Internet-Draft Mesh Protocol Reference October 2021
Hallam-Baker Expires 28 April 2022 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-hallambaker-mesh-protocol
Published:
Intended Status:
Informational
Expires:
Author:
P. M. Hallam-Baker
ThresholdSecrets.com

Mathematical Mesh 3.0 Part V: Protocol Reference

Abstract

The Mathematical Mesh 'The Mesh' is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. The core protocols of the Mesh are described with examples of common use cases and reference data.

[Note to Readers]

Discussion of this draft takes place on the MATHMESH mailing list (mathmesh@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=mathmesh.

This document is also available online at http://mathmesh.com/Documents/draft-hallambaker-mesh-protocol.html.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 28 April 2022.

Table of Contents

1. Introduction

This document describes the Mesh Service protocol supported by Mesh Services, an account-based protocol that facilitates exchange of data between devices connected to a Mesh profile and between Mesh accounts.

Mesh Service Accounts support the following services:

A Mesh Profile MAY be bound to multiple Mesh Service Accounts at the same time but only one Mesh Service Account is considered to be authoritative at a time. Users may add or remove Mesh Service Accounts and change the account designated as authoritative at any time.

The Mesh Services are build from a very small set of primitives which provide a surprisingly extensive set of capabilities. These primitives are:

Hello

Describes the features and options provided by the service and provides a 'null' transaction which MAY be used to establish an authentication ticket without performing any action,

CreateAccount, DeleteAccount

Manage the creation and deletion of accounts at the service.

Status, Download, Upload

Support synchronization of Mesh containers between the service (Master) and the connected devices (Replicas).

Connect

Initiate the process of connecting a device to a Mesh profile from the device itself.

Post

Request that a Mesh Message be transferred to one or more Mesh Accounts.

Although these functions could in principle be used to replace many if not most existing Internet application protocols, the principal value of any communication protocol lies in the size of the audience it allows them to communicate with. Thus, while the Mesh Messaging service is designed to support efficient and reliable transfer of messages ranging in size from a few bytes to multiple terabytes, the near-term applications of these services will be to applications that are not adequately supported by existing protocols if at all.

2. Definitions

This section presents the related specifications and standard, the terms that are used as terms of art within the documents and the terms used as requirements language.

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2. Defined Terms

The terms of art used in this document are described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture].

2.4. Implementation Status

The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer].

3. Mesh Protocols

The Mesh specifies two separate types of protocol interactions:

Mesh Service Protocol

A synchronous protocol supporting interactions between devices and a Mesh Service Host and between Mesh Service hosts.

Mesh Messaging Protocol

An asynchronous protocol that supports interactions between devices connected to the same account and between accounts.

The Mesh Messaging Protocol uses the Mesh Service Protocol as transport. The Mesh Service Protocol in turn makes use of Reliable UDP Datagram (RUD) [draft-hallambaker-mesh-rud] for framing and authentication of individual requests and responses. These RUS packets are in turn exchanged over either HTTPS (i.e. a Web Service) or directly over UDP.

t c t P g l S v C o e S r D e T T U P o a l T n t c h M b a g o l r h r e U e a m L M M o e P P e s i a D i P D T s s s o l S R a H e r c o i P g
Figure 1: Protocol Layering

Mesh Services MUST support the HTTPS binding and MAY support the UDP binding.

4. Mesh Service

A Mesh Service is a minimally trusted service. In particular a user does not need to trust a Mesh service to protect the confidentiality or integrity of most data stored in the account catalogs and spools.

Unless the use of the Mesh Service is highly restricted, a user does need to trust the Mesh Service in certain respects:

Data Loss

A service could refuse to respond to requests to download data.

Integrity (Stale Data)

The use of Merkle Trees limits but does not eliminate the ability of a Mesh Service to respond to requests with stale data.

Messaging

A service could reject requests to post messages to or accept messages from other mesh users.

This risk is a necessary consequence of the fact that the Mesh Service Provider is accountable to other Mesh Service Providers for abuse originating from their service.

Traffic analysis

A Mesh Service has knowledge of the number of Mesh Messages being sent and received by its users and the addresses to which they are being sent to or received from.

The need to trust the Mesh Service in these respects is mitigated by accountability and the user's ability to change Mesh Service providers at any time they choose with minimal inconvenience.

It is possible that some of these risks will be reduced in future versions of the Mesh Service Protocol but it is highly unlikely that these can be eliminated entirely without compromising practicality or efficiency.

4.1. Data Model

The design of the Mesh Service model followed a quasi-formal approach in which the system was reduced to schemas which could in principle be rendered in a formal development method but without construction of proofs.

Like the contents of Mesh Accounts, a Mesh Service may be represented by a collection of catalogs and spools, for example:

Account Catalog

Contains the account entries.

Incident Spool

Reports of potential abuse

Backup of the service MAY be implemented using the same container synchronization mechanism used to synchronize account catalogs and spools.

4.2. Partitioning

Mesh Services supporting a large number of accounts or large activity volume MAY partition the account catalog between one or more hosts using the usual tiered service model in which a front-end server receives traffic for any account hosted at the server and routes the request to the back-end service that provides the persistence store for that account.

In addition, the Mesh Service Protocol supports a 'direct connection' partitioning model in which devices are given a DNS name which MAY allow for direct connection to the persistence host or to a front-end service offering service that is in some way specific to that account.

5. Protocol Bindings

The protocol binding maps the abstract protocol definition specified in this document to the network protocol format.

Currently only one protocol binding is specified: JSON-BCD Application Binding [draft-hallambaker-jsonbcd] over Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud].

JSON-BCD Application Binding specifies the means by which data types such as 'integer' and 'datetime' etc. given in this document are serialized using JSON/JSON-B encoding.

Reliable User Datagram offers a presentation layer over a choice of HTTP or UDP transport.

6. Mesh Service Operations

The Mesh Service operations are divided into the following functional groups:

Service Description

Describes the service.

Account Management

Operations used to create, reclaim, and delete accounts.

Persistence Store Management

Operations used to synchronize persistence store data across connected devices. [May be replaced in a future revision]

Device Connection

Operations used by devices requesting connection to the account.

Publication

Operations allowing a watched document to be posted to the service and claims made on the document returned to a device.

Cryptographic

Cryptographic operations, including threshold operations performed by the service.

Messaging

Exchange of messages between Mesh Services.

6.1. Service Description

The Hello transaction is used to determine the features supported by the service and obtain the service profile.

The request payload only specifies that is is a request for the service description:

{
  "HelloRequest":{}}

The response payload describes the service and the host providing that service:

{
  "MeshHelloResponse":{
    "Status":201,
    "Version":{
      "Major":3,
      "Minor":0,
      "Encodings":[{
          "ID":["application/json"
            ]}
        ]},
    "EnvelopedProfileService":[{
        "EnvelopeId":"MD36-Q4SC-S4YZ-KPRP-7W4P-SNR7-QMD2",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRDM2LVE0U0MtUz
  RZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVNlcnZpY2UiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAg
  IkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0M1oifQ"},
      "ewogICJQcm9maWxlU2VydmljZSI6IHsKICAgICJQcm9maWxlU2lnbmF0dX
  JlIjogewogICAgICAiVWRmIjogIk1EMzYtUTRTQy1TNFlaLUtQUlAtN1c0UC1TTlI
  3LVFNRDIiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVi
  bGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgI
  CAgIlB1YmxpYyI6ICJHdWFlT0hOMXE5WDdkMW5PZEJIYTFFdUNSUkY3ZTlCZ0Y4b3
  VwdXJDZGpjT1BreUZBTFhRCiAgQWd4c1BKU1FNNWVnQVZQRGtHbWhyNjZBIn19fSw
  KICAgICJTZXJ2aWNlQXV0aGVudGljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTUJH
  Wi03U1NULTRIWUstRkxNTS03TjVMLVdWQU0tUDNYNyIsCiAgICAgICJQdWJsaWNQY
  XJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgIC
  AgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiZW5tcE1WcElONVl
  fQ1N0SGZYU21aa1ZueGdYSjZwYkoxQUZuZjNaUVZza19XZG1GaERDagogIGpsbW4y
  bEcyWHZyNURFWUlpR0pObUs2QSJ9fX0sCiAgICAiU2VydmljZUVuY3J5cHRpb24iO
  iB7CiAgICAgICJVZGYiOiAiTUJCUi1LTEw0LVlSRlgtSzYzRS0yRENULTZVR1EtWj
  VKQyIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWN
  LZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQ
  dWJsaWMiOiAiVzJxaWw2Z1lKcmZOajV6R2pOMGd6U0VCRWd1N2tUaGZrR1NhR0Z5L
  UlBVDYzbktBLU12eQogIE5HSElvRTFsanpUaG4zcHpIblBOeVd1QSJ9fX0sCiAgIC
  AiU2VydmljZVNpZ25hdHVyZSI6IHsKICAgICAgIlVkZiI6ICJNQUdYLUMzTU4tREh
  OVC1ZVVNJLVpZUEgtVlE1Vy1DNVNXIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMi
  OiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogI
  kVkNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAieXFGOVdhQzlHendYUkxKOFFEVT
  RLX0w2UENzVnY1bzVUeHF5SWxHdEFCREgtSXB5RUtzZAogIHl2QWZaWndZRGsxalF
  Nb29HZEMxaVVPQSJ9fX19fQ",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MD36-Q4SC-S4YZ-KPRP-7W4P-SNR7-QMD2",
            "signature":"M_zW4QfJQFlkOgwxMukD4rrJCSy4O42zNbSmUQV-
  -5IUedZeFq3t81SVe_8rpVa43oPKn75yyXkAq2vL86MdD2EW6_5c0qk6_TjetFNA2
  W6nMpJrgSVqfAGSov1VpDST98tz8mZPULoXw7uGCuSHcSoA"}
          ],
        "PayloadDigest":"jmeKG0k9DNNN6eJYg_LN13Gh2SwGociO76OVJ6Q5
  kG9XCOgTVEO_YXG1DZWSszhG6qXfEUU5QV8WiQXqFsEU9Q"}
      ]}}

The current revision of the specification is designed for small scale deployments in which the service is provided by a single host. The approach will require revision in future versions to fully support a service being provided by multiple hosts with accounts being transferred between the hosts to allow balancing of load.

6.2. Account Management

There are three account management operations:

BindAccount

Create an account bound to a service address.

UnbindAccount

Delete an account bound to a service address

RecoverAccount

[TBS] Reclaim an account using a recovered primary secret.

The BindAccount operation is used to create User and Group accounts. Currently, these account types are distinct. This may change in future releases.

6.2.1. Bind Account

A User Account is bound to a Mesh Service by completing a BindAccount operation with the service.

