTs7nxI0m1P mzlvPzkN3Acwrxa6HUEA_tOLulovb7i04IeDb8nKZgiO2Dyohi4aWoyFY2ExsQmgF qQLExsWPbYJiZEc5BM3idhRDzvjnON7aPkvqq568y-e3d3OsRXV9uKikFJghh89j5 HHZ3HhTeIHAQAfDKVx7vPUls_5-mleI2v_ZkSag3vXRb23XLfI3x33l_ZxW9MC7YX _kdJgEqQiJu64AvYWKiA-Fd8uEQMfaUpHamNDlO4GFQ8uLWJ7cKkuDbbbiOfiT5z- 77DQAMUiIjJ3mQ_kmileeTNb_qu2jEdJGzx-JQagB7ZIZxn0wZpBSCthhG0uXsERa XMFamXWLYZtWdWyUSL6AUzcgRf0RRmcvk7yvH-T3dGiIJn4TXOnDp0DBW-MByTeHv Wrk5k24lpPq07QI6WCdj4b2qSsY0L_eW6zbI9f7Aq8868WMxQ" ]}}}¶
The device waiting to be connected uses the PollClaim transaction to receive notification of a claim having been posted.¶
The PollClaim transaction is used to discover if a claim has been posted to a published document.¶
When an authenticated, authorized request is made, the service responds with the latest claim posted to the publication.¶
The device in the example above periodically polls the service to which the device description is published to find if a claim has been registered.¶
The PollClaimRequest contains the account to which the document is published and the publication ID:¶
{
  "PollClaimRequest":{
    "PublicationId":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
    "TargetAccountAddress":"maker@example.com"}}¶
The response returns the latest claim made as a signed message:¶
{ "PollClaimResponse":{ "Status":201, "StatusDescription":"Operation completed successfully", "EnvelopedMessage":[{ "PayloadDigest":"wMSgIvLpoj69Rw_P_YJ7yXYvo18eCvgU3Hd8DgJ_ 07Jv0nqIkC4sZMGFGW6Ntl_3PVwk7bAj51GVrPwqzZ12sg", "EnvelopeId":"MBQG-HNR6-TNS7-5N2M-BN4R-ECNA-6ETO", "dig":"S512", "signatures":[{ "alg":"S512", "kid":"MBUX-YI5W-NTAH-UJN2-4FFC-4PAY-NI73", "signature":"fxh1PHK56aMoB9Qkbx3Kcv4UrPQkfGRCd9LwW4Un 3EcR_EqxpWaxZjcXFqdX6d4j9lEStBR2QxKAE_GCYpaXVOLOAVTbb4pwaV9fLDo8r FtlKfnFFoBZMslOfqcKsJrAnc4AQsT2H5nu6xZ0dq927jYA"} ], "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQ1dLLTdPTjQtVk IyUy0zSk9YLTZRWUktRUU1Vi1RSUhNIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD cmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDhaIn0", "SequenceInfo":{ "Index":1, "TreePosition":0}, "Received":"2021-10-25T15:49:08Z"}, "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiTWVzc2FnZUlkIjogIk5DV0 stN09ONC1WQjJTLTNKT1gtNlFZSS1FRTVWLVFJSE0iLAogICAgIlNlbmRlciI6ICJ hbGljZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogIm1ha2VyQGV4YW1w bGUuY29tIiwKICAgICJQdWJsaWNhdGlvbklkIjogIkVCUUstTFUzUC1WSkxULVpQR zctQjY2Ny1MNTNMLU1CRU4iLAogICAgIlNlcnZpY2VBdXRoZW50aWNhdGUiOiAiQU RRWC1TQlJBLTZBQ1gtWkdHQi1JVTNMLTJUWlMtVElLWiIsCiAgICAiRGV2aWNlQXV 0aGVudGljYXRlIjogIkFETkItU05FMi1HRUw1LUdRUVMtSkJVQi1UWTMyLUpHQ0Mi fX0", {} ]}}¶
The Operate transaction is used to perform one or more cryptographic operations using private key material recorded in the Threshold Catalog. Such operations typically represent one part of a threshold key operation divided between the service and a device connected to an account.¶
As with all operations involving the Access catalog, the request MUST meet the authentication criteria specified by the catalog entry. These typically include the request being authenticated by a specific key.¶
Key Agreement
CryptographicOperationKeyAgreement is used to request a threshold key agreement operation on a specified public key.¶
Alice added Bob to groupw@example.com as a member. This resulted in Bob receiving the invitation described in section ??? and the following access entry being added to the Access catalog of the group account:¶
{ "CatalogedAccess":{ "Capability":{ "CapabilityDecryptServiced":{ "Id":"MD6W-KDFX-PSF7-5NBQ-WFJE-34PL-7JWQ", "Active":true, "GranteeUdf":"bob@example.com", "EnvelopedKeyShare":[{ "enc":"A256CBC", "kid":"EBQL-CGOH-LPTR-WNYL-RXDU-7LK4-G4GZ", "Salt":"xUeBS0V_Z4GJV9s2N3OAPw", "recipients":[{ "kid":"MBBR-KLL4-YRFX-K63E-2DCT-6UGQ-Z5JC", "epk":{ "PublicKeyECDH":{ "crv":"X448", "Public":"2hYs3byJFTbFtPgYaBplYVgtBJOuYjMSvi8 BcCEFoOy8JRaOWg37ygj8m4hUjoZhPlC6bZ-MQEoA"}}, "wmk":"9iJlp63lB9Og5mog603Of1NJtrVsTFCC2GzUKDLv-P Hb3Dn9tNTepw"} ], "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJLZXlEYX RhIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmVhdGV kIjogIjIwMjEtMTAtMjVUMTU6NDk6MDBaIn0"}, "hY6vVvnbC6y-a5ULJNUh0aVv_YEIu1BRiTDS-gBY6nKX7tqs_oIMFR Qipj8bUHdtE46dYu2Ud0ue88CMOX3qsLTDP_5d7UgqKUk5yfr3nlSJzlKU7u3W7YF b9tOW-svw3sE4UncLN7vJ5V90bF9DUS_xek8s9SxnyeZxWY5z5GvCTJr0TxCO5hFh FR6Bwv2cwqG9eqyFhWCu4GrrgLUk-fk5rOdF9KTZW6g0wqg0xTUFDuY4tfTTwzp4N iffzB2rj88nOkvvW-6SwVVrExLY5E4l-7ClfnlBH-20Zz-z8faYy85gDl6zVGDyYd JelTPlRmlbM_tsW2NRyKNz4WCAreq_QZx3XBBqoKNi1CA4GdO2qiMOOE6NigTKB9C Rlc4EzUtwCU8Zdw6yUWxxCEtHoXVh8OpvWixTdmznouCLyDUVsvfx1dM-PIrSfbEl _K2v9IHZrtcgh5vahoaWY60ELJYLnARsvnWchyfZCgZMNbknDYiAyNAwxI_Wgm3xo 7vyTkF0ARe0-RWofxYlyzDcFk2yA6-edTAq0PHiOFSl3j90hVmcaWC903uI_keNGU 4egZ370UCWrFUz-O5woKJDllJu-GubgpJ5YTc628m-_6ASaVEw9G4uGiIx0oCcSqR SENXe9tnD90HkaZCCZhz2Cscfm8uRAVG9wasFrDjaKxUwf6N3nVjOmFVJwBl_G14i go4PmNHI2dgJBLqxlof76g" ]}}}}¶
The private key (in this case a key share) is encrypted under the service key.¶
To make use of the access entry, a request is made that specifies the key share to be operated on and the public key parameters to perform the agreement with.¶
The request payload:¶
{
  "OperateRequest":{
    "AccountAddress":"groupw@example.com",
    "Operations":[{
        "CryptographicOperationKeyAgreement":{
          "KeyId":"MD6W-KDFX-PSF7-5NBQ-WFJE-34PL-7JWQ",
          "PublicKey":{
            "PublicKeyECDH":{
              "crv":"X448",
              "Public":"mNrpSHZmFqcMBHYAwEyp0tUshHkBafWjCe3mDMcoV
  PIuqBhrbj5ZIpQdgfcS1BWgb5cwGXmIEPcA"}}}}
      ]}}¶
The service checks to see if the request is authorized and if so, performs the operation and returns the result:¶
{
  "OperateResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "Results":[{
        "CryptographicResultKeyAgreement":{
          "KeyAgreement":{
            "KeyAgreementECDH":{
              "Curve":"X448",
              "Result":"JmEGQN2398IzXNI4j1CG4ZWtLVk1u8P8SnBw1_cEQ
  Os5INanZUEewbDxEQp5ocl_QP0EnBoSdUMA"}}}}
      ]}}¶
Future: Currently, the access catalog is encrypted under the service encryption key. It would be better to encrypt the catalog under an encryption key specified by the service during the process of account binding. This would allow a service to assign a unique encryption key to each account and limit access to that key to the hosts servicing that specific account.¶
Threshold signature is planned but not currently supported.¶
Mesh Messaging is an asynchronous messaging service that allows exchange of information between devices connected to a Mesh account and between Mesh users.¶
To enable effective abuse mitigation, Mesh Messaging enforces a four-corner communication model in which all outbound and inbound messages pass through a Mesh Service which accredits and authorizes the messages on the user's behalf.¶
The Post transaction is only used to exchange messages between services. The client sends and receives messages through interactions with the outbound and inbound spools of the account.¶
To send a message, the client creates the Mesh Message structure, encapsulates it in a DARE Message and appends the message to the Outbound spool of the account using the Transact operation.¶
The DARE Message MUST be signed under the account signature key.¶
The Mesh Service receiving the message from the user's device MAY attempt immediate retransmission or queue it to be sent at a future time. Mesh Services SHOULD forward messages without undue delay.¶
The Post transaction forwarding the message to the destination service carries the same payload as the original request but is authenticated by the service forwarding it. This authentication MAY be by means of either profile or ticket authentication.¶
>>>> Unfinished ProtocolPostServiceService¶
[Not Yet Implemented]¶
After the message has been sent, the service updates the message status on the outbound spool.¶
Services SHOULD implement Denial of Service mitigation strategies including limiting the maximum time taken to complete a transaction and refusing connections from clients that engage in patterns of behavior consistent with abuse.¶
The limitation in message size allows Mesh Services to aggressively time out connections that take too long to complete a transaction. A Mesh Service that is hosted on a 10Mb/s link should be able to transfer 20 messages a second. If the service is taking more than 5 seconds to complete a transaction, either the source or the destination service is overloaded or the message itself is an attack.¶
Imposing hard constraints on Mesh Service performance requires deployments to scale and apply resources appropriately. If a service is attempting to transfer 100 messages simultaneously and 40% are taking 4 seconds or more, this indicates that the number of simultaneous transfers being attempted should be reduced. Contrariwise, if 90% are completed in less than a second, the number of threads allocated to sending outbound messages might be increased.¶
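The thresholds in the two paragraphs above can drive the outbound transfer limit directly. The following is an added example, not part of the draft or of any Mesh implementation: the class name, the sample window, and the halve/add-a-step adjustment policy are assumptions; only the 5 second, 4 second/40% and 1 second/90% figures come from the text.

```python
from collections import deque

# Figures taken from the text above.
TRANSACTION_TIMEOUT_S = 5.0          # longer than this: overload or attack, abort
SLOW_S, SLOW_FRACTION = 4.0, 0.40    # 40% taking 4 s or more -> reduce transfers
FAST_S, FAST_FRACTION = 1.0, 0.90    # 90% under 1 s -> transfers may be increased


class OutboundLimiter:
    """Adjusts the number of simultaneous outbound Post transfers.

    ASSUMPTION: multiplicative decrease / additive increase is one reasonable
    policy; the draft states only when to reduce or increase, not by how much.
    """

    def __init__(self, limit=100, floor=1, ceiling=400, step=10, window=100):
        self.limit = limit
        self.floor = floor
        self.ceiling = ceiling
        self.step = step
        self.samples = deque(maxlen=window)   # durations of recent transfers

    def record(self, seconds: float) -> bool:
        """Record one transfer duration. True means the caller should have
        aborted it because it exceeded the transaction timeout."""
        self.samples.append(seconds)
        return seconds > TRANSACTION_TIMEOUT_S

    def adjust(self) -> int:
        """Re-evaluate the limit once a full window of samples is available."""
        n = len(self.samples)
        if n < self.samples.maxlen:
            return self.limit                 # not enough evidence yet
        slow = sum(s >= SLOW_S for s in self.samples) / n
        fast = sum(s < FAST_S for s in self.samples) / n
        if slow >= SLOW_FRACTION:
            self.limit = max(self.floor, self.limit // 2)
        elif fast >= FAST_FRACTION:
            self.limit = min(self.ceiling, self.limit + self.step)
        self.samples.clear()                  # start a fresh observation window
        return self.limit
```

Transfers that hit the timeout are still counted as slow samples, so a destination that stalls connections pushes the limit down rather than tying up more threads.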
The inbound service MUST subject inbound messages to Access Control according to the credentials presented in the DARE Message payload.¶
After verifying the signature and checking that the key is properly accredited in accordance with site policy, the service applies authorization controls taking account of:¶
[This section to be expanded in future drafts]¶
Access control is effected through the usual division of authentication and authorization.¶
Authentication of operation requests is performed by the RUD layer [draft-hallambaker-mesh-rud].¶
If the authentication key presented has a matching Access Catalog entry, the device is authorized to perform operations as specified in that entry.¶
Message interactions are asynchronous interactions that occur between devices connected to the same account or between accounts.¶
All messages are signed by the sender and encrypted under the encryption key of the recipient if this is known to the sender.¶
The Message PIN Interaction is used to register and validate PIN codes used to authenticate certain transactions. This interaction allows a PIN code issued by one device to be consumed by another allowing for greater convenience in managing devices or contact exchange.¶
For example, Alice might delegate the PIN code issue privilege to her mobile device without delegating the administration privilege to that device. This would allow Alice to use her mobile device to initiate the connection of a large number of devices to her Mesh as her house is being built and approve them later using her administrative device.¶
Use of the Message PIN interaction is optional. An application that issues a PIN code to authenticate a message MAY store the PIN value within the application without persisting it to external storage.¶
Derivation of the SaltedPin, MessageId and Witness values from their respective inputs is described in the Schema Reference [draft-hallambaker-mesh-schema].¶
To register a PIN code to an Account, a device:¶
PIN code value¶
SaltedPin value for the specified Action¶
PinId binding the specified SaltedPin to the Account.¶
MessagePin containing the SaltedPin, Action and Account values with the MessageId value PinId.¶
MessagePin value to the Administration Spool of the Account.¶
Note that this construction provides limited protection against forgery attacks by a party with access to the MessagePin. A party with such access can use it to construct the witness value required to authenticate a request.¶
PIN Code values consist of an opaque sequence of octets represented as a UDF nonce value. Codes are presented in canonical UDF form, i.e. Base32 encoding separated into groups of 4 characters. The PIN value is converted to binary form for calculation of the SaltedPin, thus ensuring that the canonical form of the PIN value is used.¶
The PIN Code value is passed out of band to a user who will enter it into a device to authenticate a request made to the issuer.¶
A request that MAY be validated by means of a PIN is a subclass of MessagePinValidated and contains the following fields:¶
A DARE Envelope containing the data that is authenticated.¶
A nonce value used to prevent certain replay attacks.¶
Digest value binding the SaltedPin to the Account.¶
Witness value calculated as KDF (Device.UDF + AccountAddress, ClientNonce)¶
The device uses the PIN code and Action identifier corresponding to the desired request to calculate the SaltedPin value in the same manner as during registration. This value is then used to calculate the PinId and PinWitness values.¶
The PIN code is validated by performing the steps of:¶
SaltedPin value from the PIN code and Action¶
PinId from SaltedPin and Account¶
MessagePin from the Administration spool with the MessageId PinId.¶
PinWitness value from SaltedPin, ClientNonce and AuthenticatedData and checking this matches the value specified in the message.¶
Complete message to the Administration Spool of the Account marking the PIN code as used.¶
This process can fail at multiple points resulting in different error results:¶
PinInvalid
No PIN code is specified, the PIN code indicates an unsupported algorithm or the calculated PinWitness does not match the one specified by the request.¶
PinUsed
The PIN code has been used previously.¶
PinExpired
The PIN code is no longer valid.¶
Note that in the case that an attempt is made to reuse a PIN, it is not automatically the case that the first use of the PIN was the one that was valid and only the second attempt was invalid. Implementations SHOULD alert the user to the attempted re-use so that this possibility can be considered and appropriate action taken.¶
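The registration and validation steps above, with the three failure results, can be traced end to end in a small model. This is an added example, not code from the draft or the Mesh reference implementation. Assumptions: HMAC-SHA-256 stands in for the derivations that the Schema Reference actually defines, the spool is an in-memory object, the validator looks up the MessagePin by the PinId carried in the request, and the names `kdf`, `AdministrationSpool`, `register_pin`, `make_request`, `validate_request` and the "Accepted" result are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def kdf(key: bytes, *parts: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA-256 stand-in for the derivations defined in
    # draft-hallambaker-mesh-schema. Parts are length-prefixed so that
    # (b"ab", b"c") and (b"a", b"bc") produce different outputs.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def new_pin(octets: int = 10) -> str:
    # Constructed presentation form: Base32 in groups of 4 (no UDF type prefix).
    text = base64.b32encode(secrets.token_bytes(octets)).decode().rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def pin_to_binary(pin: str) -> bytes:
    # Convert to binary before hashing so "abcd efgh" and "ABCD-EFGH" agree.
    text = "".join(pin.split()).replace("-", "").upper()
    if not text:
        raise ValueError("no PIN code specified")
    return base64.b32decode(text + "=" * (-len(text) % 8))


def salted_pin(pin: str, action: str) -> bytes:
    return kdf(pin_to_binary(pin), b"SaltedPin", action.encode())


def pin_id(salted: bytes, account: str) -> str:
    return kdf(salted, b"PinId", account.encode()).hex()


def pin_witness(salted: bytes, client_nonce: bytes, authenticated_data: bytes) -> bytes:
    return kdf(salted, b"PinWitness", client_nonce, authenticated_data)


class AdministrationSpool:
    """In-memory model: MessagePin entries plus the ids closed by Complete messages."""

    def __init__(self):
        self.message_pins = {}
        self.completed = set()


def register_pin(spool, account, action, now, lifetime=timedelta(days=1)) -> str:
    pin = new_pin()
    salted = salted_pin(pin, action)
    message_id = pin_id(salted, account)          # MessageId of the MessagePin is the PinId
    spool.message_pins[message_id] = {
        "MessageId": message_id, "Account": account, "Action": action,
        "SaltedPin": salted, "Expires": now + lifetime}
    return pin                                    # handed to the user out of band


def make_request(pin, action, account, authenticated_data: bytes) -> dict:
    # Requesting device: derive everything from the PIN the user typed in.
    salted = salted_pin(pin, action)
    nonce = secrets.token_bytes(16)
    return {"PinId": pin_id(salted, account), "ClientNonce": nonce,
            "AuthenticatedData": authenticated_data,
            "PinWitness": pin_witness(salted, nonce, authenticated_data)}


def validate_request(spool, request: dict, now) -> str:
    entry = spool.message_pins.get(request.get("PinId"))
    if entry is None:
        return "PinInvalid"                       # unknown PIN, account or action
    expected = pin_witness(entry["SaltedPin"], request["ClientNonce"],
                           request["AuthenticatedData"])
    if not hmac.compare_digest(expected, request["PinWitness"]):
        return "PinInvalid"                       # witness does not cover this data
    if entry["MessageId"] in spool.completed:
        return "PinUsed"                          # caller should alert the user
    if now >= entry["Expires"]:
        return "PinExpired"
    spool.completed.add(entry["MessageId"])       # models appending the Complete message
    return "Accepted"                             # hypothetical success label
```

Because the witness is recomputed from the stored SaltedPin, anything that can read the MessagePin entry can also produce a valid witness, which is the limitation the text notes.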
Alice connects a device using a QR code presented by her administrative device.¶
The administration device creates a PIN code and records it to the Local spool. The message specifies the salted PIN value used to verify attempts to use the PIN and the action for which it is authorized. Since this PIN has been issued to authorize a device connection, the message specifies the roles for which the device is authorized as well. This allows the connection request to be accepted without asking for further input from the user.¶
{
  "MessagePin":{
    "MessageId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
    "Account":"alice@example.com",
    "Expires":"2021-10-26T15:49:02Z",
    "Automatic":true,
    "SaltedPin":"ADL6-MGFR-DK2V-XMCH-Y4VK-FG4R-AIDL",
    "Action":"Device",
    "Roles":["threshold"
      ]}}¶
Completion messages are dummy messages that are added to a Mesh Spool to mark a change in the status of messages previously posted. Any message that is in the inbound spool and has not been erased or redacted MAY be marked as read, unread or deleted. Any message in the outbound spool MAY be marked as sent, received or deleted.¶
Services MAY erase or redact messages in accordance with local site policy. Since messages are not removed from the spool on being marked deleted, they may be undeleted by marking them as read or unread. Marking a message deleted MAY make it more likely that the message will be removed if the sequence is subsequently purged.¶
After using the PIN code to authenticate connection of a device in the previous example, the corresponding MessagePin is marked as having been used by appending a completion message to the Local spool.¶
{
  "MessageComplete":{
    "MessageId":"NCGB-6PXA-YG6T-GSC3-37HF-5QG2-SC43",
    "References":[{
        "MessageId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
        "ResponseId":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW",
        "Relationship":"Closed"}
      ]}}¶
The completion message is added to the spool in the same upload transaction that adds the device to the device catalog. This ensures that both operations occur or neither occurs.¶
The contact exchange interaction is used to support unilateral or mutual exchange of contact information. Contact exchange has three functions in the Mesh:¶
Registration of the subject's contact information in a registry service eliminates the need for the first of these functions but not the other two. To prevent abuse, every Mesh Message is subject to access control and a Mesh service will only accept a message from a sender if there is an entry in the Threshold Catalog of the account that expressly permits delivery of messages of the specified type that are authenticated by an authorized signature key.¶
The communication of unsolicited information afforded by the contact exchange interaction is deliberately limited so that a majority of users can accept contact exchange requests without prior authorization. It is however likely that some users will receive a considerable volume of requests forcing them to require contact requests be authorized through some form of third party accreditation.¶
The Remote Contact Exchange transaction consists of a sequence of MessageContact messages sent from the initiator to the responder, responder to the initiator, etc. While there is in principle no limit on the number of messages exchanged, most exchanges will be completed in three exchanges or fewer:¶
Contains Initiator contact data without authentication context from the exchange.¶
Contains Responder contact data authenticated under a PIN challenge presented in the previous message.¶
Contains Initiator contact data authenticated under a PIN challenge presented in the previous message.¶
Each message provides the recipient with additional information which MAY motivate the recipient to provide additional contact information to the sender.¶
{ "MessageContact":{ "MessageId":"NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT", "Sender":"bob@example.com", "Recipient":"alice@example.com", "AuthenticatedData":[{ "dig":"S512", "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb250YWN0UG Vyc29uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmV hdGVkIjogIjIwMjEtMTAtMjVUMTU6NDg6NTJaIn0"}, "ewogICJDb250YWN0UGVyc29uIjogewogICAgIkFuY2hvcnMiOiBbewogIC AgICAgICJVZGYiOiAiTUJYVy1OUFdWLVY3SlEtUVI3Ri1GUDVLLVA1U0EtSkI0SCI sCiAgICAgICAgIlZhbGlkYXRpb24iOiAiU2VsZiJ9XSwKICAgICJOZXR3b3JrQWRk cmVzc2VzIjogW3sKICAgICAgICAiQWRkcmVzcyI6ICJib2JAZXhhbXBsZS5jb20iL AogICAgICAgICJFbnZlbG9wZWRQcm9maWxlQWNjb3VudCI6IFt7CiAgICAgICAgIC AgICJFbnZlbG9wZUlkIjogIk1CWFctTlBXVi1WN0pRLVFSN0YtRlA1Sy1QNVNBLUp CNEgiLAogICAgICAgICAgICAiZGlnIjogIlM1MTIiLAogICAgICAgICAgICAiQ29u dGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpaQ0k2SUNKTlFsaFhMVTVRV jFZdFZqZEtVUzEKICBSVWpkR0xVWlFOVXN0VURWVFFTMUtRalJJSWl3S0lDQWlUV1 Z6YzJGblpWUjVjR1VpT2lBaVVISnZabWxzWgogIFZWelpYSWlMQW9nSUNKamRIa2l PaUFpWVhCd2JHbGpZWFJwYjI0dmJXMXRMMjlpYW1WamRDSXNDaUFnSWtOCiAgeVpX RjBaV1FpT2lBaU1qQXlNUzB4TUMweU5WUXhOVG8wT0RvMU1sb2lmUSJ9LAogICAgI CAgICAgImV3b2dJQ0pRY205bWFXeGxWWE5sY2lJNklIc0tJQ0FnSUNKUWNtOW1hV3 gKICBsVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ1dGY3R UbEJYVmkxV04wcFJMVkZTTgogIDBZdFJsQTFTeTFRTlZOQkxVcENORWdpTEFvZ0lD QWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzCiAgS0lDQWdJQ0FnSUNBa VVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaV IKICBXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSmZXR2RaY21 WdGJFUnBiVU5JTjB3d1kxcAogIE9jREkzUW10NlFsSXdZalJYTVVaa01GSlNjbG8y YUZaNmFtSjFRbnBWY0hWaUNpQWdUVlZFUzJWa2FraFhZCiAgblY1TVVWMmMzcG5ib U5CWmsxQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFFXUmtjbVZ6Y3lJNklDSmliMk oKICBBWlhoaGJYQnNaUzVqYjIwaUxBb2dJQ0FnSWxObGNuWnBZMlZWWkdZaU9pQWl UVVF6TmkxUk5GTkRMVk0wVwogIFZvdFMxQlNVQzAzVnpSUUxWTk9VamN0VVUxRU1p SXNDaUFnSUNBaVJYTmpjbTkzUlc1amNubHdkR2x2YmlJCiAgNklIc0tJQ0FnSUNBZ 0lsVmtaaUk2SUNKTlFWZFZMVXBQTlZNdFVWVk5VUzFJUkROUExVaFZUa3d0VHpkSF 
UKICBTMUpTMFJLSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21GdFpYUmxjbk1pT2l CN0NpQWdJQ0FnSUNBZ0lsQgogIDFZbXhwWTB0bGVVVkRSRWdpT2lCN0NpQWdJQ0Fn SUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJCiAgQ0FnSUNBZ0lsQjFZb XhwWXlJNklDSnpjaTF0U0dKQkxWWTVWV0ZqVjNkcE1sZElNVTh4UkhaT1dtMUhNam QKICBUUWpkSU4yWXRiRUpGTmpaWWJtWnNWRWRMT1dKTkNpQWdObXhCWDFKRmRFa3l VSGQ1VkVKeVkwNXdZbXRmYQogIEdWQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFJX NWpjbmx3ZEdsdmJpSTZJSHNLSUNBZ0lDQWdJbFZrWmlJCiAgNklDSk5RMFJSTFVKV 1Z6VXRVazVTVmkxR1ZFTlpMVWhHVlRZdFVVbFBNaTFIUkZkUUlpd0tJQ0FnSUNBZ0 kKICBsQjFZbXhwWTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW1 4cFkwdGxlVVZEUkVnaU9pQgogIDdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJbGcw TkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxWW14cFl5STZJCiAgQ0p1WjNaMlpXcFhVM Ws1V0hwNVVFTkdibkpIVFVwSldFNXlVelF0UzJWMFZIbHhTemhOVW5nek1FVmpiMl IKICB1VFU5a1QyVm1DaUFnVm1WMVpscFZNMGhNV2tkT1NrTnJhbEZpUkZrMWRGVkJ JbjE5ZlN3S0lDQWdJQ0pCWgogIEcxcGJtbHpkSEpoZEc5eVUybG5ibUYwZFhKbElq b2dld29nSUNBZ0lDQWlWV1JtSWpvZ0lrMUJUelF0VlU5CiAgRk5DMU5TalpGTFZsV FVFTXRVMVpFVVMxTlJqUTNMVXBHUzBzaUxBb2dJQ0FnSUNBaVVIVmliR2xqVUdGeV kKICBXMWxkR1Z5Y3lJNklIc0tJQ0FnSUNBZ0lDQWlVSFZpYkdsalMyVjVSVU5FU0N JNklIc0tJQ0FnSUNBZ0lDQQogIGdJQ0pqY25ZaU9pQWlSV1EwTkRnaUxBb2dJQ0Fn SUNBZ0lDQWdJbEIxWW14cFl5STZJQ0kxVDJwMVRqazNTCiAgVlpwY0VGTlYyNVVlR 2gyU21VNWVIZFNiSFl0VEVOSVlUSXdWVlpCTmxKU1ZWWXpXbXAzWVZsbFpXNWxDaU EKICBnTTBweVdERkJNMTlLYzFwTU16SldRVUp3WWtSTlRWZEJJbjE5ZlN3S0lDQWd JQ0pCWTJOdmRXNTBRWFYwYQogIEdWdWRHbGpZWFJwYjI0aU9pQjdDaUFnSUNBZ0lD SlZaR1lpT2lBaVRVRktOUzFLVGtwTExUVkJXRFV0V0VGCiAgVlJ5MVhUVFJPTFZVM VRGWXRXa0pKU2lJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2 UKICB3b2dJQ0FnSUNBZ0lDSlFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUN BZ0lDQWdJbU55ZGlJNklDSgogIFlORFE0SWl3S0lDQWdJQ0FnSUNBZ0lDSlFkV0pz YVdNaU9pQWlTbEIzVVZZdFJVNWpSR05UTXpCNWFXNXRUCiAgV0ZpVUVKQlFuZ3hUV Gx4V0dvMFJVcHBOekJaVlVJMlJsUjBZMU42YTBadVl3b2dJRVp6VmpOeWVHRlVaMl YKICBNV2xwTWVEUm9SRE5DUjFwbFFTSjlmWDBzQ2lBZ0lDQWlRV05qYjNWdWRGTnB aMjVoZEhWeVpTSTZJSHNLSQogIENBZ0lDQWdJbFZrWmlJNklDSk5RbFZhTFRSTVUx 
Z3RRVWRTUmkwMFZVWldMVUZSVlRJdFZGRkJSeTFXV0V4CiAgRklpd0tJQ0FnSUNBZ 0lsQjFZbXhwWTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cF kKICAwdGxlVVZEUkVnaU9pQjdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJa1ZrTkR RNElpd0tJQ0FnSUNBZ0lDQQogIGdJQ0pRZFdKc2FXTWlPaUFpYjFCQlNXOVZNWFZU TFhvME9GRmFPVjkwV2xCMk4yeHlSR3RvUTBOd1NYQk9kCiAgV1JLYjFOS2JXbDRkV 1JTZURCeVEwNVdXQW9nSUc1WVMzUmZUR2xHVG5WbVUySnBjMDF3WWxRNFowTTRRU0 oKICA5ZlgxOWZRIiwKICAgICAgICAgIHsKICAgICAgICAgICAgInNpZ25hdHVyZXM iOiBbewogICAgICAgICAgICAgICAgImFsZyI6ICJTNTEyIiwKICAgICAgICAgICAg ICAgICJraWQiOiAiTUJYVy1OUFdWLVY3SlEtUVI3Ri1GUDVLLVA1U0EtSkI0SCIsC iAgICAgICAgICAgICAgICAic2lnbmF0dXJlIjogIjNISnlVall2MWQyVXlIMGlIUE 9rTEdXWHZ6UFZBR1Fwak5FZEkyc2k3Tl9nTXZCeTgKICBLVFJWLV80ZnptZ2tvWkw 0NnlOdGhCRHkyU0F2ZFVLdFVWUTc0c0NsQlY1aDFLSFpkcm41Wl84ekk3d0lGbAog IHM3MTZVUnFOa0tvdlV0OWhkQnN0emw2WURfZllWWjhSUExkMDlQQjhBIn1dLAogI CAgICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJDUDMxdlhrdUtFQS0tNUdaWWJ1TV VMZHV4dFdmZmYyZEs3RUFCLVRZX0RCSzEKICB0ZnB2Z2FiMm5zRjh4Y3JYRGZDRUp KQllFamd4TzFXbHJGMWl6amV2QSJ9XSwKICAgICAgICAiUHJvdG9jb2xzIjogW3sK ICAgICAgICAgICAgIlByb3RvY29sIjogIm1tbSJ9XX1dfX0", { "signatures":[{ "alg":"S512", "kid":"MBUZ-4LSX-AGRF-4UFV-AQU2-TQAG-VXLE", "signature":"DbnBy9SoZHXD9EUbFvBpQW7KEKnNm-EUKMdvNE_b J6QU-8gVevRj1BQbnnnTt8EtA6WiTl-vMQ2ATfDuFXt8r9FtataQKWOSBq_zWqXBY KQiQtP0ROgYAr7b8VavWhXpJbScrFg_RDrdVo8PIPdsmDkA"} ], "PayloadDigest":"ZFUZc0MO__xinLcbyzTF33GyMZ3pqFe1WQhimoDJ YCGrwEvyBnsMTV4LDG3oYbwYJQQzyEF2LRC3pD76R4AcrQ"} ], "Reply":true, "Subject":"alice@example.com", "PIN":"AAIE-IVI5-54XO-5PHG-VE62-FFS7-62GQ"}}¶
The Mesh Contact Exchange transaction does not provide for validation of the contact information beyond the binding to the Mesh Account Address used to perform the exchange.¶
Contact exchange requests MAY be authenticated by a PIN code. Initial contact exchange requests SHOULD include a PIN code value that can be used to authenticate a response (if given). PIN codes MAY also be exchanged out of band.¶
A MessageContact authenticated by means of a PIN code is authenticated as described in the PIN Interaction section above.¶
The GroupInvitation interaction is used to invite a recipient to join a Mesh Group. The interaction is essentially a form of contact exchange except that a sender SHOULD NOT send group invitations unless there is an existing relationship. Thus the 'first trust' issues intrinsic to the contact exchange interaction do not apply.¶
The message specifies the group name and the contact entry for the group. The contact entry includes the CapabilityDecryptServiced used to decrypt messages sent to the group when combined with information provided by the threshold service for the group.¶
Receipt of a GroupInvitation message does not require a response.¶
>>>> Unfinished ProtocolGroupInvite¶
Missing example 3¶
The confirmation interaction consists of a RequestConfirmation message from the initiator followed by a ResponseConfirmation from the responder.¶
The RequestConfirmation message specifies the action that is requested.¶
The ResponseConfirmation message contains the enveloped RequestConfirmation message signed by the initiator and the disposition of the responder, Accept = true if the request is accepted and Accept = false otherwise.¶
The service sends out the following request:¶
{
  "RequestConfirmation":{
    "MessageId":"NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ",
    "Sender":"console@example.com",
    "Recipient":"alice@example.com",
    "Text":"start"}}¶
Alice accepts the request and returns the following response:¶
{ "ResponseConfirmation":{ "MessageId":"MCT4-SVZ2-BL5Y-DR5B-TF4S-WIGH-CJTM", "Sender":"alice@example.com", "Recipient":"console@example.com", "Request":[{ "EnvelopeId":"MDVA-HSIH-UJBT-PEVO-GZNQ-JF3O-YHTM", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOREFELUtMSlktQz VKTy1KR1hMLVZVV0ctWTZQUC1QU0ZKIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV zdENvbmZpcm1hdGlvbiIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0 IiwKICAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ4OjU3WiJ9", "SequenceInfo":{ "Index":4, "TreePosition":6201}, "Received":"2021-10-25T15:48:57Z"}, "ewogICJSZXF1ZXN0Q29uZmlybWF0aW9uIjogewogICAgIk1lc3NhZ2VJZC I6ICJOREFELUtMSlktQzVKTy1KR1hMLVZVV0ctWTZQUC1QU0ZKIiwKICAgICJTZW5 kZXIiOiAiY29uc29sZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogImFs aWNlQGV4YW1wbGUuY29tIiwKICAgICJUZXh0IjogInN0YXJ0In19", {} ], "Accept":true}}¶
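A check the initiator can run before acting on the Accept value, shown as an added example (not part of the draft or its reference code): it confirms that the enveloped request is the one that was actually sent and that the disposition is a real boolean. The request values and the ContentMetaData field names are taken from the example above; `build_response` and the sample it produces are constructed here, and signature verification is not covered.

```python
import base64
import json


class BindingError(ValueError):
    """The response is not a valid answer to the request that was sent."""


def b64url_decode(text):
    # Envelope fields are base64url without padding; also tolerate the line
    # wrapping introduced when long values are copied from rendered text.
    compact = "".join(text.split())
    return base64.urlsafe_b64decode(compact + "=" * (-len(compact) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def confirmation_decision(sent, response):
    """Return the responder's Accept value, or raise BindingError.

    Checks binding only. Verifying the envelope signature needs the Mesh
    key material and is outside this example.
    """
    req = sent["RequestConfirmation"]
    try:
        rsp = response["ResponseConfirmation"]
        header, payload = rsp["Request"][0], rsp["Request"][1]
        meta = json.loads(b64url_decode(header["ContentMetaData"]))
        echoed = json.loads(b64url_decode(payload))
    except (KeyError, IndexError, TypeError, AttributeError, ValueError) as exc:
        raise BindingError("malformed response: %r" % (exc,)) from exc
    # The enveloped payload must be exactly the request we issued, so an
    # acceptance given for one request cannot be replayed against another.
    if echoed != sent:
        raise BindingError("enveloped request differs from the request sent")
    if not isinstance(meta, dict) or meta.get("MessageType") != "RequestConfirmation" \
            or meta.get("UniqueId") != req["MessageId"]:
        raise BindingError("envelope metadata does not describe the request")
    # The answer must come from the party that was asked, addressed to us.
    if (rsp.get("Sender"), rsp.get("Recipient")) != (req["Recipient"], req["Sender"]):
        raise BindingError("response is not from the party that was asked")
    # A string such as "false" is truthy in most languages: insist on a boolean.
    accept = rsp.get("Accept")
    if not isinstance(accept, bool):
        raise BindingError("Accept must be a JSON boolean")
    return accept


def is_rejected(sent, response):
    try:
        confirmation_decision(sent, response)
    except BindingError:
        return True
    return False


def build_response(request, message_id, accept):
    """Constructed responder side, laid out like the example on this page."""
    req = request["RequestConfirmation"]
    meta = {"UniqueId": req["MessageId"], "MessageType": "RequestConfirmation",
            "cty": "application/mmm/object"}
    envelope = [
        {"ContentMetaData": b64url_encode(json.dumps(meta).encode())},
        b64url_encode(json.dumps(request).encode()),
        {},  # signature trailer, empty as in the page's example
    ]
    return {"ResponseConfirmation": {
        "MessageId": message_id, "Sender": req["Recipient"],
        "Recipient": req["Sender"], "Request": envelope, "Accept": accept}}


# The request shown on this page.
REQUEST = {"RequestConfirmation": {
    "MessageId": "NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ",
    "Sender": "console@example.com",
    "Recipient": "alice@example.com",
    "Text": "start"}}

if __name__ == "__main__":
    good = build_response(REQUEST, "MCT4-SVZ2-BL5Y-DR5B-TF4S-WIGH-CJTM", True)
    print("accepted:", confirmation_decision(REQUEST, good))
    other = {"RequestConfirmation": dict(REQUEST["RequestConfirmation"], Text="stop")}
    print("replayed against another request rejected:", is_rejected(other, good))
```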
Connection of a device to a Mesh Account combines synchronous and asynchronous elements and therefore uses a combination of Mesh Service Protocol and Mesh Messaging interactions.¶
Four connection interactions are currently defined to support connection of devices with different affordances:¶
For connecting devices that provide data entry and display affordances and are connected to a network. The account the device is to be connected to is entered into the device which displays a witness code. This code is then compared with a code displayed on the administration device to authenticate the request, after which both devices can complete the interaction.¶
A variation of the Witness Authenticated interaction in which the connection process is initiated by creating a PIN value which is communicated to the device by some out of band means and used to authenticate the connection request.¶
For connecting devices that provide a camera affordance. The user sets the administration device into 'add device' mode, causing a QR code to be displayed. The QR code is scanned by the device being connected after which both devices can complete the interaction. Implementation of this mechanism is identical to the PIN authenticated scheme except that the PIN code is presented to the connecting device by means of a QR code.¶
For connecting devices that have been preconfigured with a device profile identified by means of a QR Code containing an EARL. The QR code is scanned by the administration device after which both devices can complete the interaction.¶
Each of these interactions provides strong mutual authentication with minimal user effort.¶
The witness authenticated connection interaction is intended for use in cases in which the device is already connected to a network. The QR code interactions are intended to provide support for acquisition of networking capabilities as part of the connection process. These functions are not currently specified. The Static QR Code Authenticated interaction is intended to support Internet of Things (IoT) devices which provide minimal interaction affordances.¶
In each case, the objectives of the device connection interaction are the same:¶
The connection of the device to the Mesh Account is achieved through the creation of the ActivationDevice, ConnectionDevice and CataloguedDevice records described in [draft-hallambaker-mesh-schema]. These are created by the administration device in the third phase of each of the connection interactions described below and acquired by the onboarding device in the fourth phase.¶
The witness authenticated, PIN authenticated, and Dynamic QR code interactions all follow a common interaction pattern.¶
The Dynamic QR Code (PIN) Authenticated interaction comprises four phases as follows:¶
A PIN code is created and registered with the PIN Registration interaction described earlier and transmitted to the user by an out of band communication. In the case of the Dynamic QR code interaction, this is a QR code that is scanned by the connecting device.¶
The onboarding device creates a RequestConnect message. In the PIN authenticated and Dynamic QR Code interactions, the RequestConnect is authenticated by the Device Authentication key and the PIN issued earlier. In the Witness Authenticated interaction, it is authenticated by the Device Authentication key alone.¶
The onboarding device presents the RequestConnect message to the service by means of a Connect operation to the service servicing the account. This results in the exchange of the account and device profiles and the computation of a witness value from the two profile fingerprints and two nonce values specified by the onboarding device and the service. An AcknowledgeConnection message is posted to the Inbound spool of the account and returned to the connecting device.¶
The account holder authenticates the RequestConnect message and uses an administrative device to accept or reject the connection request.¶
If the RequestConnect message has been authenticated by a PIN code, the connection request can be accepted automatically without additional user interaction.¶
The onboarding device periodically polls the service for acceptance of the request by the administration device using the Complete transaction.¶
The use of the PIN code to authenticate the request message is shown in $$$$.¶
The PIN code MAY be presented to the onboarding device in any format accepted by the device. Administration devices MAY support presentation of the account address PIN code as a URI code. Administration devices SHOULD support presentation of the account address PIN code as a QR code containing the corresponding URI.¶
Alice> account pin /threshold
PIN=ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM (Expires=2021-10-26T15:49:02Z)¶
The registration of this PIN value was shown earlier in section $$$¶
The URI containing the account address and PIN is:¶
mcu://alice@example.com/ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM¶
The onboarding device scans the QR code to obtain the account address and PIN code. The PIN code is used to authenticate a connection request:¶
Alice3> device request alice@example.com /pin ^
    ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM
   Device UDF = MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
   Witness value = 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV¶
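One way an onboarding device could validate the scanned `mcu://` URI before using its contents, shown as an added example (not part of the draft or its reference code). The PIN character set and grouping, the address pattern and the length cap are assumptions inferred from the values on this page, not rules stated by the draft.

```python
import re
from urllib.parse import urlsplit

# Assumption inferred from the values on this page: base32 characters
# (A-Z, 2-7) in dash-separated groups of four, last group may be shorter.
PIN_RE = re.compile(r"[A-Z2-7]{4}(?:-[A-Z2-7]{4})*(?:-[A-Z2-7]{1,3})?")
# Deliberately conservative account address pattern (assumption).
ADDRESS_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+")
MAX_URI_LENGTH = 256  # hypothetical cap on the scanned text


class ConnectUriError(ValueError):
    """The scanned text is not an acceptable mcu:// connection URI."""


def parse_connect_uri(uri):
    """Return (account_address, pin) or raise ConnectUriError."""
    if len(uri) > MAX_URI_LENGTH:
        raise ConnectUriError("URI too long")
    # urlsplit silently drops tabs and newlines, so reject them first.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri):
        raise ConnectUriError("whitespace or control character in URI")
    # The format on this page has no query or fragment part at all.
    if "?" in uri or "#" in uri:
        raise ConnectUriError("unexpected query or fragment")
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        raise ConnectUriError("unparseable URI") from exc
    if parts.scheme != "mcu":
        raise ConnectUriError("scheme is not mcu")
    # The authority must be exactly local@domain: no password, no port.
    if not ADDRESS_RE.fullmatch(parts.netloc):
        raise ConnectUriError("authority is not a plain account address")
    # Exactly one path segment, which is the PIN.
    pin = parts.path[1:]
    if not parts.path.startswith("/") or not PIN_RE.fullmatch(pin):
        raise ConnectUriError("path is not a single well-formed PIN")
    return parts.netloc, pin


def is_acceptable(uri):
    try:
        parse_connect_uri(uri)
    except ConnectUriError:
        return False
    return True


if __name__ == "__main__":
    # The URI shown on this page.
    print(parse_connect_uri(
        "mcu://alice@example.com/ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM"))
    # Constructed malformed inputs.
    for bad in ("https://alice@example.com/ABQR-GO5I",
                "mcu://alice@example.com:8080/ABQR-GO5I",
                "mcu://alice@example.com/ABQR-GO5I/extra"):
        print(bad, "->", is_acceptable(bad))
```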
The device generates a RequestConnect message as follows:¶
{ "RequestConnection":{ "MessageId":"NA46-HSVG-N5NU-EXKZ-4X7G-GSF7-DUWS", "AuthenticatedData":[{ "EnvelopeId":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQ1ZOLVhMTFQtTE xOVy1VNEhSLUJPTUctUkE2Wi1VV1JSIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAyWiJ9"}, "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1cm UiOiB7CiAgICAgICJVZGYiOiAiTUNWTi1YTExULUxMTlctVTRIUi1CT01HLVJBNlo tVVdSUiIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJs aWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgI CAiUHVibGljIjogImQzMlg1b3NHMUtPRTVvbWZWTUZqREs0MF84eGJ5RTNrZlV3T3 dUYlBXMXZJeW8zQ0NOdkoKICA5aXBseTFBMlg4TjVMejhXSXRTWml3S0EifX19LAo gICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTURNVy1XQ0lSLUZKTU8t N1pINi1DTjNKLUtVWkwtUkxBWCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjoge wogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYND Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAibnRfcHU0WVJieXIwWUxNY1JXdmlNLXJ UWlhXZlB1UVhWa1h0TWdud2hweUVXdjBHUmpsaAogIDlVcnBPc21jVTI3LWxtenhJ T3dTWGpBQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CM lUtNkdNNy1QSEkzLTNVVU4tTElaNi1VVUdKLUlXNVEiLAogICAgICAiUHVibGljUG FyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICA gICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJVbmk2NUVYY0RY YmVXaW1RbFk5OXhhSG5SWmpiSFpBS2lUNmRlZDR0MWp2TGpFVmhMb3lYCiAgVlFra WRoZ1lsV21fRHM2ODdPdUpoX1VBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IH sKICAgICAgIlVkZiI6ICJNQklDLUIyS0QtQkJSWC1HNFBELTRJMk8tUE1ETi1XT1d BIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Y mxpYyI6ICJ5cGJTV1ZnSHEwb25oT2tUT1F4MUNkZ3dIRVRQTElSTVQ1aW1SS0pfMG ozVzBKZnktVk5uCiAgOTJmTzZrSFl0M2dTb0hXSm04TXZWNHdBIn19fX19", { "signatures":[{ "alg":"S512", "kid":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR", "signature":"FPjcCzr7s0FbUHrZOOhUGuesUNBJONX9Fe-C__87 
eykHW5UOylLhnfxfkULQVRIY3gdFgfLSJ5mALYQ3v9RLJthdPhMpxDfuyIiD3Vt-c ho2QGaSq7imO-ZlKZLP_jwO48AnqcNZnJwcdKMFhkzZDjkA"} ], "PayloadDigest":"HgKI5VcczlRi0_H9mEeby_Ylk8zCTleLmhzeWVof kWccfgpClI1hRH3fn_JUAJZqau76o2AaUTPu3-Deu9TXaw"} ], "ClientNonce":"-pyukA8KJqdvV_hePIKFZQ", "PinId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2", "PinWitness":"wV04crBaf7h-5fclVAGMIsy5ZUZnKcqbPXDUbuZfXYozuI9 ZB-emewnq2awvpw6i7oFvgY-oW0jQrUYqJSTWDg", "AccountAddress":"alice@example.com"}}¶
The service receives the connect request and authenticates the message under the device key. The service cannot authenticate the message under the PIN code because that is not known to the service as the service cannot decrypt the local spool.¶
Having authenticated the connect request, the service generates a random nonce value. The random nonce together with the device and account profiles are used to calculate the witness value.¶
The AcknowledgeConnection message is created by the service:¶
{ "AcknowledgeConnection":{ "MessageId":"2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV", "EnvelopedRequestConnection":[{ "EnvelopeId":"MDKW-3KOD-ZTW6-MRIB-AARK-UACM-PDOZ", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"}, "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi AiTkE0Ni1IU1ZHLU41TlUtRVhLWi00WDdHLUdTRjctRFVXUyIsCiAgICAiQXV0aGV udGljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1DVk4tWExM VC1MTE5XLVU0SFItQk9NRy1SQTZaLVVXUlIiLAogICAgICAgICJkaWciOiAiUzUxM iIsCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWk NJNklDSk5RMVpPTFZoTVRGUXRURXhPVnkxCiAgVk5FaFNMVUpQVFVjdFVrRTJXaTF WVjFKU0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxk bWxqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV 04wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJeExURXdMVEkxVkRFMU9qUT VPakF5V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V 3b2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNK VlpHWWlPaUFpVFVOV1RpMVlURXhVTFV4TVRsY3RWCiAgVFJJVWkxQ1QwMUhMVkpCT mxvdFZWZFNVaUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KIC BnZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0F nSUNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmli R2xqSWpvZ0ltUXpNbGcxYjNOSE1VdFBSVFZ2YldaCiAgV1RVWnFSRXMwTUY4NGVHS jVSVE5yWmxWM1QzZFVZbEJYTVhaSmVXOHpRME5PZGtvS0lDQTVhWEJzZVRGQk0KIC BsZzRUalZNZWpoWFNYUlRXbWwzUzBFaWZYMTlMQW9nSUNBZ0lrVnVZM0o1Y0hScGI yNGlPaUI3Q2lBZ0lDQQogIGdJQ0pWWkdZaU9pQWlUVVJOVnkxWFEwbFNMVVpLVFU4 dE4xcElOaTFEVGpOS0xVdFZXa3d0VWt4QldDSXNDCiAgaUFnSUNBZ0lDSlFkV0pzY VdOUVlYSmhiV1YwWlhKeklqb2dld29nSUNBZ0lDQWdJQ0pRZFdKc2FXTkxaWGwKIC BGUTBSSUlqb2dld29nSUNBZ0lDQWdJQ0FnSW1OeWRpSTZJQ0pZTkRRNElpd0tJQ0F nSUNBZ0lDQWdJQ0pRZAogIFdKc2FXTWlPaUFpYm5SZmNIVTBXVkppZVhJd1dVeE5Z MUpYZG1sTkxYSlVXbGhYWmxCMVVWaFdhMWgwVFdkCiAgdWQyaHdlVVZYZGpCSFVtc 
HNhQW9nSURsVmNuQlBjMjFqVlRJM0xXeHRlbmhKVDNkVFdHcEJRU0o5Zlgwc0MKIC BpQWdJQ0FpVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ01 sVXROa2ROTnkxUVNFawogIHpMVE5WVlU0dFRFbGFOaTFWVlVkS0xVbFhOVkVpTEFv Z0lDQWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljCiAgeUk2SUhzS0lDQWdJQ0FnS UNBaVVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjblkKIC BpT2lBaVJXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSlZibWs yTlVWWVkwUllZbVZYYQogIFcxUmJGazVPWGhoU0c1U1dtcGlTRnBCUzJsVU5tUmxa RFIwTVdwMlRHcEZWbWhNYjNsWUNpQWdWbEZyYVdSCiAgb1oxbHNWMjFmUkhNMk9EZ FBkVXBvWDFWQkluMTlmU3dLSUNBZ0lDSkJkWFJvWlc1MGFXTmhkR2x2YmlJNkkKIC BIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKTlFrbERMVUl5UzBRdFFrSlNXQzFITkZCRUx UUkpNazh0VUUxRVRpMQogIFhUMWRCSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21G dFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ0lsQjFZCiAgbXhwWTB0bGVVVkRSRWdpT 2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJQ0EKIC BnSUNBZ0lsQjFZbXhwWXlJNklDSjVjR0pUVjFablNIRXdiMjVvVDJ0VVQxRjRNVU5 rWjNkSVJWUlFURWxTVAogIFZRMWFXMVNTMHBmTUdvelZ6Qktabmt0Vms1dUNpQWdP VEptVHpaclNGbDBNMmRUYjBoWFNtMDRUWFpXTkhkCiAgQkluMTlmWDE5IiwKICAgI CAgewogICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgImFsZyI6IC JTNTEyIiwKICAgICAgICAgICAgImtpZCI6ICJNQ1ZOLVhMTFQtTExOVy1VNEhSLUJ PTUctUkE2Wi1VV1JSIiwKICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJGUGpjQ3py N3MwRmJVSHJaT09oVUd1ZXNVTkJKT05YOUZlLUNfXzg3ZXlrSFc1VU95CiAgbExob mZ4ZmtVTFFWUklZM2dkRmdmTFNKNW1BTFlRM3Y5UkxKdGhkUGhNcHhEZnV5SWlEM1 Z0LWNobzJRR2EKICBTcTdpbU8tWmxLWkxQX2p3TzQ4QW5xY05abkp3Y2RLTUZoa3p aRGprQSJ9XSwKICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJIZ0tJNVZjY3psUmkw X0g5bUVlYnlfWWxrOHpDVGxlTG1oemVXVm9ma1djY2YKICBncENsSTFoUkgzZm5fS lVBSlpxYXU3Nm8yQWFVVFB1My1EZXU5VFhhdyJ9XSwKICAgICJDbGllbnROb25jZS I6ICItcHl1a0E4S0pxZHZWX2hlUElLRlpRIiwKICAgICJQaW5JZCI6ICJBQVBPLVB VQ0stQUlZWi1GU09YLU9CSTUtWVpaQi1SVlQyIiwKICAgICJQaW5XaXRuZXNzIjog IndWMDRjckJhZjdoLTVmY2xWQUdNSXN5NVpVWm5LY3FiUFhEVWJ1WmZYWW96dUk5W gogIEItZW1ld25xMmF3dnB3Nmk3b0Z2Z1ktb1cwalFyVVlxSlNUV0RnIiwKICAgIC JBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSJ9fQ" ], 
"ServerNonce":"qO9R3oT24EDO5GCYlYCBsg", "Witness":"2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV"}}¶
The AcknowledgeConnection message is appended to the Inbound spool of the account to which connection was requested so that the user can approve the request. The ConnectResponse message is returned to the device containing the AcknowledgeConnection message and the profile of the account.¶
The device generates the witness value, verifies it against the value provided by the server and presents it to the user as seen in the console example above.¶
The user synchronizes their pending messages:¶
Alice> message pending
MessageID: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
        Connection Request::
        MessageID: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
        To:  From:
        Device:  MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
        Witness: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
MessageID: NCVP-LUEL-F3OI-QOAM-HND2-WG5Z-346D
        Group invitation::
        MessageID: NCVP-LUEL-F3OI-QOAM-HND2-WG5Z-346D
        To: alice@example.com From: alice@example.com
MessageID: NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ
        Confirmation Request::
        MessageID: NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ
        To: alice@example.com From: console@example.com
        Text: start
MessageID: NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT
        Contact Request::
        MessageID: NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT
        To: alice@example.com From: bob@example.com
        PIN: AAIE-IVI5-54XO-5PHG-VE62-FFS7-62GQ
Alice> account sync /auto¶
The administration device determines that the device connection request is authenticated by a PIN code. The PIN code is retrieved and the message authenticated. This is shown in the PIN registration interaction example in section $$$ above.¶
Bug: This command is currently showing superfluous pending messages due to the failure to clear messages processed in earlier examples.¶
The Cataloged device record is created from the public key values corresponding to the combination of the public keys in the device profile and those defined by the activation.¶
This is returned to the onboarding device by wrapping it in a RespondConnection message posted to the local spool of the account.¶
{ "RespondConnection":{ "MessageId":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW", "Result":"Accept", "CatalogedDevice":{ "DeviceUdf":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR", "EnvelopedProfileUser":[{ "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0t UVhKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ mlsZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIk NyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"}, "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJl IjogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzL VUzQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibG ljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICA gIlB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUky bWRJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKI CAgICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2 VydmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiw KICAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhR SC1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ld GVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcn YiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3F FQzNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNS Vmo0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogI CAgICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLA ogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUN ESCI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGlj IjogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwS GdCbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbW luaXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVF GWU0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJz IjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6I CJFZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2 
lNUjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTB zaV9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsK ICAgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FII iwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleU VDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Ymx pYyI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3 OU5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY 2NvdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILV VKTjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHs KICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0 NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhe nZlNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF 84bC1SaUdBIn19fX19", { "signatures":[{ "alg":"S512", "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA", "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa 8WVr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In 4RZ9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"} ], "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fP bqu5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"} ], "EnvelopedProfileDevice":[{ "EnvelopeId":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQ1ZOLVhMTFQt TExOVy1VNEhSLUJPTUctUkE2Wi1VV1JSIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ mlsZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKIC AiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAyWiJ9"}, "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1 cmUiOiB7CiAgICAgICJVZGYiOiAiTUNWTi1YTExULUxMTlctVTRIUi1CT01HLVJBN lotVVdSUiIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdW JsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICA gICAiUHVibGljIjogImQzMlg1b3NHMUtPRTVvbWZWTUZqREs0MF84eGJ5RTNrZlV3 T3dUYlBXMXZJeW8zQ0NOdkoKICA5aXBseTFBMlg4TjVMejhXSXRTWml3S0EifX19L AogICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTURNVy1XQ0lSLUZKTU 
8tN1pINi1DTjNKLUtVWkwtUkxBWCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjo gewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJY NDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAibnRfcHU0WVJieXIwWUxNY1JXdmlNL XJUWlhXZlB1UVhWa1h0TWdud2hweUVXdjBHUmpsaAogIDlVcnBPc21jVTI3LWxten hJT3dTWGpBQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1 CMlUtNkdNNy1QSEkzLTNVVU4tTElaNi1VVUdKLUlXNVEiLAogICAgICAiUHVibGlj UGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgI CAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJVbmk2NUVYY0 RYYmVXaW1RbFk5OXhhSG5SWmpiSFpBS2lUNmRlZDR0MWp2TGpFVmhMb3lYCiAgVlF raWRoZ1lsV21fRHM2ODdPdUpoX1VBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6 IHsKICAgICAgIlVkZiI6ICJNQklDLUIyS0QtQkJSWC1HNFBELTRJMk8tUE1ETi1XT 1dBIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0 tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB 1YmxpYyI6ICJ5cGJTV1ZnSHEwb25oT2tUT1F4MUNkZ3dIRVRQTElSTVQ1aW1SS0pf MGozVzBKZnktVk5uCiAgOTJmTzZrSFl0M2dTb0hXSm04TXZWNHdBIn19fX19", { "signatures":[{ "alg":"S512", "kid":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR", "signature":"FPjcCzr7s0FbUHrZOOhUGuesUNBJONX9Fe-C__ 87eykHW5UOylLhnfxfkULQVRIY3gdFgfLSJ5mALYQ3v9RLJthdPhMpxDfuyIiD3Vt -cho2QGaSq7imO-ZlKZLP_jwO48AnqcNZnJwcdKMFhkzZDjkA"} ], "PayloadDigest":"HgKI5VcczlRi0_H9mEeby_Ylk8zCTleLmhzeWV ofkWccfgpClI1hRH3fn_JUAJZqau76o2AaUTPu3-Deu9TXaw"} ], "EnvelopedConnectionAddress":[{ "dig":"S512"}, "e7QRQ29ubmVjdGlvbkFkZHJlc3N7tA5BdXRoZW50aWNhdGlvbnu0EFB1 YmxpY1BhcmFtZXRlcnN7tA1QdWJsaWNLZXlFQ0RIe7QDY3J2gARYNDQ4tAZQdWJsa WOIOdulr0WkJsqoELzV6ZGITa3QJhpT6D22IPFeUSgiSp-K8l1msYOAPUExAKdsvR WgGhs_oOv7o4kEgH19fbQHQWNjb3VudIARYWxpY2VAZXhhbXBsZS5jb219fQ", { "signatures":[{ "alg":"S512", "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5", "signature":"03oFK4MzMkSRYzgImz6WJw3JSZ4fmU7djU63aS oQWhCmzNDCf4XCKfx-bKoJesukT_VTGq5bW-AAWqO_2ZfO3pqjr5CwSH9yOKBzH0t pPFDAeKi7oBM43kk5rqljTNOf4EtcaiEqYFohIVoPbn75NAwA"} ]} ], "EnvelopedConnectionService":[{ "dig":"S512", "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0 
aW9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI CAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAzWiJ9"}, "e7QRQ29ubmVjdGlvblNlcnZpY2V7tA5BdXRoZW50aWNhdGlvbnu0A1Vk ZoAiTURCVy03TjVTLUpJWUUtT0JPNi1HWlROLURLUTYtRDNTSLQQUHVibGljUGFyY W1ldGVyc3u0DVB1YmxpY0tleUVDREh7tANjcnaABFg0NDi0BlB1YmxpY4g526WvRa QmyqgQvNXpkYhNrdAmGlPoPbYg8V5RKCJKn4ryXWaxg4A9QTEAp2y9FaAaGz-g6_u jiQSAfX19fX0", { "signatures":[{ "alg":"S512", "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5", "signature":"9m0vcnmYQFNYfzGd0dEH605dJzn72QGwibh4j9 LvR2skx_QmOz52TCT9P884t5KzVfAvOSdRFsUAfqm-Olo3vDDRBaAGbm9uBQ-1YR7 r3B43OlHR1KnUD5IwqsbxN2lpFHNPzLt0fkmliATLNRd6UiYA"} ], "PayloadDigest":"vPLHz2roZcH2iYj7GhGYup4R1v4b1WDCOrAIO3 R-hq5AVRT8FxVmvwhFK5TF8Zh_KFSti0qU9gP6-QliFCPnCg"} ], "EnvelopedConnectionDevice":[{ "dig":"S512", "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0 aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI CJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDNaIn0"}, "e7QQQ29ubmVjdGlvbkRldmljZXu0DkF1dGhlbnRpY2F0aW9ue7QDVWRm gCJNREJXLTdONVMtSklZRS1PQk82LUdaVE4tREtRNi1EM1NItBBQdWJsaWNQYXJhb WV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEWDQ0OLQGUHVibGljiDnbpa9FpC bKqBC81emRiE2t0CYaU-g9tiDxXlEoIkqfivJdZrGDgD1BMQCnbL0VoBobP6Dr-6O JBIB9fX20BVJvbGVzW4AJdGhyZXNob2xkXbQJU2lnbmF0dXJle7QDVWRmgCJNQjRQ LU9DVjctV0RUSS1LRlk2LUE3VzUtWEdNTi1JTExMtBBQdWJsaWNQYXJhbWV0ZXJze 7QNUHVibGljS2V5RUNESHu0A2NydoAFRWQ0NDi0BlB1YmxpY4g5juOAZ2RcHBqm9o YYcRAg8h4hPDUzGu0aYyTVrkOXlpyXUMblnSbyJ_Xj5KouRYnm3aOS4AtWZakAfX1 9tApFbmNyeXB0aW9ue7QDVWRmgCJNQlZYLVVYTEQtUEg2Ry1XS1E0LTROTUItNklH Sy0zNVFatBBQdWJsaWNQYXJhbWV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEW DQ0OLQGUHVibGljiDnXexA8QK1De4Ivy5Yaz7nO85iB8QWOGgntwgdARK7Oi9OafE hsyVyXISV887BxPL5rCFpmXsP2CAB9fX19fQ", { "signatures":[{ "alg":"S512", "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5", "signature":"7QKcgJS4Ub14gYYjiBP3O1RC5U-tDs5mehOV_Y Mc7Rq4PV_I1WzTTZ5wnPPWdXxsS4-gjzlxra4AhMKYT4tN0z3Hc954sJVIAoZDHED bSxxeSWsp6Fd06hCa5Bt43tYt3TyEmnIHFgUmSFNIwIpOfw0A"} ], 
"PayloadDigest":"OstbMttGc4Jpw5qapxrMx_wAdIyJ1ozebqUCmW SrE0G_bbYLycdNVYq35C6hesgUUGwAItS3939DgezPSm9lxg"} ], "EnvelopedActivationDevice":[{ "enc":"A256CBC", "dig":"S512", "kid":"EBQH-KLCY-C4F3-VF7J-YSU3-EQFU-FZHQ", "Salt":"6K4bKrm5-_rjgI4_I08wTw", "recipients":[{ "kid":"MDMW-WCIR-FJMO-7ZH6-CN3J-KUZL-RLAX", "epk":{ "PublicKeyECDH":{ "crv":"X448", "Public":"nvVIGPvOYsOJ8Ilm-19RbyLkAWivgWgZ5a-0A Rp9ftWFsoSSAqQSxaxWNMJr-X4HRTb65eFiuWSA"}}, "wmk":"Dxo1wkjSF6txOOkZ3YtNDWzK-e_95sEbZay2cEJnm3aa Pt-oMy9PbA"} ], "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0 aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI CJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDNaIn0"}, "ki85WOQnh96OwNqp5BCXx-pDm5ZyRU7w93rIb9kZQVcO0mvkvuiAq28q zje1vLZ4b-XwiqY8MOCLqRkscz_PL8ALVscz5rBQz4JsCHtD1xCRMqkGOUOYeY205 8lGpQ5MLZgNEeQCxORAlAdNrKRLvdUG6q2G0M9GOPzG9ocyhrI3D4P4T62_KJq9-G YmyHA7UEIXE04mCDn7dFWeP8lzsnpBTWbIFC4SNY1tOJeudypR01PQbkvFIn4whoF lUDgL", { "signatures":[{ "alg":"S512", "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5", "signature":"KHnfih_mZ14FUavWwY5vdhUFqu7WiBjh1hvHy0 HTCQbdW35_6UmLcqTT2bzsxaEAXsl8yDTSvB6AK51Q3DvtVXp23AH4Try8p66EvNr azKWjh4CAr1QJnUdIJnu-Y3ja2WQJaseKmO4g2svNAXadhAYA", "witness":"TPxOv-bF8Of0cYXGhOZB-yJ5JRgwXYqmwciTxUQb BEE"} ], "PayloadDigest":"Mqa4f-6bQ07E2IYl2hQUqfXTighNhw9KF-WSEy mbPQMTqfXsXMgrExxUg4KCgPX1EYVt9k-UfdyZBWtFUxFNiw"} ], "EnvelopedActivationAccount":[{ "enc":"A256CBC", "dig":"S512", "kid":"EBQM-73UM-YBTS-SOUZ-PADZ-SVFD-AV7U", "Salt":"mX9DOllVVNyFxJ9ocDg4vg", "recipients":[{ "kid":"MBVX-UXLD-PH6G-WKQ4-4NMB-6IGK-35QZ", "epk":{ "PublicKeyECDH":{ "crv":"X448", "Public":"zxVZRX_9E5bQaBCq_T3de_j-6WWQvNH84u03M G7UfjtP6mDcbdopF3KuzMIebcuch8Lb7UtLz1AA"}}, "wmk":"rg3puHIMXDoR7ATzOjfxsJUeIwk4Sb2-L5FzwvFVFk-V Hol4H35yhg"} ], "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0 aW9uQWNjb3VudCIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI CAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAzWiJ9"}, "gBlhcdXySmUZ3MHsR9XY0Opwp4zrqtnfvxnEI3SlZjq7dsfAPhHoVFOI 
MT7ArKsCojQ-Tikc65a4t0my5aDr-s_CQ5QQAlY6CKhsFW01hjTiTxZnL63w8XH59 XrniVqdI5ehtVHRO36eiuDDHe97tBrCFUky2pZdbuLO9BDm1r96GsboXBT1vuCbXE Y8jJreAeroNhvJkCDFqq3mOhBC1Cndj1g15_MOPPd3KQ7rryOHoGpwN2DP2kicx8F S3jGLtuGdIDxXawAR255D-QesHwr5zZyHY3F_FkJ-1ga5OxKHOQtU-oRIdivpnYSA Lt2cBTTZJ0K2qzWkYgMLPRHxtQRIVvzGt80mlncUuoGSmyJprO-BSR0ow8N573ubC GUQzrfwHggM36L2UrPBzm5Ou8bX5IKu4iLjgE9Wq9J1bYuerqqHYJ6csZFiGUG1pf IGQTuNoFJWi49_NzI-vHpo3RBu_aXsClJo3Kgi8Wn4KJsT2rtQuCTbVLmt0Vja_YJ lqlJJwjmBSDNqPsitwZtvW2uVZFOwhFSxXI0L9ZZiyzWOdHccOtJnZkzJiKy4RaGA 1ArpJ2Nm4MLbKvjDb4gJOvcL_a19qFlkhPWt56SySzGN95n5FQA8nRq2EvjQdJmGC OCn1MGFB1NooUWi3dXOeV2acHy8nTavVNEWVQeqWid5D2QxFSmV8cWghYn5nuFsy2 OGNbIH-kNGxjt9W5IbQKowUvhAfpqQ3P-RlNMCEKzxZZioA6YeNG6Hh9kRAk2gYAm Z9LlISSOmu0pvavRb8rXW-mNttPmFlC8g232avdLyZyR9XjcjkzHBNaz-cVqKraQf vR_3M-8mIqGKCS_1oRYGOOpDIxw9VU0JCEO6DfBHFEv-2a3JDg8XvyRuZMIlzJFzO 9usilNnsODaygIabfqA_Gs2qe_t4iAOq1a_yBRr0PW2Tba6BuuorLYmOxL9k7EzFs BUlkAHjJIdEixgwerVnmAnFXfXqKsc2tQ7LRRUkMfOQ3UCypn3niYn4B7M7eJ5efq -xXu4hWSzrdBpxwOUiLjb9ofvClQjkFWvi-VwRtKGIqdk8V-I2Wvc2nS8zzGaK0zU -8GnCP9eIe-1JKa2s4qPLD6ASA9QBz6IbtYlgi8HmEh-JfVoWwVdsSMOzJ-1V2ILx CN2YJIWV-q49xurbCDog4CFeHLvDPlSjMGYmofzcBHkwL-0H3qee-r6A7m4UuyDUw 9LqyWyGzo0pjDkXCEGp8v31jxHI4P7NzlT4K2rN1CzYEnVrqYuqxLR3S-7ySnEQWu Fk4HrX07bQG5j1iNGghQVV5rQ-uk-7-1uFY8GIIUpiBsI75IwbCeaIvOiCI4v4U3Q vTR8ssVOgIDDuZdvQFRCMDgnTzbQda3isGT-fdrGkp5tX94a6ASuIWQ4jC2yqfndW y5NVkglyPEyVCPYVyaBI-SxSwzPtmzC3Xla4GVo7gMmVOALyx-7nMzxerc8HsB-hr S9bAgyY7V-cCmbQ6VEteR5GVYuX1Nu2w4aXWwU3-yrIx8NXI22Pe9DPcNtj44wySa BijiOvduLwnlG-b5aKxfjfvCJWfqL7kEZE0ioCSLE0y-cWPM3MsM3I0gwffEuy7-8 b-nSMPGYjcCTbXoHBxmLt_-srSDjg89fSC4pLN9He2NoamM3Bl2ZZnItE-8vmQbH8 Wy304nJNPGhJ_W2juLh758V9XqumJHrADHrjU4n-SOjRngrFjLwYVufxtrtGehcC_ W2BzNnFhWtBRCA0A7Jjm8tjF0fHH7hxuaFDJKpIXYbJP2LqB8USizq_KRR6i6jsKM pxc7wG_81b_unXx1cPs9xMFdQWnn_2Izc7jXKJYC6cVNOGH3dQDZfIgL4O2KoFXzm 7goJ8hE1Hqx3trdsEjKC7c1UM-cdxFzNKmrto64I7kjJdVHpswFleKSHwxgQ93sLh J38mq2FKYQP_rMp40GgWABCtY78P-XZoc6Mev5bBWxN7NL3WlpnrZKTgJGyz92Ori 
2N08_i7GpDjSQlDI2ENkEvdMrX6zrIWoP-FbFT9U-xij4FQWiNzg4Ww7c1d7hU8lI 4gJQSY5SzV6eSdxlSYc_6C165E3F5eN2FBSUi3kPy-jIwmQVJ59UniV8eCCBEtPDp nT40gCQaytamAOIATcP8IK5HRQQIksmgcZxtYITyiE0_ZK_30sSyo_Bft-USwa8MF 0w5cEQTBsKfyGYxOr_8Wo_4N_rrEvbvJTDMWow5BTcvE8vq4r2FnXNFC4xUdy5Lk5 HG7XKNUKeZQSTkwP0Ry95Yzw8Be4qovtYmm7UkGiwDNB_abRQGnb3bQcrZv5GXOH7 TlDUE2m0n9BcG3W_oqCESdXpNL-w83u-puP_vF19I_maOkUtpyUWJXXj0kRd8c0WF osuYsGg6sIy_nC2ErgEQPDvuAL0cq0Qkc8gX9SckW0W3vOPxAkQdYN3eMt-k13Afs y7IePBNP_hXordX3WdkAK-55A7JuPBN7zW5MqL96jvLCJk_10ms66e2Ae5MK73Wpl HXQl3IQ7JwCAqXdb-uOMfdViIs6a47y7EXJikZNacrKthzunoyD1F8cZ6wL4ecRTn Jsl_2jstlwKcZEuEcvZGAvPqzIl9qhYqEw7O8MOWQMS8cDAUrAb0etfbSmDNWwQR3 RgaMM6BuevUgFBdVAvf_wvI9994rQRDroeipduhis8xvFDVD_pH_ZpJEl6eQpijxA tIdtdap3kwib1gylmAxJ6-zfImOBJo5_aBszjOJWiMmB3Cd0", { "signatures":[{ "alg":"S512", "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5", "signature":"V5h7pFoycR-2WNj7rSO8cyfzbrMHw8GeyME3Wp wnFW9a0X1f1FbKuRAQzgo6CAQR9CmOffm92lqACM-DA_Rylu0zKWbq3PK3u2iRrJt YZ4RyqDam8DoaDEejYJTz7CtKOh88q62L1iF7QirYhqLcWicA", "witness":"KqVrOTlFoo8dHQd3Slg-eowe2e_9OaoPHfDB4Duy Fo8"} ], "PayloadDigest":"3-0c-MhvBsyqxImZbVhOiLXXtd8Av4Rj8C-zOF BOutKwzhvOdQ_x5Y1DV7tEM1HQeIZnzhdber6onFEVlsdSvA"} ]}}}¶
The device periodically polls for completion of the connection request using the Complete transaction.¶
To provide a final check on the process, the command line tool presents the UDF of the account profile to which the device has connected if successful:¶
Alice3> device complete
   Device UDF = MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
   Account = alice@example.com
   Account UDF = MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA
Alice3> account sync¶
The completion request specifies the witness value for the transaction whose completion is being queried:¶
{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW"}}¶
The Service responds to the complete request by checking to see if an entry has been added to the local spool. If so, this contains the RespondConnection message created by the administration device.¶
The preconfigured device connection interaction is used to connect devices that lack affordances such as a display or a keyboard. It is also known as the static QR code interaction because a static QR code printed on the device itself is used to connect it to a user's account.¶
Future: Note that this interaction is likely to be changed substantially in future revisions of the specification and the Claim/PollClaim mechanism removed and replaced with a messaging based approach.¶
The interaction has five phases:¶
The device to be onboarded is preconfigured with a ProfileDevice and private key information and a DeviceDescription posted to a publication service. This process is typically performed during manufacture. An EARL providing the ability to locate and decrypt the description is printed on the device itself as a QR code.¶
The administration device acquiring the onboarding device scans the QR code on the device and uses this information to obtain the Device Description by means of the Claim operation described above.¶
This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device MAY advise the device that a connection request is being made by additional means described in the device description (e.g. WiFi, Bluetooth).¶
When connected to a network, the preconfigured device periodically attempts to poll the connection sources specified to find out if there is a pending request. If a connection request is posted, the device decrypts it to allow it to complete the connection process.¶
This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device requires notice of the pending connection request.¶
The main differences between this connection interaction and the witness/PIN connection interactions are that the device is preconfigured with the device profile at the time of manufacture and the onboarding device MAY be acquiring network configuration information during the connection process.¶
The manufacturer preconfigures the device:¶
Maker> device preconfig
   Device UDF: MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE
   File: EC6P-KOIX-T3B4-YIKE-OLX3-BUUD-64.medk¶
This results in the creation of a primary secret which is used to compute a ProfileDevice and corresponding connection records signed by the manufacturer's administrator key.¶
The data is combined to create a DevicePreconfiguration record that is provisioned to the firmware of the device being preconfigured.¶
{ "DevicePreconfigurationPrivate":{ "EnvelopedProfileDevice":[{ "EnvelopeId":"MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE", "dig":"S512", "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRERULUtURFQtQV o2Mi01NUhWLUZGVlktSllOVS1ZM1lFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9"}, "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1cm UiOiB7CiAgICAgICJVZGYiOiAiTUREVC1LVERULUFaNjItNTVIVi1GRlZZLUpZTlU tWTNZRSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJs aWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgI CAiUHVibGljIjogInF0TDhCYVN3UUptNk12bE1BUXY0MkpsSk9MWFZMY0gxTWNweU p1SWxJazhXbVpvYTlHd2MKICB4WjFIMmI5VE5MZGFZUGp1VlVaWHRkb0EifX19LAo gICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUFCQy1MR1k1LUJVMk8t U0FaTi1ESjJFLVMzQ0ItQkc2NSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjoge wogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYND Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAiWDZUaF9IOEJZOC1zRHpydWNVV3F4S0c 1YVloenhTVC12dDE5STlKOU83TmlnRGYxZmhEcQogIGZCT1pWWk9uUDhYNVdTMkJJ WGQ3SjlTQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1EW lQtREFFNC02TkJQLUJSQ08tUzVUTC01Q1E2LVNDWTMiLAogICAgICAiUHVibGljUG FyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICA gICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJpM1hia3lpT201 WnlXaWxBeU9DZnFUalBMaUtVLUgyNTJZVUdqRVd3MWgtZ2haR3Nkb09aCiAgcXRkQ 0k4Q0hRYWtzS3JHTWZDdDMxbjRBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IH sKICAgICAgIlVkZiI6ICJNQk1DLVE3SFctNUlOSy1RU1pPLVBLRFEtS01aNS1BT01 GIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Y mxpYyI6ICJSX08tZnpLUnp4aExsdHh1Nko5VG05MVNHSWFCY2g0LXFfNnFwNTZ4WU YtVTZqa0hSall2CiAgT2hjNm12OUdLOVhNUjZtVFNOUEstV0tBIn19fX19", { "signatures":[{ "alg":"S512", "kid":"MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE", "signature":"VFD-9f8AXHdm38HR7y7JKsPStGNRu7wW5SXsJgc1 
lbRyzQ0XVyDyNtqR5el9TCEuJKC0vU4lq4QAQfzJlUaa-viM7xhTcvJhVZ_YGiYEW wq3Nb1-sortDNUdi7FGmG9C5Nh-ErWxy2oKkH8Nht19LDQA"} ], "PayloadDigest":"PRkvfQ8djpN_Z3tY_p8qPRR4rTy_ZFEFW_WAqBcQ 2WpffnNZf_dPVKtW1XW9IpGjxYg2h0zB-hSVnCWViSUiEQ"} ], "EnvelopedConnectionDevice":[{ "dig":"S512", "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW 9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJ DcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDdaIn0"}, "ewogICJDb25uZWN0aW9uRGV2aWNlIjogewogICAgIkF1dGhlbnRpY2F0aW 9uIjogewogICAgICAiVWRmIjogIk1BQkMtTEdZNS1CVTJPLVNBWk4tREoyRS1TM0N CLUJHNjUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVi bGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgI CAiUHVibGljIjogIlg2VGhfSDhCWTgtc0R6cnVjVVdxeEtHNWFZaHp4U1QtdnQxOU k5SjlPN05pZ0RmMWZoRHEKICBmQk9aVlpPblA4WDVXUzJCSVhkN0o5U0EifX19LAo gICAgIlNpZ25hdHVyZSI6IHsKICAgICAgIlVkZiI6ICJNRFpULURBRTQtNk5CUC1C UkNPLVM1VEwtNUNRNi1TQ1kzIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7C iAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkND Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAiaTNYYmt5aU9tNVp5V2lsQXlPQ2ZxVGp QTGlLVS1IMjUyWVVHakVXdzFoLWdoWkdzZG9PWgogIHF0ZENJOENIUWFrc0tyR01m Q3QzMW40QSJ9fX0sCiAgICAiRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQ UJDLUxHWTUtQlUyTy1TQVpOLURKMkUtUzNDQi1CRzY1IiwKICAgICAgIlB1YmxpY1 BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICA gICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJYNlRoX0g4Qlk4 LXNEenJ1Y1VXcXhLRzVhWWh6eFNULXZ0MTlJOUo5TzdOaWdEZjFmaERxCiAgZkJPW lZaT25QOFg1V1MyQklYZDdKOVNBIn19fX19", { "signatures":[{ "alg":"S512", "kid":"MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP", "signature":"r-JxVZxihprjMs3buV4yqmgXO7NdXlAEI-Cn2nYF HB3rlbcNPwmi5z_0f5HpAXkQfFlVJefnxsMAffF8GNbOocmVEdaIXR8rHDkBMa1xd 6iCaWZdv8SAGdTHK0wLHkeAUDGj2wXsINFTMfDqhh_TjRUA"} ], "PayloadDigest":"aT7dqhsuhW15GSExnBrO1nHQqAcT-uLaCUkJPhqg AevgNUtTUuWkHC63T2ensFiSjCAAXd1YOvp7L8V7twmvZg"} ], "EnvelopedConnectionService":[{ "dig":"S512", "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW 
9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICA iQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9"}, "ewogICJDb25uZWN0aW9uU2VydmljZSI6IHsKICAgICJBdXRoZW50aWNhdG lvbiI6IHsKICAgICAgIlVkZiI6ICJNQUJDLUxHWTUtQlUyTy1TQVpOLURKMkUtUzN DQi1CRzY1IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1 YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgI CAgIlB1YmxpYyI6ICJYNlRoX0g4Qlk4LXNEenJ1Y1VXcXhLRzVhWWh6eFNULXZ0MT lJOUo5TzdOaWdEZjFmaERxCiAgZkJPWlZaT25QOFg1V1MyQklYZDdKOVNBIn19fX1 9", { "signatures":[{ "alg":"S512", "kid":"MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP", "signature":"BwF9R7byEqkzaUblEujRrko0zPuHn7NwH__14VRv YH0jTblJSrmG40hujXOKqs9ElXe8F0jM26EAXm6l0Okhi_stdxotXwa8CHLZgzTGO T9qEKdJElqkZIWLYJ9Tv_vM-VowlOz7jlzP4ThsVkI4fhcA"} ], "PayloadDigest":"KUSigElHIQenRINVDSSgH5M9Dt5GJLzKUk5yylWM TNdJ_4bW-JKREQiwutelFZvKv0-rX4XFnfBPwzmUflNY2A"} ], "PrivateKey":{ "PrivateKeyUDF":{ "PrivateValue":"ZAAQ-APQL-QS4L-SY3L-RER2-TYEA-V4EF-Q3OB-6N2 F-DKDP-UJQ6-KXUN-LI2H-7RXH", "KeyType":"MeshProfileDevice"}}, "ConnectUri":"mcu://maker@example.com/EC6P-KOIX-T3B4-YIKE-OLX3- BUUD-64"}}¶
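An added example, not part of the draft or its reference code: Python that decodes the ContentMetaData headers of a record shaped like the one above and reports which key signed each envelope. The two ContentMetaData strings and both key identifiers are copied from the record; the payloads, the signature values and the rule that only the ProfileDevice may be signed under the device's own UDF are assumptions drawn from this one record, and no signature or digest is verified.

```python
import base64
import json

def b64url_json(text):
    """Decode unpadded base64url (line-wrap whitespace tolerated) into JSON."""
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)   # the envelopes omit '=' padding
    return json.loads(base64.urlsafe_b64decode(compact))

def summarize_envelope(envelope):
    """Header metadata and signer key ids of one [header, payload, trailer]."""
    header, _payload, trailer = envelope
    meta = b64url_json(header["ContentMetaData"])
    return {"envelope_id": header.get("EnvelopeId"),
            "unique_id": meta.get("UniqueId"),
            "message_type": meta.get("MessageType"),
            "created": meta.get("Created"),
            "signers": [s.get("kid") for s in trailer.get("signatures", [])]}

def audit_preconfiguration(record):
    """Structural checks only: no signature or digest is verified here."""
    infos = {name[len("Enveloped"):]: summarize_envelope(env)
             for name, env in record.items() if name.startswith("Enveloped")}
    profile = infos.get("ProfileDevice")
    if profile is None:
        return ["no EnvelopedProfileDevice"]
    device_udf = profile["envelope_id"]
    findings = []
    if profile["unique_id"] != device_udf:
        findings.append("ProfileDevice: EnvelopeId and UniqueId differ")
    if device_udf not in profile["signers"]:
        findings.append("ProfileDevice: not signed under its own UDF")
    for expected, info in infos.items():
        if info["message_type"] != expected:
            findings.append(f"{expected}: MessageType is {info['message_type']!r}")
        if not info["signers"]:
            findings.append(f"{expected}: unsigned")
        if expected != "ProfileDevice" and device_udf in info["signers"]:
            findings.append(f"{expected}: signed by the device, not an administrator key")
    return findings

# ContentMetaData strings copied from the record above (line wraps removed).
PROFILE_META = ("ewogICJVbmlxdWVJZCI6ICJNRERULUtURFQtQV"
                "o2Mi01NUhWLUZGVlktSllOVS1ZM1lFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml"
                "sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi"
                "Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9")
CONNECTION_META = ("ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW"
                   "9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJ"
                   "DcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDdaIn0")
DEVICE_UDF = "MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE"   # kid on the profile envelope
ADMIN_KID = "MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP"    # kid on the connection envelopes

def sample_envelope(meta, kid, envelope_id=None):
    """Build a trimmed envelope; payload and signature value are constructed."""
    header = {"dig": "S512", "ContentMetaData": meta}
    if envelope_id:
        header["EnvelopeId"] = envelope_id
    trailer = {"signatures": [{"alg": "S512", "kid": kid, "signature": "CONSTRUCTED"}]}
    return [header, "CONSTRUCTED-PAYLOAD", trailer]

SAMPLE = {"EnvelopedProfileDevice": sample_envelope(PROFILE_META, DEVICE_UDF, DEVICE_UDF),
          "EnvelopedConnectionDevice": sample_envelope(CONNECTION_META, ADMIN_KID)}

if __name__ == "__main__":
    for name, env in SAMPLE.items():
        print(name, summarize_envelope(env))
    print("findings:", audit_preconfiguration(SAMPLE))
```

A clean result here says only that the record is shaped consistently; the record also carries the device's PrivateKey, so it should be handled as a secret wherever it is inspected.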
An EARL is created specifying the means by which an administration device can acquire the information required to complete a connection to the device:¶
QR = {Connect.ConnectEARL}¶
The preconfigured ProfileDevice is encrypted under the encryption key and published to the location key derived from the EARL.¶
The administration device scans the QR code and obtains the Device Description using the Claim operation as shown in section $$$$. The administration device creates the ActivationDevice and CatalogedDevice records and populates the service as before.¶
Alice> account connect ^
    mcu://maker@example.com/EC6P-KOIX-T3B4-YIKE-OLX3-BUUD-64 /web¶
Every Mesh Portal Service transaction consists of exactly one request followed by exactly one response. Mesh Service transactions MAY cause modification of the data stored in the Mesh Service or the Mesh itself but do not cause changes to the connection state. The protocol itself is thus idempotent. There is no set sequence in which operations are required to be performed. It is not necessary to perform a Hello transaction prior to any other transaction.¶
A Mesh Portal Service request consists of a payload object that inherits from the MeshRequest class. When using the HTTP binding, the request MUST specify the portal DNS address in the HTTP Host field.¶
Base class for all request messages.¶
[No fields]¶
Base class for all request messages made by a user.¶
A Mesh Portal Service response consists of a payload object that inherits from the MeshResponse class. When using the HTTP binding, the response SHOULD report the Status response code in the HTTP response message. However the response code returned in the payload object MUST always be considered authoritative.¶
Base class for all response messages. Contains only the status code and status description fields.¶
[No fields]¶
The Mesh Service protocol makes use of JSON objects defined in the JOSE Signature and Encryption specifications and in the DARE Data At Rest Encryption extensions to JOSE.¶
The following common structures are used in the protocol messages:¶
Describes a Key/Value structure used to make queries for records matching one or more selection criteria.¶
Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.¶
The container to be searched.¶
Only return objects with an index value that is equal to or higher than the value specified.¶
Only return objects with an index value that is equal to or lower than the value specified.¶
Only data published on or after the specified time instant is requested.¶
Only data published before the specified time instant is requested. This excludes data published at the specified time instant.¶
Specifies a page key returned in a previous search operation in which the number of responses exceeded the specified bounds.¶
When a page key is specified, all the other search parameters except for MaxEntries and MaxBytes are ignored and the service returns the next set of data responding to the earlier query.¶
Specifies constraints on the data to be sent.¶
Maximum number of entries to send.¶
Specifies an offset to be applied to the payload data before it is sent. This allows large payloads to be transferred incrementally.¶
Maximum number of payload bytes to send.¶
Return the entry header¶
Return the entry payload¶
Return the entry trailer¶
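An added example, not taken from the draft or its reference implementation: the selection and paging rules above, applied by a service to a constructed container in Python. The parameter names, the HMAC-sealed page key format and the service-side cap are assumptions of this example; the draft says only that the page key is one returned by a previous search.

```python
import base64
import hashlib
import hmac
import json

SERVICE_KEY = b"constructed-demo-key"  # assumption: secret known only to the service
SERVICE_MAX_ENTRIES = 3                # assumption: cap the service applies itself
SELECTORS = ("container", "index_min", "index_max", "not_before", "before")

def matches(entry, query):
    """Index bounds and not_before are inclusive; before is exclusive."""
    lo, hi = query.get("index_min"), query.get("index_max")
    start, end = query.get("not_before"), query.get("before")
    return ((lo is None or entry["index"] >= lo)
            and (hi is None or entry["index"] <= hi)
            and (start is None or entry["published"] >= start)
            and (end is None or entry["published"] < end))

def seal(state):
    """Serialize paging state and bind it to the service with an HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def unseal(page_key):
    """Reject any page key this service did not issue."""
    body, _, tag = page_key.partition(".")
    good = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        raise ValueError("page key was not issued by this service")
    return json.loads(base64.urlsafe_b64decode(body))

def select(containers, request):
    """Return (entries, next_page_key) for one request."""
    wanted = request.get("max_entries") or SERVICE_MAX_ENTRIES
    limit = max(1, min(wanted, SERVICE_MAX_ENTRIES))
    if request.get("page_key"):
        # A page key replaces every selector sent with it; only the size limit is read.
        state = unseal(request["page_key"])
    else:
        state = {"query": {k: request.get(k) for k in SELECTORS}, "resume": 0}
    query = state["query"]
    # Entries are assumed to be stored in ascending index order.
    hits = [e for e in containers.get(query["container"], [])
            if e["index"] >= state["resume"] and matches(e, query)]
    page, rest = hits[:limit], hits[limit:]
    next_key = seal({"query": query, "resume": rest[0]["index"]}) if rest else None
    return page, next_key

# Constructed container: entry i was published on 2021-10-(20+i). Same-format
# UTC timestamps compare correctly as strings.
CONTAINERS = {"demo_spool": [
    {"index": i, "published": f"2021-10-{20 + i}T00:00:00Z"} for i in range(1, 7)]}

if __name__ == "__main__":
    request = {"container": "demo_spool", "index_min": 2, "max_entries": 2,
               "not_before": "2021-10-22T00:00:00Z", "before": "2021-10-26T00:00:00Z"}
    page, key = select(CONTAINERS, request)
    while True:
        print([e["index"] for e in page])
        if key is None:
            break
        page, key = select(CONTAINERS, {"page_key": key, "max_entries": 2})
```

Sealing the page key keeps the service stateless between transactions while preventing a client from editing the stored query to reach a different container or range.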
Describes the account creation policy including constraints on account names, whether there is an open account creation policy, etc.¶
Specifies the minimum length of an account name.¶
Specifies the maximum length of an account name.¶
A list of characters that the service does not accept in account names. The list of characters MAY not be exhaustive but SHOULD include any illegal characters in the proposed account name.¶
The entries to be uploaded.¶
Report service and version information.¶
The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.¶
The PostConstraints field MAY be used to advise senders of a maximum size of payload that MAY be sent in an initial Post request.¶
Specifies the default data constraints for updates.¶
Specifies the default data constraints for message senders.¶
Specifies the account creation policy¶
The enveloped master profile of the service.¶
The enveloped profile of the host.¶
Request creation of a new service account or group.¶
Attempt¶
Request binding of an account to a service address.¶
Reports the success or failure of a Create transaction.¶
Request deletion of a service account.¶
Request creation of a new portal account. The request specifies the requested account identifier and the Mesh profile to be associated with the account.¶
[No fields]¶
Reports the success or failure of a Delete transaction.¶
[No fields]¶
Request information necessary to begin making a connection request.¶
The signed assertion describing the result of the connect request¶
Request objects from the specified container with the specified search criteria.¶
Request objects from the specified container(s).¶
A client MAY request only objects matching specified search criteria be returned and MAY request that only specific fields or parts of the payload be returned.¶
Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.¶
Specifies the data constraints to be applied to the responses.¶
Return the set of objects requested.¶
Services SHOULD NOT return a response that is disproportionately large relative to the speed of the network connection without a clear indication from the client that it is relevant. A service MAY limit the number of objects returned. A service MAY limit the scope of each response.¶
The updated data¶
Attempt an atomic transaction on the containers and spools associated with an account.¶
Upload entries to a container. This request is only valid if it is issued by the owner of the account.¶
The data to be updated¶
The account(s) to which the request is directed.¶
The messages to be sent to other accounts¶
Messages to be appended to the user's inbound spool. This is typically used to post notifications to the user to mark messages as having been read or responded to.¶
Messages to be appended to the user's local spool. This is used to allow connecting devices to collect activation messages before they have connected to the mesh.¶
Response to an upload request.¶
The responses to the entries.¶
If the upload request contains redacted entries, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.¶
The index value of the entry in the request.¶
The index value assigned to the entry in the container.¶
Specifies the result of attempting to add the entry to a catalog or spool. Valid values for a message are 'Accept', 'Reject'. Valid values for an entry are 'Accept', 'Reject' and 'Conflict'.¶
If the entry was redacted, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.¶
Request to post to a spool from an external party. The request and response messages are extensions of the corresponding messages for the Upload transaction. It is expected that additional fields will be added as the need arises.¶
[No fields]¶
Claim a publication¶
The claim message¶
The encrypted device profile¶
Check party making claim¶
The claim message¶
[No fields]¶
[No fields]¶
[No fields]¶
Perform a set of cryptographic operations¶
The service account the capability is bound to¶
[No fields]¶
The security considerations for use and implementation of Mesh services and applications are described in the Mesh Security Considerations guide [draft-hallambaker-mesh-security].¶
All the IANA considerations for the Mesh documents are specified in this document.¶
A list of people who have contributed to the design of the Mesh is presented in [draft-hallambaker-mesh-architecture].¶