The BindAccount transaction is unique in that it can fail to complete for reasons that are outside the scope of the Mesh specifications. Creation of an account might require payment to be made or authentication of the user's credentials. It is thus quite normal for the result of a CreateRequest to be the account being created in an 'on hold' state which can only be changed out of band.

If the request is at least partially successful, a BindResponse message is returned. In the case of partial success, a description of the request status and link to a Web page providing further details MAY be returned.

The request payload contains all the information needed to create the account:

  • The account address
  • The account profile

Since there is no Access Catalog until the account is created, the Bind Account request and subsequent requests used to initialize the access catalog for the account MUST be authenticated by the Account Authentication key.

Alice requests creation of the account alice@example.com. The request payload is:

{
  "BindRequest":{
    "AccountAddress":"alice@example.com",
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0tUV
  hKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy
  ZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIj
  ogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzLVU
  zQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGlj
  S2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgI
  lB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUkybW
  RJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKICA
  gICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vy
  dmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKI
  CAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhRSC
  1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ldGV
  ycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYi
  OiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3FFQ
  zNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNSVm
  o0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogICA
  gICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLAog
  ICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNES
  CI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIj
  ogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwSGd
  Cbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbWlu
  aXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVFGW
  U0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIj
  ogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJ
  FZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2lN
  UjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTBza
  V9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsKIC
  AgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FIIiw
  KICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVD
  REgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpY
  yI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3OU
  5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY2N
  vdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILVVK
  TjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKI
  CAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0ND
  giLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhenZ
  lNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF84
  bC1SaUdBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
            "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa8W
  Vr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In4R
  Z9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
          ],
        "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fPbq
  u5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
      ]}}

The response payload currently reports the success or failure of the bind operation:

{
  "BindResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAccountHostAssignment":[{
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY2NvdW50SG
  9zdEFzc2lnbm1lbnQiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCI
  sCiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "ewogICJBY2NvdW50SG9zdEFzc2lnbm1lbnQiOiB7CiAgICAiQWNjb3VudE
  FkZGVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiQWNjZXNzRW5jcnlwdCI
  6IHsKICAgICAgIlVkZiI6ICJNQkJSLUtMTDQtWVJGWC1LNjNFLTJEQ1QtNlVHUS1a
  NUpDIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY
  0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIl
  B1YmxpYyI6ICJXMnFpbDZnWUpyZk5qNXpHak4wZ3pTRUJFZ3U3a1RoZmtHU2FHRnk
  tSUFUNjNuS0EtTXZ5CiAgTkdISW9FMWxqelRobjNwekhuUE55V3VBIn19fX19"
      ]}}

It is likely that a future revisions of the specification will specify the host(s) to which future account service operations are to be directed. This would allow the account management operations to be separated from the account maintenance operations without requiring the traditional tiered architecture in which every interaction with a service is first routed to a host that cannot perform the required action so that it can be directed to the host that can.

6.2.1.1. Bind Group Account

Mesh Group Accounts are created in the same manner as user accounts except that the ProfileGroup is specified.

6.2.1.2. Account Recovery

Should all the administration devices be lost, an account MAY be recovered by the process of recovering the profile master secret and using it to access the account through the account authentication key.

6.2.2. Unbind Account

An account registration is deleted using the UnbindAccount transaction.

>>>> Unfinished ProtocolAccountDelete

The request payload:

The response payload:

6.2.2.1. Account Transfer

Should a user wish to transfer their account to a new service provider, they first use the Bind Account operation to bind the account to the new service provider, then populate the account entry at the new account using the account authentication key.

Only after the new account binding has been completed and is ready for use, is the unbind operation used to delete the account entry at the old service provider.

Future versions of the protocol will elaborate on this mechanism so that the change of address can be signaled to connected devices and parties sending messages to the account.

6.2.3. Account Recovery and Transfer.

Account recovery is necessary in the case that user has lost control of every administration device connected to the account and must re-create the account profile and bind a new set of administrative devices. Account transfer is the process of unbinding an account from one service and rebinding it to a new one.

These capabilities are both critical to the long term success of the Mesh but have been deleted from the current revision of the specification as their implementation is interdependent on the architecture of the callsign registry.

>>>> Unfinished ProtocolAccountRecover

[TBS]

6.3. Persistence Store Management

All the state associated with a Mesh profile is stored as a sequence of DARE Messages in a Dare Container. The Mesh Service holding the master copy of the persistence stores and the devices connected to the profile containing complete copies (replicas) or partial copies (redactions).

Thus, the only primitive needed to achieve synchronization of the profile state are those required for synchronization of a DARE Container. These steps are:

  • Obtain the status of the catalogs and spools associated with the account.
  • Download catalog and spool updates
  • Upload catalog updates.

To ensure a satisfactory user experience, Mesh Messages are intentionally limited in size to 32 KB or less, thus ensuring that an application can retrieve the most recent 100 messages almost instantaneously on a high bandwidth connection and without undue delay on a slower one.

6.3.1. Status

The status transaction returns the status of the containers the device is authorized to access for the specified account together with the updated Device Connection Entry if this has been modified since the entry presented to authenticate the request was issued.

Alice adds an entry to her bookmark catalog. Before the bookmark can be added, the device synchronizes to the service. The synchronization process begins with a request for the status of all the stores associated with the account that it has access rights for:

{
  "StatusRequest":{
    "CatalogedDeviceDigest":"MDNG-A3QX-657G-UH45-KEKO-DIV2-4Q"}}

If the account has a very large number of stores, the device might only ask for the status of specific stores of interest.

The response specifies the status of each store specifying the index and Merkle tree apex digest values for each:

{
  "StatusResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "ContainerStatus":[{
        "Container":"MMM_Inbound",
        "Index":3},
      {
        "Container":"MMM_Outbound",
        "Index":1,
        "Digest":"FEHy24Y6cLModDXWH31kVc2a3TdhjXPooKHpLAb2JbsO1YQ
  nJolmowXAYHhkOGY0kg3jrKNTjds0myf4Dw1sdg"},
      {
        "Container":"MMM_Local",
        "Index":2},
      {
        "Container":"MMM_Access",
        "Index":3},
      {
        "Container":"MMM_Credential",
        "Index":4},
      {
        "Container":"MMM_Device",
        "Index":3},
      {
        "Container":"MMM_Contact",
        "Index":2},
      {
        "Container":"MMM_Application",
        "Index":1},
      {
        "Container":"MMM_Publication",
        "Index":1},
      {
        "Container":"MMM_Bookmark",
        "Index":1},
      {
        "Container":"MMM_Task",
        "Index":1}
      ]}}

Bug: The current version of the reference code is only returning the digest values for the outbound store.

6.3.2. Download

The download transaction returns a collection of entries from one or more containers associated with the profile.

The service MAY limit the number of entries returned in an individual response for performance reasons.

The previous status operation has reported that a new envelope has been added to the credential store. The device requests this data from the service:

{
  "DownloadRequest":{
    "Select":[{
        "Container":"MMM_Credential",
        "IndexMin":3,
        "IndexMax":4}
      ]}}

The response contains the requested envelope:

{
  "DownloadResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "Updates":[{
        "Container":"MMM_Credential",
        "Envelopes":[[{
              "PayloadDigest":"scKJJY0e2llHKRImyYAHL98MSo62-eVSTz
  8JkFFaicCDM1Nskxm5JW1WIUy4XhKdhYTYagTRFxNTsbABRAOT7w",
              "enc":"A256CBC",
              "dig":"S512",
              "Salt":"28sn1l7vROY1rqAjTNaxzg",
              "recipients":[{
                  "kid":"MC7F-DLCK-JI67-VFL7-BOHX-T62Q-KCVG",
                  "epk":{
                    "PublicKeyECDH":{
                      "crv":"X448",
                      "Public":"lGsU2MtoCW3h7kBLBfm4eN9xXqVSVbR_9
  Es_47TEqVo2HYkeSOlkFE1hPNCz98yD-xFx_9omFj4A"}},
                  "wmk":"tyvbkB9eXzVAFqYyTn12vOcC18vtSIlIfmPR6hpS
  LPoAORyeVaD2rg"}
                ],
              "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICI6ZnRwLmV4
  YW1wbGUuY29tIiwKICAiRXZlbnQiOiAiVXBkYXRlIiwKICAiRmlyc3QiOiAxLAogI
  CJQcmV2aW91cyI6IDF9",
              "SequenceInfo":{
                "Index":3,
                "TreePosition":716},
              "Received":"2021-10-25T15:48:48Z"},
            "GnC2lneENSTxMbQ6W91xcsDRs1Ap9P5PRn7MHvCQ1hEMWiGWw91t
  r5llzPtdeZz1-FxF5Cc49FrdanP8dtWZVNMTg4yQMf5bbaRzte4CzUrKihFYdJ3SK
  GAm2EC317muijVLb29kqnkJkmdLUJu41yYZ4OLRe1rM_xR1t0VlkaE",
            {}
            ]
          ]}
      ]}}

Future: The current implementation of the download operation is limited by the capabilities of the HTTP binding of the RUD transport. A future binding allowing operations that consist of a single request followed by a sequence of responses will allow much greater flexibility.

Future versions of the protocol may support optional filtering criteria so that the service only returns objects matching specific criteria and/or only return certain parts of the selected messages.

6.3.3. Transact

The transact transaction appends envelopes to one or more stores. The operation is atomic, that is either all the changes specified will be made to the stores or none will. This ensures that simultaneous attempts to update a store do not result in race conditions allows Mesh stores to provide ACID (Atomicity, Consistency, Isolation, Durability) properties to the applications they serve.

Clients SHOULD check to determine if updates to a container conflict with pending updates on the device waiting to be uploaded. For example, if a contact that the user modified on the device attempting to synchronize was subsequently deleted. The means of resolving such conflicts is not in the scope of this specification.

Each update to a catalog or container specifies the expected container index and apex digest. This provides a strong guarantee of consistency. The service MUST verify each update to check that the Merkle Tree values specified are consistent with the store entries and that the signature on the apex value (if specified) is valid and correct.

Services MAY impose limits on the size and number of additions performed in response to a TransactRequest message to ensure that processing time does not degrade performance for other users.

The request payload specifies the data to be appended to the stores.

{
  "TransactRequest":{
    "Updates":[{
        "Container":"MMM_Bookmark",
        "Envelopes":[[{
              "dig":"S512",
              "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJTaXRlcy4y
  IiwKICAiRXZlbnQiOiAiTmV3In0",
              "SequenceInfo":{
                "Index":1,
                "TreePosition":0}},
            "ewogICJDYXRhbG9nZWRCb29rbWFyayI6IHsKICAgICJVcmkiOiAi
  aHR0cDovL3d3dy5leGFtcGxlLm5ldCIsCiAgICAiVGl0bGUiOiAic2l0ZTIiLAogI
  CAgIlBhdGgiOiAiU2l0ZXMuMiJ9fQ",
            {
              "PayloadDigest":"gtpamSravs9YkD3Wi6-rIFqFOINwLFj8Q2
  eGpMjmbyP-_TRCgRs9Hqpo3bJPhoRSgUmfIUsQTDNeiT414W56eA",
              "TreeDigest":"TpXg14cDEx_-1Qe-h1qiryihslO0MrUCLW0L7
  wvq-YLCEWZfAIrp9FmBwNE0se8UN1nFY4h1aqXbN3yBuKfg9w"}
            ]
          ]}
      ]}}

The response reports successful completion:

{
  "TransactResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

6.4. Device Connection

In order to support the wide range of affordances supported by devices, four device connection interactions are currently specified. The use of these mechanisms is described in [draft-hallambaker-mesh-architecture] and the interactions themselves are described in section ??? following.

Device connection operations are always issued by a device requesting connection to a Mesh account and must therefore be authenticated under the device profile rather than the account profile. Two device connection operations are currently defined:

Connect

Requests connection to the account.

Complete

Polls for completion of a connection request.

Since the second operation is merely polling for completion of the transaction requested by the first, it is likely that these will be combined in a future revision of the specification.

6.4.1. Connect

If the connection request is initiated by the device being connected, the device constructs a RequestConnection message which is posted to the Mesh Service using the Connect operation.

If the Connect operation is accepted (i.e. the service determines it is not abuse), the service constructs an AcknowledgeConnection message which is forwarded to the inbound spool of the account to which connection is requested. The requesting device receives a copy of the AcknowledgeConnection message and the profile of the account it is requesting connection to.

As described in the following section, the AcknowledgeConnection message contains the request details presented by the device and a nonce value generated by the service. This nonce value is used to compute the witness value that will be used for mutual authentication of the device and account.

The connect request is made to the service, not the account. The payload contains the enveloped connection request:

{
  "ConnectRequest":{
    "EnvelopedRequestConnection":[{
        "EnvelopeId":"MDKW-3KOD-ZTW6-MRIB-AARK-UACM-PDOZ",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj
  VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi
  AiTkE0Ni1IU1ZHLU41TlUtRVhLWi00WDdHLUdTRjctRFVXUyIsCiAgICAiQXV0aGV
  udGljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1DVk4tWExM
  VC1MTE5XLVU0SFItQk9NRy1SQTZaLVVXUlIiLAogICAgICAgICJkaWciOiAiUzUxM
  iIsCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWk
  NJNklDSk5RMVpPTFZoTVRGUXRURXhPVnkxCiAgVk5FaFNMVUpQVFVjdFVrRTJXaTF
  WVjFKU0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxk
  bWxqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV
  04wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJeExURXdMVEkxVkRFMU9qUT
  VPakF5V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V
  3b2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNK
  VlpHWWlPaUFpVFVOV1RpMVlURXhVTFV4TVRsY3RWCiAgVFJJVWkxQ1QwMUhMVkpCT
  mxvdFZWZFNVaUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KIC
  BnZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0F
  nSUNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmli
  R2xqSWpvZ0ltUXpNbGcxYjNOSE1VdFBSVFZ2YldaCiAgV1RVWnFSRXMwTUY4NGVHS
  jVSVE5yWmxWM1QzZFVZbEJYTVhaSmVXOHpRME5PZGtvS0lDQTVhWEJzZVRGQk0KIC
  BsZzRUalZNZWpoWFNYUlRXbWwzUzBFaWZYMTlMQW9nSUNBZ0lrVnVZM0o1Y0hScGI
  yNGlPaUI3Q2lBZ0lDQQogIGdJQ0pWWkdZaU9pQWlUVVJOVnkxWFEwbFNMVVpLVFU4
  dE4xcElOaTFEVGpOS0xVdFZXa3d0VWt4QldDSXNDCiAgaUFnSUNBZ0lDSlFkV0pzY
  VdOUVlYSmhiV1YwWlhKeklqb2dld29nSUNBZ0lDQWdJQ0pRZFdKc2FXTkxaWGwKIC
  BGUTBSSUlqb2dld29nSUNBZ0lDQWdJQ0FnSW1OeWRpSTZJQ0pZTkRRNElpd0tJQ0F
  nSUNBZ0lDQWdJQ0pRZAogIFdKc2FXTWlPaUFpYm5SZmNIVTBXVkppZVhJd1dVeE5Z
  MUpYZG1sTkxYSlVXbGhYWmxCMVVWaFdhMWgwVFdkCiAgdWQyaHdlVVZYZGpCSFVtc
  HNhQW9nSURsVmNuQlBjMjFqVlRJM0xXeHRlbmhKVDNkVFdHcEJRU0o5Zlgwc0MKIC
  BpQWdJQ0FpVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ01
  sVXROa2ROTnkxUVNFawogIHpMVE5WVlU0dFRFbGFOaTFWVlVkS0xVbFhOVkVpTEFv
  Z0lDQWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljCiAgeUk2SUhzS0lDQWdJQ0FnS
  UNBaVVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjblkKIC
  BpT2lBaVJXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSlZibWs
  yTlVWWVkwUllZbVZYYQogIFcxUmJGazVPWGhoU0c1U1dtcGlTRnBCUzJsVU5tUmxa
  RFIwTVdwMlRHcEZWbWhNYjNsWUNpQWdWbEZyYVdSCiAgb1oxbHNWMjFmUkhNMk9EZ
  FBkVXBvWDFWQkluMTlmU3dLSUNBZ0lDSkJkWFJvWlc1MGFXTmhkR2x2YmlJNkkKIC
  BIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKTlFrbERMVUl5UzBRdFFrSlNXQzFITkZCRUx
  UUkpNazh0VUUxRVRpMQogIFhUMWRCSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21G
  dFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ0lsQjFZCiAgbXhwWTB0bGVVVkRSRWdpT
  2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJQ0EKIC
  BnSUNBZ0lsQjFZbXhwWXlJNklDSjVjR0pUVjFablNIRXdiMjVvVDJ0VVQxRjRNVU5
  rWjNkSVJWUlFURWxTVAogIFZRMWFXMVNTMHBmTUdvelZ6Qktabmt0Vms1dUNpQWdP
  VEptVHpaclNGbDBNMmRUYjBoWFNtMDRUWFpXTkhkCiAgQkluMTlmWDE5IiwKICAgI
  CAgewogICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgImFsZyI6IC
  JTNTEyIiwKICAgICAgICAgICAgImtpZCI6ICJNQ1ZOLVhMTFQtTExOVy1VNEhSLUJ
  PTUctUkE2Wi1VV1JSIiwKICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJGUGpjQ3py
  N3MwRmJVSHJaT09oVUd1ZXNVTkJKT05YOUZlLUNfXzg3ZXlrSFc1VU95CiAgbExob
  mZ4ZmtVTFFWUklZM2dkRmdmTFNKNW1BTFlRM3Y5UkxKdGhkUGhNcHhEZnV5SWlEM1
  Z0LWNobzJRR2EKICBTcTdpbU8tWmxLWkxQX2p3TzQ4QW5xY05abkp3Y2RLTUZoa3p
  aRGprQSJ9XSwKICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJIZ0tJNVZjY3psUmkw
  X0g5bUVlYnlfWWxrOHpDVGxlTG1oemVXVm9ma1djY2YKICBncENsSTFoUkgzZm5fS
  lVBSlpxYXU3Nm8yQWFVVFB1My1EZXU5VFhhdyJ9XSwKICAgICJDbGllbnROb25jZS
  I6ICItcHl1a0E4S0pxZHZWX2hlUElLRlpRIiwKICAgICJQaW5JZCI6ICJBQVBPLVB
  VQ0stQUlZWi1GU09YLU9CSTUtWVpaQi1SVlQyIiwKICAgICJQaW5XaXRuZXNzIjog
  IndWMDRjckJhZjdoLTVmY2xWQUdNSXN5NVpVWm5LY3FiUFhEVWJ1WmZYWW96dUk5W
  gogIEItZW1ld25xMmF3dnB3Nmk3b0Z2Z1ktb1cwalFyVVlxSlNUV0RnIiwKICAgIC
  JBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSJ9fQ"
      ]}}

The response payload contains the information the device requires to compute the witness value and to poll for completion. This is a copy of the request acknowledgement and a copy of the profile of the account the device has requested connection to:

{
  "ConnectResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedAcknowledgeConnection":[{
        "EnvelopeId":"MBQD-SAOO-FLPI-PKWI-WYR6-PNVY-VTC4",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICIyV1pQLUtOWkYtSk
  1LTy1SUVNVLVdZVEgtVVUzNS1OV1hWIiwKICAiTWVzc2FnZVR5cGUiOiAiQWNrbm9
  3bGVkZ2VDb25uZWN0aW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmpl
  Y3QiLAogICJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDJaIn0"},
      "ewogICJBY2tub3dsZWRnZUNvbm5lY3Rpb24iOiB7CiAgICAiTWVzc2FnZU
  lkIjogIjJXWlAtS05aRi1KTUtPLVJRU1UtV1lUSC1VVTM1LU5XWFYiLAogICAgIkV
  udmVsb3BlZFJlcXVlc3RDb25uZWN0aW9uIjogW3sKICAgICAgICAiRW52ZWxvcGVJ
  ZCI6ICJNREtXLTNLT0QtWlRXNi1NUklCLUFBUkstVUFDTS1QRE9aIiwKICAgICAgI
  CAiQ29udGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpaQ0k2SUNKT1FUUT
  JMVWhUVmtjdFRqVk9WUzEKICBGV0V0YUxUUllOMGN0UjFOR055MUVWVmRUSWl3S0l
  DQWlUV1Z6YzJGblpWUjVjR1VpT2lBaVVtVnhkV1Z6ZAogIEVOdmJtNWxZM1JwYjI0
  aUxBb2dJQ0pqZEhraU9pQWlZWEJ3YkdsallYUnBiMjR2YlcxdEwyOWlhbVZqZENJC
  iAgc0NpQWdJa055WldGMFpXUWlPaUFpTWpBeU1TMHhNQzB5TlZReE5UbzBPVG93TW
  xvaWZRIn0sCiAgICAgICJld29nSUNKU1pYRjFaWE4wUTI5dWJtVmpkR2x2YmlJNkl
  Ic0tJQ0FnSUNKCiAgTlpYTnpZV2RsU1dRaU9pQWlUa0UwTmkxSVUxWkhMVTQxVGxV
  dFJWaExXaTAwV0RkSExVZFRSamN0UkZWWFUKICB5SXNDaUFnSUNBaVFYVjBhR1Z1Z
  EdsallYUmxaRVJoZEdFaU9pQmJld29nSUNBZ0lDQWdJQ0pGYm5abGJHOQogIHdaVW
  xrSWpvZ0lrMURWazR0V0V4TVZDMU1URTVYTFZVMFNGSXRRazlOUnkxU1FUWmFMVlZ
  YVWxJaUxBb2dJCiAgQ0FnSUNBZ0lDSmthV2NpT2lBaVV6VXhNaUlzQ2lBZ0lDQWdJ
  Q0FnSWtOdmJuUmxiblJOWlhSaFJHRjBZU0kKICA2SUNKbGQyOW5TVU5LVm1KdGJIa
  GtWMVpLV2tOSk5rbERTazVSTVZwUFRGWm9UVlJHVVhSVVJYaFBWbmt4QwogIGlBZ1
  ZrNUZhRk5NVlVwUVZGVmpkRlZyUlRKWGFURldWakZLVTBscGQwdEpRMEZwVkZkV2V
  tTXlSbTVhVmxJCiAgMVkwZFZhVTlwUVdsVlNFcDJXbTFzYzFvS0lDQlZVbXhrYld4
  cVdsTkpjME5wUVdkSmJVNHdaVk5KTmtsRFMKICBtaGpTRUp6WVZkT2FHUkhiSFppY
  VRsMFlsY3dkbUl5U25GYVYwNHdTV2wzUzBsRFFRb2dJR2xSTTBwc1dWaAogIFNiRn
  BEU1RaSlEwbDVUVVJKZUV4VVJYZE1WRWt4VmtSRk1VOXFVVFZQYWtGNVYybEtPU0o
  5TEFvZ0lDQWdJCiAgQ0FpWlhkdlowbERTbEZqYlRsdFlWZDRiRkpIVmpKaFYwNXNT
  V3B2WjJWM2IyZEpRMEZuU1d4Q2VXSXlXZ28KICBnSUhCaVIxWlVZVmRrZFZsWVVqR
  mpiVlZwVDJsQ04wTnBRV2RKUTBGblNVTktWbHBIV1dsUGFVRnBWRlZPVgogIDFScE
  1WbFVSWGhWVEZWNFRWUnNZM1JXQ2lBZ1ZGSkpWV2t4UTFRd01VaE1Wa3BDVG14dmR
  GWldaRk5WYVVsCiAgelEybEJaMGxEUVdkSlEwcFJaRmRLYzJGWFRsRlpXRXBvWWxk
  V01GcFlTbnBKYW04S0lDQm5aWGR2WjBsRFEKICBXZEpRMEZuU1VOS1VXUlhTbk5oV
  jA1TVdsaHNSbEV3VWtsSmFtOW5aWGR2WjBsRFFXZEpRMEZuU1VOQlowbAogIHRUbm
  xrYVVrMlNRb2dJRU5LUmxwRVVUQlBRMGx6UTJsQlowbERRV2RKUTBGblNVTkJhVlZ
  JVm1saVIyeHFTCiAgV3B2WjBsdFVYcE5iR2N4WWpOT1NFMVZkRkJTVkZaMllsZGFD
  aUFnVjFSVlduRlNSWE13VFVZNE5HVkhTalYKICBTVkU1eVdteFdNMVF6WkZWWmJFS
  llUVmhhU21WWE9IcFJNRTVQWkd0dlMwbERRVFZoV0VKelpWUkdRazBLSQogIENCc1
  p6UlVhbFpOWldwb1dGTllVbFJYYld3elV6QkZhV1pZTVRsTVFXOW5TVU5CWjBsclZ
  uVlpNMG8xWTBoCiAgU2NHSXlOR2xQYVVJM1EybEJaMGxEUVFvZ0lHZEpRMHBXV2tk
  WmFVOXBRV2xVVlZKT1Zua3hXRkV3YkZOTVYKICBWcExWRlU0ZEU0eGNFbE9hVEZFV
  kdwT1MweFZkRlpYYTNkMFZXdDRRbGREU1hORENpQWdhVUZuU1VOQlowbAogIERTbE
  ZrVjBwellWZE9VVmxZU21oaVYxWXdXbGhLZWtscWIyZGxkMjluU1VOQlowbERRV2R
  KUTBwUlpGZEtjCiAgMkZYVGt4YVdHd0tJQ0JHVVRCU1NVbHFiMmRsZDI5blNVTkJa
  MGxEUVdkSlEwRm5TVzFPZVdScFNUWkpRMHAKICBaVGtSUk5FbHBkMHRKUTBGblNVT
  kJaMGxEUVdkSlEwcFJaQW9nSUZkS2MyRlhUV2xQYVVGcFltNVNabU5JVgogIFRCWF
  ZrcHBaVmhKZDFkVmVFNVpNVXBZWkcxc1RreFlTbFZYYkdoWVdteENNVlZXYUZkaE1
  XZ3dWRmRrQ2lBCiAgZ2RXUXlhSGRsVlZaWVpHcENTRlZ0Y0hOaFFXOW5TVVJzVm1O
  dVFsQmpNakZxVmxSSk0weFhlSFJsYm1oS1YKICBETmtWRmRIY0VKUlUwbzVabGd3Y
  zBNS0lDQnBRV2RKUTBGcFZUSnNibUp0UmpCa1dFcHNTV3B2WjJWM2IyZAogIEpRME
  ZuU1VOQmFWWlhVbTFKYW05blNXc3hRMDFzVlhST2EyUk9Ubmt4VVZORmF3b2dJSHB
  NVkU1V1ZsVTBkCiAgRlJGYkdGT2FURldWbFZrUzB4VmJGaE9Wa1ZwVEVGdlowbERR
  V2RKUTBGcFZVaFdhV0pIYkdwVlIwWjVXVmMKICB4YkdSSFZubGpDaUFnZVVrMlNVa
  HpTMGxEUVdkSlEwRm5TVU5CYVZWSVZtbGlSMnhxVXpKV05WSlZUa1ZUUQogIDBrMl
  NVaHpTMGxEUVdkSlEwRm5TVU5CWjBsRFNtcGpibGtLSUNCcFQybEJhVkpYVVRCT1J
  HZHBURUZ2WjBsCiAgRFFXZEpRMEZuU1VOQlowbHNRakZaYlhod1dYbEpOa2xEU2xa
  aWJXc3lUbFZXV1Zrd1VsbFpiVlpZWVFvZ0kKICBGY3hVbUpHYXpWUFdHaG9VMGMxV
  TFkdGNHbFRSbkJDVXpKc1ZVNXRVbXhhUkZJd1RWZHdNbFJIY0VaV2JXaAogIE5Zak
  5zV1VOcFFXZFdiRVp5WVZkU0NpQWdiMW94YkhOV01qRm1Va2hOTWs5RVpGQmtWWEJ
  2V0RGV1FrbHVNCiAgVGxtVTNkTFNVTkJaMGxEU2tKa1dGSnZXbGMxTUdGWFRtaGtS
  MngyWW1sSk5ra0tJQ0JJYzB0SlEwRm5TVU4KICBCWjBsc1ZtdGFhVWsyU1VOS1RsR
  nJiRVJNVlVsNVV6QlJkRkZyU2xOWFF6RklUa1pDUlV4VVVrcE5hemgwVgogIFVVeF
  JWUnBNUW9nSUZoVU1XUkNTV2wzUzBsRFFXZEpRMEZuU1d4Q01WbHRlSEJaTVVKb1k
  yMUdkRnBZVW14CiAgamJrMXBUMmxDTjBOcFFXZEpRMEZuU1VOQlowbHNRakZaQ2lB
  Z2JYaHdXVEIwYkdWVlZrUlNSV2RwVDJsQ04KICAwTnBRV2RKUTBGblNVTkJaMGxEU
  VdsWk0wb3lTV3B2WjBsc1p6Qk9SR2RwVEVGdlowbERRV2RKUTBFS0lDQgogIG5TVU
  5CWjBsc1FqRlpiWGh3V1hsSk5rbERTalZqUjBwVVZqRmFibE5JUlhkaU1qVnZWREo
  wVlZReFJqUk5WCiAgVTVyV2pOa1NWSldVbEZVUld4VFZBb2dJRlpSTVdGWE1WTlRN
  SEJtVFVkdmVsWjZRa3RhYm10MFZtczFkVU4KICBwUVdkUFZFcHRWSHBhY2xOR2JEQ
  k5NbVJVWWpCb1dGTnRNRFJVV0ZwWFRraGtDaUFnUWtsdU1UbG1XREU1SQogIGl3S0
  lDQWdJQ0FnZXdvZ0lDQWdJQ0FnSUNKemFXZHVZWFIxY21Weklqb2dXM3NLSUNBZ0l
  DQWdJQ0FnSUNBCiAgZ0ltRnNaeUk2SUNKVE5URXlJaXdLSUNBZ0lDQWdJQ0FnSUNB
  Z0ltdHBaQ0k2SUNKTlExWk9MVmhNVEZRdFQKICBFeE9WeTFWTkVoU0xVSlBUVWN0V
  WtFMldpMVZWMUpTSWl3S0lDQWdJQ0FnSUNBZ0lDQWdJbk5wWjI1aGRIVgogIHlaU0
  k2SUNKR1VHcGpRM3B5TjNNd1JtSlZTSEphVDA5b1ZVZDFaWE5WVGtKS1QwNVlPVVp
  sTFVOZlh6ZzNaCiAgWGxyU0ZjMVZVOTVDaUFnYkV4b2JtWjRabXRWVEZGV1VrbFpN
  MmRrUm1kbVRGTktOVzFCVEZsUk0zWTVVa3gKICBLZEdoa1VHaE5jSGhFWm5WNVNXb
  EVNMVowTFdOb2J6SlJSMkVLSUNCVGNUZHBiVTh0V214TFdreFFYMnAzVAogIHpRNF
  FXNXhZMDVhYmtwM1kyUkxUVVpvYTNwYVJHcHJRU0o5WFN3S0lDQWdJQ0FnSUNBaVV
  HRjViRzloWkVSCiAgcFoyVnpkQ0k2SUNKSVowdEpOVlpqWTNwc1Vta3dYMGc1YlVW
  bFlubGZXV3hyT0hwRFZHeGxURzFvZW1WWFYKICBtOW1hMWRqWTJZS0lDQm5jRU5zU
  1RGb1VrZ3pabTVmU2xWQlNscHhZWFUzTm04eVFXRlZWRkIxTXkxRVpYVQogIDVWRm
  hoZHlKOVhTd0tJQ0FnSUNKRGJHbGxiblJPYjI1alpTSTZJQ0l0Y0hsMWEwRTRTMHB
  4WkhaV1gyaGxVCiAgRWxMUmxwUklpd0tJQ0FnSUNKUWFXNUpaQ0k2SUNKQlFWQlBM
  VkJWUTBzdFFVbFpXaTFHVTA5WUxVOUNTVFUKICB0V1ZwYVFpMVNWbFF5SWl3S0lDQ
  WdJQ0pRYVc1WGFYUnVaWE56SWpvZ0luZFdNRFJqY2tKaFpqZG9MVFZtWQogIDJ4V1
  FVZE5TWE41TlZwVldtNUxZM0ZpVUZoRVZXSjFXbVpZV1c5NmRVazVXZ29nSUVJdFp
  XMWxkMjV4TW1GCiAgM2RuQjNObWszYjBaMloxa3RiMWN3YWxGeVZWbHhTbE5VVjBS
  bklpd0tJQ0FnSUNKQlkyTnZkVzUwUVdSa2MKICBtVnpjeUk2SUNKaGJHbGpaVUJsZ
  UdGdGNHeGxMbU52YlNKOWZRIl0sCiAgICAiU2VydmVyTm9uY2UiOiAicU85UjNvVD
  I0RURPNUdDWWxZQ0JzZyIsCiAgICAiV2l0bmVzcyI6ICIyV1pQLUtOWkYtSk1LTy1
  SUVNVLVdZVEgtVVUzNS1OV1hWIn19"
      ],
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0tUV
  hKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy
  ZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJlIj
  ogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzLVU
  zQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGlj
  S2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgI
  lB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUkybW
  RJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKICA
  gICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2Vy
  dmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiwKI
  CAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhRSC
  1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ldGV
  ycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYi
  OiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3FFQ
  zNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNSVm
  o0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogICA
  gICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLAog
  ICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNES
  CI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIj
  ogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwSGd
  Cbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbWlu
  aXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVFGW
  U0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIj
  ogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJ
  FZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2lN
  UjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTBza
  V9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsKIC
  AgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FIIiw
  KICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVD
  REgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpY
  yI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3OU
  5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY2N
  vdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILVVK
  TjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKI
  CAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0ND
  giLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhenZ
  lNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF84
  bC1SaUdBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
            "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa8W
  Vr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In4R
  Z9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
          ],
        "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fPbq
  u5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
      ]}}

6.4.2. Complete

The complete operation is used to complete the binding of a device to the account regardless of whether the operation is initiated by the administration device or the connecting device.

The complete request is made to the service, not the account. The payload specifies the account the device is requesting completion for and the identifier of the completion message.

{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW"}}

The response payload:

{
  "CompleteResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedRespondConnection":[{
        "EnvelopeId":"MA5F-7LDW-G2AQ-N4PQ-N7XJ-243G-CH4B",
        "enc":"A256CBC",
        "Salt":"5N4XeR89WnRUPeNN9eehLw",
        "recipients":[{
            "kid":"MDMW-WCIR-FJMO-7ZH6-CN3J-KUZL-RLAX",
            "epk":{
              "PublicKeyECDH":{
                "crv":"X448",
                "Public":"x4NzHBx1XxAiMAvIgZh2htXH9is-DGf71wwvqJh
  jlWZcZds2vBOGHhXCRI85oGRbSWr-rXRNSuYA"}},
            "wmk":"DRB_GkoKIfvQZ7RTrJHrYxj5e82Npx6MPiXeae-tIrWhmP
  rA025oPw"}
          ],
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRFQzLVRNNjItRz
  NYTy1FU1lPLVdRWlgtSVIyQi1ZTkhXIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVzcG9
  uZENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowM1oifQ",
        "SequenceInfo":{
          "Index":3,
          "TreePosition":426},
        "Received":"2021-10-25T15:49:03Z"},
      "T1FrG5eIYXEffmfCQyyc6gUWlbLLzDyAboglNpOO6M8qoFT2MPW8xwZoqc
  sEOOl4nHsPbxOeFfs9VCOoS78oZBDxayLqSImKNQc6xs6thMCvRbnGyZ30TSj0DI9
  -aKyr52FcC47d4ZUPS2u1-egzr3LUUHX623rBjbtz9eIu3jWaqBT2G2Fwa6AE7ekX
  R06xPsRK7exnHVTJZV2P-KMa4fSA11i5SZTgxnX7uIMbTmn4fA-alK7z-EalQ63wR
  L28xpqw5ajQp-1P8F4gXclo_MLZHRFtEvZC-dkhr_5iaB53UJH9tjxPRzgdiKy6nH
  saifrqReQcTrgkGDgUKcN2USIN33wUwIEnmr7dwiJIdFWxqFWMbE-8niOLL4PEkyp
  SNieWNxW1G4ED2sjcFL8wHjD1k892F7Qh6w2D9YlUCNNuoa6-f6o6i1f7h-2IgoVG
  B56yOYHYP7omRCaYk2-l8w-hqITzdsoj1xU1uqYBFF7rapyGAGS1FMHq4_wDI3YSF
  pRckLGEV_MzHPM6WKgXRYlRi-lPPooBDmr6PRerM7kI_EKx68r6XV0q43_dOFoMa6
  VgEvu-kIXdlJLAN5ky-dNrdELfwgF8HFvshwNLvsMfXx9y93DzA8rRNqeJ9BCnsE9
  pSAVzJ5S3eL6AKYsdQ6gJDtfD_Tfcxf0SEBq0w8gcO2Q6uIkRq2YOSVIR_LuqZSEC
  wTpWr8_VcK3iHXcCaoLrFf3_x92QSR5HcrRImBMY9CUCTGLJ45ry-G0Je0ZM8C7WQ
  MvufGTIKE-4z0YnrZKYwfgWmIMdKXv-G54QRHSM_sAxxEd7NF8r6bzuu_kwTJnjkZ
  zR5tDy6Bgsc6wf6Os-QlkJ52VpdBMxKzBDCchH_2JNv2k4rV7F5aQzYnLBP4jWsxh
  pwMXtYTTsvEeg3UTatSxeh04XuvhFeFtiqH9o6JJonJUq0KLw0TiULFnlGXqXIzxv
  PX5PzXfjbtbEFVlaadHX9K7k6ebzRmVSpwWn4h4io78elFkdyLjJR23_ID53IbEtB
  Vl4KqevNyuXLKy3WVZW9jWR1DggON-xG6h1WwyTq9JFBCPj6qkzjI6wz6wTUTiNxt
  PZoh_Rj8PbouzWD62ZmOCqFr9c9-9EHJZcMSMPQAilH0FROao9NiWUOYa_ye2helB
  CFgf8zTBTlL_kZXbpkvm1Qf0YaJUddkSkJRIASLBtreLhJF9QT-9ln42oEl_r61Y6
  mv6hSG6nMBDkI7jlua_HbTq7c0dPfbC3wJki-oj0J_hHO7IuqtgrMDeHih8dsonhk
  mYKahV8k0-J_t02kI92h1iDYbNzAftM5FbfwbzMsu7E1xtMxKdhHemHUZzIlhI--G
  oipVdXUfoUtK4TQ31Q6X5afpnvZ_wBr9OUpWOrKUabQ1DRocie-pf6g_M337csJqN
  lLDpwXeItNuD9beZvjpT71K9HAI2uqDbZwwUXFquDbK_ZsU3N7NYFYRi1_CxgS5IO
  XyJNRI05H6_no9GGUy8rOpoP2gpEDKO1VKJlU90ztjHldc_tEG1iRuFrr8bfAvoW1
  HLrijGIEXQDC7J8Dax_zJj1uRcH3PBhuNYOqQ-Ipa60PIQY-hwC5ylfBuB3bSMcua
  FYWKCmMQt0BX6Q4-JxvD-uYmyslXq3iQBA2VFaR8wCfZrahuUWdH1mmQSBikyk2i2
  KD6AiuaS7RaOm0eHEx9n3dMzOGsL1OpfOUWHqGvLp7lwmpsHDOaYe6fpjVF3Rb4dn
  naGq6nzNH8AGqLglIB2GFf-GPqCaQp2y6fyjeIKFMWEZYpxiJ2fgkGMInN_1Q8WeI
  vUCEzJc-xqLEaVsyblYNKv8YXk8dd-Jw1qoia16YP0W7_aMMm-_wHDYMkU8W6q0GT
  ZVZZHXtZKVnESRC5RsI5wJBrUo-e2-0RO_5AUDKBdpJ1LJBAyF1nhkXA0beha07fa
  fEGLUS8b46pGxDiZs17mwF1PRmnR8bFyXPbs8lGBMYMOvR5NiDZE00kRbEMTbE_nM
  _HzyYAmzClyP4dPtpH3nDXT0hjkf81bxKJ6hMOHP-fX1jXciYqKJg-fJrWkCDLXRU
  k_Yh8G6Vzoh2lEKHhLdw_uHV8ivo4Ur8D1UY1DYsWhab3K2U6a1lFC6P5PSIHy00M
  3GR3egXb56woJROsyiOx7zA1185Bk-2BQkMvlZcTtZOnmuK64yJBchHc0rFR4780p
  4BXdhAfcuNy0q9dtY7Yw2s2NlJ9sbRgnqMfRRkOWChOZ8eDCgq-u5PoTdHAwek43S
  RV7jHn6LluvKl76_EaivyWwgwIKd67lqlvzw8o8yxeDiq3KScT1vDtC1-oYLmQ3Wc
  pqgs_PMbXTebtGgjKCengZ2ZxYPPkJLqU_O5tvFP-kI3SY0OzG73YeICbhAWfTEZ7
  AwbZwxE210OWkJvNMWOsWv3bPfCaaYs63F0TqLz9tb0ASj3glOsWlJALJy-N033Vh
  FvzaUqETHNAAr12o5Zr3kPNtaQ2GtT9zDA2UGlFK0oDs5Z5GDzCRlmOmjfeAq7ITm
  dGBvn1vSjF3R9kX78vELK6JtUXVYTrDzdJbKRKoQFaxXKYFwxKnwaaYLEVafVThW_
  Tis2G_9CVEvYx3oizzK3nn_jJZiCW7z7ajEcLTIJDEC3mPZZKIhb51yWA-aKQ_fbK
  5iJVZbolQGZNmJvYDkpafNMcg49HQ8Nz-b3cYVzoMIEEIjlBDVwc_Xx60N6wjlYUA
  JA-Nnz1YrX2AvOyh5qeaYG6__9qdNTO0h1HXH2AtVJJ1wzvE2jQwFuU1ii__gYE5I
  6RVcNM0sTM-JNNtQDhw2Z_utcWj-7xbCRuqzLqQ-lkKVzMoO63N7L7uPB3jOHCpN5
  N3__lA12d-yeQR47b5JEWHYadeUO0kPSdmIwaEDoGZ7nHhNQhV4q23EOPQ4xYr315
  7hXwtc0sJR7EcuNi-dXt6Mi1-08QxEiedGDORZbMzqhNIsiVL74gfK7YMuPQbwcTo
  MMvzydfSDWa0MZzjHVr-7_uP6fkGpGijB2sYnKzMIKYSneExdRuABNXEgESc0jKsS
  KGDpevK8iyOAqYCyHXXWjzWrrEUhLx8OZXsPTJlHu_IYTo5Ui_2Txgg-9Dp7YPuYi
  yXyl4GXrmmAFrUB0MMBIlt4o32MTugKlfQs6xnCUQLnbPj_vDLJkD4Sb21Jf40H4p
  uF3z8EvPQEOX32zUaL7ztDK4r8qs-BaeD6NaiMG5quE1kktKYPfYTrLWkV5pUTtI8
  YJrZ2lqsTHQB9iaEaPSNaDExpfyiFpM3SdlAaUXoUXMUWm8BrTEf1QWAEWaP3Wrdh
  3PhEUKjuE52zemrctLB5nQupLQzPK8nvODafjMZaIkypj53MORFh3Us8sHxRoauk4
  9QwEg7Uhw-gDTirMIpW-xlUYzoG72AY01k7GgJOpr3F8ZxeBAzKN-Yv0DipnINAcc
  0QnDtoRSnScQsrUWmn_KRyPg-zit6k1DQPNQc7-28nRkWqczMxqyK9O4ORdE-3cpF
  Wbc4N7Kd2iuQawPRRDmcCLd_JzmfowdL3UaLGzUTaxdKbvTirtPtgaGyi95V5lsq1
  0yvI1B8d4VROuvFVwAl6TEYVeFhvtJyWQyWSLMwOG_8aVCyxI35rMSB2f8bjwxAiF
  LO50tSUen9waUV_wTIuax80VOjy4w5inXSF6BOSdXAJso4KJB9j42eW__ATXfQivf
  Bdz5bgvUXucQPS2GJTF-qkLUQ9nDnr7uSzB2hl8D9DCYtid5ahTDGUEsSAzjMk_KK
  qVw4fp3GMoTxhoXs1p708VFl6tjnqPhH6-EC1X3pmglW95raBZAEhc2TZTgjrD_Qj
  pPcWAsEqlouVbU3Q8dusGPGIx-WJfpGi0ZHznFoTqDoMvFfSu-UBeha7gHzudU_hQ
  FoOyvFBUij94F72hx8vVKbc-iLGXmw_tSicy3kHfCXBOTsoUaxKYowKMl-SsGHDbG
  jPFYU7XWD9DIXrYXwFgdqQ_bWh2lXLFi-Vvn0JxUEN6Psb6hYAA17vAg_P47NiAo5
  0zkAPaoSh2BZLqQlYnAsFmy9zMOW2SceEIPhiqwkn9e1H5cSYnr_a3KSgaLxV-M6A
  Smr73KUzb-kdeHf4Yx-Hxm8inKhwkFNbIyudnyS-V7Wa80mvlgY8th-psFBqtGgpk
  Mpkj7pOM1-FoX5-E121Z95Zdw581VQ1iYg6V1MQXPk17qBbX7xUYPWgQcq5XxyTq3
  zGKo_OIHNXaorhj3eDoUwso7YQeJhsONcxmrU5jiFM2JKVsLWxlsWaAjsJt07Coan
  kQCXZ2h8XS5jB-pKcPx-072s4chxwFEY48cEA4zadPJeqZ9DcUr5OQhfgVhdQrEt9
  u7N4PbP0xuH7xINQ4hkgjfH-oRzPM96uRbEiDAFl1L62dV95JdKPr4NP9k2JN7QOq
  n1AoFLZB2Apz_nU1oT8EiJb1DzocQZ6e-xHQgdbUx5rz4fIREZSpQo5l_swknavfk
  wF52a2GZKk409OjBnrNKMA43iDA5gdmG_sMzKB9-0e1clj7hwaVOTamV06KNDzvnp
  fG6h_1nCoGubSxNurRmaNYfD5peV1D8icPOcDOtTJ7RpzmSqp8OAFWIZ7NU3cNsNd
  9E_AowNSmL5kCfHz47vSgRGSnILJAxDlC9A-0cDl3q9vroUXggVU2nJztC8ngtL71
  Yy3VIDhMjDmOV9aeCpLhKuzS9qjKLCrF_SexHWX6AfpgjoKvf9A88doKWapx6tgsi
  i4y9ms0YGgphjNgzDW-mXR5wW9QRH3iMYWw-lu6yUKTeg5pkZGEhMu12Ppql2ebej
  vgFYTWdGhT_2lwZbIFOOBhH5Gnn-bmqR3Ow7K0KhXb9XJtQUOgSkmW50OSQlT6ZNT
  01OxGtLuROdMjj-DopqD2gJVKmWCPtjdsuVyv_HZKtgrce8bOCxS7OnsWDL05JdVu
  uel0wOsya3HwQScwaZRt7OQnEw6r1gYJ11hxlL1AKK2ZzyRSSVBl6WPfXjQnl39j0
  mPooM5Q5NfdQaFkjIqjOlu0cMJCAMMeY7B80R3evBHGTV7oYvarbhtoDVDYfB9g-b
  O_5eICs9EDtD-vs7-VGW4TQNQOxuRmSzvYgIGZlXH8R1HWT7x6I62fBM0Kb0L2jMo
  4G2WLGuhey_TK3yNb1G9ozxrMm-xZVrul20vkKmJu5AJZLGSUir4vm1aueDqC4pDh
  IbmVRPLk0NHDfib6ffUcgEpNhKpfaO4yr5Tzkajg6pIMZ6wrwZBaySRvNM8qhhHZK
  la1s2peaQ-ym2OIW4M_TDGiqj0E0rwCTsr3mLcMjRSUajHsNFtRhqmjsR6eQxdIJr
  Kjdk6rrKCzNYD_hg_oBb1Cn-NyLR-zUh0fyqBNr_OET1tr2HkO8rCqrItZdEheQSe
  q9of4XWcJE-VgW-VeGwlGQIHj4FVVGYaSr5OAJSJ6a84Tf4iizbBPzEfdqFpyvm0L
  N710E5_wdzwQZgXgSEnR3PXvecjIyg_gS47QBZc9k06rCnW6dgXK1lnYqsQqRt5bK
  vCzDVkXFjkcDieHv0D3z2XPyw2CM4wCaotLTD5puJzLwp2uweCq7HtfPulksyjnFD
  VoU0fM0FvH8rJaAoOMV-rnX4-MHcDwZmMK0RrmVZfFrJ0TJcR8Ar35PRAwh1F1Ur5
  2XTtF74Fi2vhJOuc3_pO9AGrmobfd5zfkCtVXr0wM4dTvI87xVmFW1tgzMtgGOQzp
  BEZ6P20oJ7zr9ZxfYknis5bV7k-cF4ZEwO6fTtFl78heHTZY13uAk2vnKdMGmpDs9
  cc8ulCDc0AOg0wQyyIxRL2WVPGJCpSNlib8e9eAtXLffYAiQZ4bb1ZlIUoH-G2QBs
  NL9tL8Gz85EB1fZU05TRF6X6pI8vgGgOcEQl0-9Lnwin0YLhr23iCwNOvQnh2WSnw
  vgcMsUup-FlX0OVrX1atcTBffJDCYNc3rZsTA2Qs3Qkl-JthYvZgAEIQXzxE_EMoS
  rIRpRbcKDFQnQ998yCh3dbJfQA3rayL6ZSqONhuWf_SqL17NOZCVPzPvGE3GOnSAa
  yCd0Uor3NZyXOdULkv3Tpi440CD6nOatAV97Hq40nnpI-K4vIWt6xIfBO-Tidshxi
  JgXwZQlwcKvzShL3WAUInFCPM4AF1UKqTuKdTQs1DXQuIoZZxFf4MkCt037zfdSR7
  C_UQFbVdsGkEcRgpL2JE3WE8XTqN_LfBX4X0VspT-rJUXNKQDoFZChLFizNasAGyx
  n0DzzR7m-LLwHZY3-rnpwpiUKKRNT3a7VQtCAsIQazmh2sqM1QyCuaDisNl9_JIpl
  32rMBYwvs6iMGVvPwyA6joKdUNBzMkLrIoK0e8MAEeCkk8DV-TNyYgNIEm8MRwA0N
  YHJ17fu9xlcjGiyMt9_g27mCgY3oBimsdRb1KEjGSGT3WHDrKCJNGpM77cp6KqyDm
  63oKN5qLlt1vCDS8Ni9jtRIZbUn0PIDmTTgj-VKdLvUarNFnisyIZhxoNy8emjpsz
  ct3zCpLpQ8UU3rskSPBuJu02yQZimLiM9wGnhrlvADdxKY6k1VZIFeONv6U3676BZ
  eMzVUADZsIceBAzIpPf-uqCxFnpjWf8QyN5tg5n99NIvsVflwQUYp5hnVqdUBFg2_
  8jKWv3xJ9hLWnNigEvzrW4s3FuludlZkNdjs6i9sqeYvwSRyGZyjC-XtWhdALlsMU
  O_C4UhrS0vmLCpzGEvIUx3aUYQUOOvH_-_4t72mQIeNpZFEo-SMUxWxc4AUpte2fV
  Dpn30NvRNCIa5m7SyH08A92Yv5KusVeYYxUd98U5F-3YRh-9G_LFFbiyvc5-R3EIY
  sEIqJnT9op7o2ClRo12HnO6D13Q1tv1Qsu6AMDiAlU4BboteV1dzLpyaxwk_cy7Am
  lcuE2Jx6BQGH6n8oz-iGxXUNGy1-Q_kA0DtwvSL6yTEoL_KfmKNL2lSS1KEGeq-fQ
  -L9_FW8UjXvizNWDBTByGEMtxM6hE-3jJBGMvbgkp3oBF_jrlGB2Jyb0QpsFRTGDk
  2x1mx1G7WGDL4c5-G1J4L_KpgazJ3D9FNJkKbCdKRxeHUTVgusv1LiXw1EN2pohyx
  U7Cnn8cYymTUWa2iF4t1d4HBfiRdWWzjTQjxYgYJh14xUPcPBfttqyNlFW-_32m50
  Zo6N8LauuQjmAk-YMc-EEbL8rNrkCk5_aRV1icV2bpkPSR1EYAkF00ATbdVgGcnZE
  bJQaJHUFQYkfzSimhSs83rcNHHIz6_3gMJfZADdRMFuq5OfjrgttFehf00Cbo8glS
  EAtpAnaLKEUL9xzFiJE55Bkunn35LvhfZc0VhXZhhJXaNASwMxMIClJG-mT2nLFmy
  lVBwHncEdiMa6m8MXdGPCFAD9k_ndE78vBzdcy3RvQB1kqrkDWupPmEyr4Y36jidn
  rGmKeQTEQXB3h1m2N3X7nWW5hHNDSE22qZ_TK-_5zYnwtfRiDK6oQP0HX9jovPszG
  35neiY40tiaK4Fac88te4haHretD-4lwnulNWK20LiGKKVLIogoy8rW4mtxu1gp9b
  zDV6ETbJ_QlswnIGpksy5lmyA9H80HrxXgzsV_Buf5vtE0y_hVDn5vmrL7wzVOjqU
  L4Co4M_E-jMvGDB1cgfVu91yY3VVC-MFp1ashLuFUdrzrwiHPwnCKB6wC4BmNgrrM
  UBvrV1gtevVXX1iKoZFHBOF4yk-LvRWejr7QNw6nsdjJiv9hN3vp0vAUsz4I_lMlT
  LYKfB9q6C825XytaXQ33_K66ds--4RNNGgz5Ua7EgCtTJhJO3xrlV3fmSLH2IDPzh
  2aMnWpJb7AHZeeH56lJQAbrf8SlKdHwp0VM0i-6IpLrSO8g-5LJ20lM1ybZv6izem
  V70_785ejdrEby2CH_aYp_2JXHG5REbTTdi2-ckSMswsiR8FZfhYoRjpQjbauxGId
  4SXU-phA94wiUqRnS6VryqwuLpjOna53E88ohyG6Dr_K9GeiXbd8vaL_zobZt1m2m
  O0V5J1pdxdOHmUwOZoVHPvDQSDeDR4s83lLDpsFUHJqkMZ2YTNGf3EsB8hFvqwaiB
  Aqu-G5o19dodlajRfcUkTemyqYpTEOq8hzhejYNWRt54f60vrK5GVqyoJIdnfXxcp
  0cItIAuWh0dIyTtKJvdO2zm9Xg0lgvCkd7GhMeeMUxPe6_0TdpHT2c89WC5LnV3V6
  xhPS1eJjY66OzGu-9XCxNLntyWXWqESHNOTg7ZMDA3qWr09pk2gBka1Jozi3UsH8i
  mnt4YKrLJ_jjnDtF1W7No2SuWpSYXnw2-7YflNtLluf-Hl95Ts82HY7QuCvDbCemW
  GBFppe1hsKQg8Xii-5O6AiiYO-XDsPxijzRACm2P_A_SBsYanrgQwz2-E3jGnfnMm
  DxTq0mWHWEc2k7Jm8fy3P8F_UWSL7rPr07VrEK6tS7UQOUiSnbd_B_ZSjtV3a0jeS
  T-t3v7irfzfVRkhlQiUIX-aDiBpNM1I99aT7iVFw1nxm_uQdOXGHqFPRGjTHxRqtd
  ogXXhbK2fqoVBk73eaDZAR7J-g-B15CnTxnIAoZEB3azd_Dp3At2PMpBuFiGmAqHj
  2DgoJx1RWrQPPpX-ndBxlm7YVL0RI7FfNPSdXtd3prr33gw2v_tciuLLjaE8A8gpD
  oGKtgS2mvXnM2yDzwNQeZVtBmWOqEMnkXu3XbQjWWdptVFrl3K78KYvnaY8o4viJk
  D0eRQxGXq0JPD1u3g3uTjVkbkcvOmZXpBPhcNq91b5Cuvu7SjOx5ANy8Wh41Y9nBF
  JAllGKdeWyjKLZhWfBhGxEIimHFj32nJHYds2WJDmSAXAqQ_F32YF6UT9ZAegeGQs
  bLbX2ccyZLo-3RVDDZ2_1UGZYbx3wEH4M9XqOLf6RtGFfgW1_3PLF3v1N17-wJ6jb
  qt4CGrvIcEdXWsfw9PKcauH36081jFEQnh9khDoZ-1BWQnjDBFBEHQjwR1ivgwryS
  Y8YCTSWUhiSBreJ6fAgal5J2k-PrjIa913qIuOInZ-irBfG2zMtpPuN5p647VpRT4
  lMl-NM-SV31gzE3va4vE17T1nZX4joqG55ASER1gtZKN2oS4OqiWvpr8dJ3b7IUPL
  CYYaRZEGXdAw38n68t7PyWvzFdWv8yUXQxiYHJRcF24ROGJeDBxjwkKTDJEzdapmI
  YKhXaElgzD0islRK8O5cQVwv1yvE4MY_cbnLMvcs4lVcQEiQqT6VuIrCiq3rrXvMA
  C3woX-bhn1-cT3BZIBKjlx0_wat7hm3ZGyNVE_jcuLoihgXBZ1PMNQFJGQED3PVhd
  xjqIxPy8b5wy6IEX37uL1PwY7jk0qawfizmn-sH6Nou-6QY-tqQCTjFG5BXZlkzaK
  hWKIaYd7CC965r_f1786rzLrLkY46Fz5wLS6qVbiKvcAGTbdkNhwAf8eVYWqbWOO4
  2pgfQ8YYuTEJRZtULsVIzTaQTonW3dG_AwH_bUsRz3mrNPXImv22OPZsoqcrnETea
  2hx7gVSWN3f0SJNHjvi4Tls2QLmO_nuCvgIlz7aK--PFT8u6DqYgtAF-dnHF0J_22
  9_oSbXPasJlno4ajosMs3nE6lpJidLH-rOEaLlVmQJU8rGYaH4oqu6etg5dAkoHdT
  nLy_gNHGkArhPMqUQ8_eTg1GFw0SGZDWmmI-X50xyIJ0OMVVO_Ohr4ogphvZWunCG
  2VB4FM_mn6VsmtiMrcy9o8swKi0kbS9hJqAC0dmIiDSCNougEReLmtxf-yRZnqxtl
  u9qwURK4EKHq8m1M2JiN-H9-HzQjEj8g7jZziv75l8gdwDrMM3uBSqtarni0VFs7F
  MRbg5YYofnZHy0VQH_zyH6wrRrjfpgbrU4yy7pAy3zFXraSHff1eHiBsikTzm9sBT
  HZrjJ8iiwtfIFiqUIEIUm_HCCcGG_wwMSsL42RpAQd40y0bFNlPUquQWf96Hb93ld
  MUJZHvSRoBvlVMdVdgcmbQpK1kYoxGf4MdupEwYXrNQnE67uu6ry3WHu66bhz6W4F
  bLutQXKzVpyjCiyOP94LmeKLSe5r6zHUT4wRqEEVNY2o3wA4R1cKIApCIknCRjDXK
  sw6WDkoO-FWgWKKMEGBwW8PizFKujnwPN6l_FGDgAS3pXiiGhd9NR3LQCKDYc1yGi
  m6quL-DXu3BGRq9f1BqILOw2Ibm_9XG_PaGspQPFCY6Y-5WjK3jODDzW2q-xnUw6Z
  7MIphoX-GGICwQmybh47MqJlFVTsxna0xIi4q-ONBxKtmk2VRPE99KYZq3NkcHA2E
  3F2Cfar2LZ7Hp648b8yBDG-GTuczVzSpMhPNnfYhYzCbjtXrni6DkVd-jQgy1rXW-
  -Ti5S-SxrMWLGo1S9zf0G-T8o1lEjCx1s7miY2Asf3R8GpU98DfIibJBj57B9xLFy
  latdfdR_oYIlHCQlaKVowF5qmOLeua2vCH4YqQpO8NeV4D1XdJSdMY1nq3XFSbyGe
  wLQnJ4UFEvvRiMcCCp4qPWWnFqwrNmJwKo5X2fy0eQaMXQf5SY6gxNCZG5reHjAzM
  uUrgs5czDZ54YAhUZDJ-1FWJAKY6g09X5byDGoISNKMzWqVOxCKUQJeIBreVk5fmp
  ZwkZPpYOC-uL8hGw-fvyzGBQ_sksLgrB6wkpPbwReDN2xlDx4WnzwA3CDY8IF6EzS
  YzDrVc0LwLfX3iTkSy6zh31cbvPZzEb_yPSMyUkC0bBLckrOTIizdRa6khtqTJmqI
  AM7YmeQF81MsquZfxD68o-op0Z77GQxapVADOjy_h6ZURpilVx-rUjW7ipeAjGplk
  VRJvuSkSf2KNywiwbcsZ62lJi6LKLrB_3-_wvI3VreBaZ_P3sNySMyi1Sqm7mirBe
  lAzIctYI4H9ajp0U17xLF4fLQFFj4YVlIrh9ObUFcQIG8OMbw0L-C_89kjaT_Mj7J
  AgrYhL_LHrVgE9LEW86H4f5n03vOlYw5eeunM-FGIjr46Kj0MdP9v2i6VlzFXm0jN
  fPmepOVPXBEqK1YHmXZCRXFm_ujfvsMXuuJs3Yx79OVdOIN-vQ16YOJu3F2v_p8BV
  UD-UQLhclrCanwPZhtpkkJp-XdwOLRNRicPPkbnxFL7nkatsYigWoQZGcaw8T2Nv_
  NQ3UAzc_HsUvtYFW8C-xkIk8fdwDzBcLD1yAKnv2dQ-tw-9UtH45tri9r9t-Q1Wfg
  ugiHDEo69KNOLdNMdmjTSq3rNlO0IDCiWhYYvMQb6Ew9px7ALvBBT36sk8dJU1hby
  fO-_IdXYDMD_GdSIaEWlylBpasMpe0bFtUIpPDn-MKX0OLlBVkflUCF55y0fNC4zY
  a29oey0BNd3bCmvXXz7e1FZ_vy3s5wwYtIyYi460oU1QgMwaxVxRWUwQuH0VAhS4J
  F2FDYYAZJWxbAfSphYlYt4NuRgA-wadDq0DI8tShOICdIy4vB-_qgtSGjUzQbHYdh
  DzN-tMC5OzOlQCoCjO13f_045qAMnzE5MwOBehatGLyaPEmq4mDXZl3zjitJoMeph
  L7P-WX-ttlH0DdQEq9hhVtazd7Gd74oEZGTHsqJ6dBalpvIbdzzkWyb1D6zEvrY0-
  S4Pf9f6yK959m8MzLj6seBcME1Wwsu5Z9P_fncjs_EBqLs7ndJ6nzTqXC69I153ED
  L44kPXOT2k4FhU8T5IbWwiIzeE0WY1Z131ZrnWxHrxpn2pTlmeGSD-37hH3uJFFFQ
  Z2yvo2oFdlN6Pr7MNw40xNRNhO8DWnToh6PewUMk1_SsHyGjePhIIyuM7eoPtacwG
  _2isR8Kd_EMh22wJuPHmqOK6j-nh9FSt197E3Kmy7j3kBOTctm0RJVAKznNy5ymp1
  jai901f7UrYgumRU-GjR2lovJqP5ooF8FAE_oeT9oc9z58o2qzLPBQdqGoZRUbbSL
  Q5KAlKDXUWLZVBUpGiFSV4qTpH9LIYtjao3egQHtpfcPZVYEsFn52y82zFs3s2t_5
  IquRVJxYXHayR0JYzl45WGOS0TQrUI4SE3UsoEdRZHLsWO2WoRGDitx7u4GjvGgvz
  ROISFKGQHZDSw1m-ZzTaWNDLhD9qqnsOkswNG7cQA3MUh1hqo_uHKhdKhkiR9pvrl
  fuF-Ik8kSvQyYcqBMp4MFXQkadhYbFXRpMMxCO9ShqwLyQgkFGbiVc2RwKoz2XA7F
  hhNBK5PI7F4_z0sTcGYRFMYSuvL_uV9yCdweXblPpf5JkyTwRaPClYR_jJNeIRJ9a
  iYEvXbvQDigTQPMvC3rqu8JIGaB1G0O8wg0IHK-5--GOUKi1aeawbZ0mgFpqmFJp0
  2W2L7kleUKBNT1LlHFVHOHZYNavKfgRf63uO1lI_hsONpm4QED_Og6xhq6jHqp7a1
  0WdCSbzDpBpqzsPj5BNxO9nubaqVT8L81JUQrPxvMcVoXKwf8nFlI20zzad7yGnav
  Yye9eFJH-72gBCSZaXa-cJAx2Q6JTMbMeuFoCB_a9L0ENTzJG-aklTd3yiKILQpKn
  PCmCQm52LzKKdGsbT6eqdnAFYiDbWKoHV5f8KqfrdSwB3RmvuvQiW3W2j0Ycdbctz
  GxImGXCRNrteBbLCpr0k5pVxo0OdF_AFPhtL7t_Wg-xhjfg-u_Wy3uY5CnUGc1u7X
  nNEg00hhnc_8L2icwlIb_enrluwV2MgCEGP5IHXmdkILlLFatBWuZ7LO5Gp4F5Nxy
  sBPf_ESk5zyVMT9R01sXdjj8mfl5HKcyM3_orH5VPi25MBHAx9m9HW6lmKP6oz13E
  rhJEWFOTKLRwg4rAfKypXMATRO4ve9BcvIESoXwS3FI8pCy0zaaiEaH4kBU8at4fy
  uV4Ph7Guydy6brlZS0jOGGhNQ2LLlZ1SfN7Ye-q_MC9svxsbXwcxQXsWQQsWPKBYa
  0TTCX0QYu3Jk3Oi8xAdCmTtssqvEKYSe9Sm_axauAQlISZDPsT53h1iiKbPRE7SCT
  ULWA5S2M9X_IAoZWj3NVTR-nD-A6ntO-hOdhhaZRth8OX_ZO9bXW8hp_-B0aF3-dM
  ArCboXMa2eOx3R11sQgnvRsQNeeT6mJutjdeEl7AnOj-cAUze5QEJc8EEHYWQyVnD
  ZSA4kGkC4hxdd1OCgKSg4hKEV8y8AyNYSHrKhrubPKLqeYg4-ye2niK57PH25uqir
  p6nnhLusFWnCZKNAWKGqWq5MgO5YUCbvTrJi9u5dy2Bv7mcGUdCIJyX8P9Fzcdj20
  -XcdeoMMOygqOhWb29wqBnQtMzRHSFiIv9yMwxiNsJoWuoqMTWSkJosDy-vKul3Et
  mNjPSkEeyyo_MdMq17dJFE3kRlRluWypBFsa9FjzDwlAn7ztGkwyZpYACrwPkry7e
  dAmUQGyfAL7G68j8faRrVGHKsboal5ipZVX5pDOAmis7hUa5BEKvPEYqakm3T386O
  a_X3UKd9zPNgKEqghqM4SMm8GhTuR3rP3UaEgoIVj98JBz7Np2n3coAnUxertKFcv
  JZqadvj7_BTSVdKk4eEY4im5h1KJapIks0bFHzK9Pgt8cAzJOEYy2UCa4xvLY3VGk
  WYioBrNpdIWWCdMTGJrm4Q_bMWNbn_bcQL6osNxjLCs4Ra21yR6opbwZj4hiZQ0m4
  ZjJQs92prkkNUR_dYjttHPCzaqMOhS2oBYZFaOvI3xhkgrYI8EIhxAiUaPvSy2g7i
  wfeF8fcUrTvA7nRLhJWsokj5GnDyZ4rK7a91zW4oaCvN1yLcFXvoJiXHPOAS5vB3H
  1q5nqQkMMEP2dnxOlaNGkbNxcwfsU_D1jpJu92FL5N5wufAPHrD8gKjBOBRJAKj9-
  3D_CWIexFq8CKM8bzWAUketQEBuML_6hLKLnECo8CD_0a6yoxlF6E_OhG8oI3PT2Z
  vh3T3PznbLJzquKV_h_nkDFHNJCtljLcTtckTj6KAlYrrI-nZHiXj3siK0N07tOuJ
  CorPLhy8XTMxawSzQ0OHLxjvKOhdg7XyATii39RNocazHl8kT9dtwWhkZrWFAYFGW
  Hb6_pwfWoziHPOQg_HLT-5l_xbM_4xVTFvfT4IRs8sQReM56Qn-jjb6xgFZu-6Wus
  2sVX5YOxkBma_eQj-D5iR2KMyft5XX_JEtV-9tiGKamy5-I2RNK9DICNzYMysj99p
  WS4dduKlR9bd4c0zmHhODDo7iGXa94nliWSuNJoQhM6FghGlhYKuzRbv0JIF0WNgE
  ZLBJob8zoKh5K8zMuW_8ThFTjBeRIeGCR46tOaFmSau4cdzo5y0ojci8zNN_XYvTD
  CMoB5jUXJQTi2zHCgv7X0V7Zk2ZK8vzVCq705GiHJYOVsV2EEg7e7MYHEczt23Ek0
  ar7uJV9Lo5XpeAT4tRjkETupu-EVePJEdrzDP5rZehRlfJ3GhmPiJFtEzkrXKhzcC
  c7PvU5BaQgoEtmMs36Kfrpxc4qj6x1UiJc_4yuA-8AQFmynmyN1D9LCFbY08DsOJ6
  zxQa1hGZdRsDbhaqQqMozUovOd8UtIlIJAM1SsIHXseZpaDJ9Oke80g9Mxosn1cCC
  eb3Jn66Tuwe4zeMBJhPloIYLOCx-90LjIReXNtEc2RxTaQnUmIrRu6-RWJcH5_xjM
  7zK-rkqCY1rPpZrJdQzWpaCKjYpdzZO0qhUBAzs2M63GjS19rwuyNSlaBYD6KOgRB
  KOCv3g5-SsLlmP-YKr4olIVUOQPiNtDONcYnvCgVj1Bv4V6noAxI0rdzMKy5YJlgN
  38HyhpUHCG-RNM4nMshBLUGS9I3Eq7EbucH3Y17TOpGPryfCALnyL31DAzGc92ApI
  l-ByI1M2ZgIivCUIdDxwaSJSfgdUweELFx6ZnIdz3ZfctxPs5Enh-BBVa2KrI59Sn
  jjafNHosP-XFMM6lh3RmvtfuPTOIjxnsab7p9ybEiCDuF1ysG98vfk4uTgyCN4AvL
  sXlSFLUIkqwl2INBUqwJEP2KyZ0Xrp1MQXjkJ4E1PVI1jZ9EsOLL0O_0uCUPkhx9c
  f9OY6rpZRMvtTTuA5Sl4w2Ukp6QBkVI8q33BqWmhBYw4rtf5fWGDWRCy4_A1CVAPA
  WOx5bgecflHFQujVtzczrIJCOMqbJI2PsmOK8EyX7hi6sILpAcWqHE3n_LXekkde-
  OHgkSahJLrz9LvPkwgujTb4QFF9RSjClKvHVhtdQPRIlUmpPZ-mAbS99v_ddKY6ED
  c_ZC9VFuVtNsbyvlEXEzdUVVmXx0MDw4zHRDrXTaGUN7SbbxYYxRS_nrjk49ZpJ3D
  CWQ4ciyFFRXjkHWNbuWXQiVHM5pDBd7y93A6QsUQuc6ZhogLpGAXy_SQU49JtLFSg
  REVS5Ln_J1RLA2AAzIUaKNRKgcIVgFiBhtmj330UN0qxXb7tF43CZo5WhoFTjRfPX
  VySnHyClLNnaWkruZbtFzPDs3j8iti55s0xaYpS-DTuH_7vwN2N7AX8SuuLL7DSEs
  Nkux3o862Sk3xWSAnWuI02VO_YnkW0mvLwwlqUg9bD3oVxd8KWECiVCI-MRDZOu3L
  WSKXC2tptETrE-0evg0txQ7AN8pr-6Pc5ASY-kBQViCcszIdS358_pEUgzAntiEs4
  jzmsYUwUrfQsGP6Wg7Y7K0pdK56UXxQQOvKulzGD0EK39T0GogXu3rY_5lNWi2tpu
  6Yv7NHninziVhxBo-gAyQHqBuZgxNpV_7fH_JjW3aC6cxtigBMpW9orcG5PnuDUyy
  mFI6KQUYUqQbC4cSFU8KxC98xlF8aPtOxEPhasDE2jmmKlL7NPQkN1dRG026h9ZUY
  vaVexhl4zTca9b5mI6S3_AtdLzl2H_5-tm_3m0Kca_LxE4gzQjNKb-A4inLR4RWpA
  0Dek6-X32cTP5_8RcsH1NCfjV5R0c-l7a2TaBAczfuIWIJZurNmuglDO1alZWYVT6
  0rr6bU1N__gCkpaduRppzkQD5ED4TB7_OPcFYCu7l-qZVERsA91ZD2IYyKrKmjGpX
  n-ktC1S-FYObif7i0ixm_aKdX0AD1kL1O-nyn-bcb-pFuyj9u4iemuQHm13T4k_TX
  fSVh2wGp6Bwi4CUzlo_Cy_mA2nERQfPh5FST0nfQHU0A8L28bv87XXU7rPelhOZIn
  WOXRSlBh-y8SvvDKohTH5f4EFCg575K73iDTSa-Z_T-NzlD0zPK5mQPGULfnJafml
  AWZIaXdN8bOpK02iNO_iWUi6QOh1q2VNOnMgs2NYW3ieKk6gw9X-7E5CNxa4OGbBk
  snsWjdNLCELYUA7K-L4rNpGQHVrrMcmYeAe2dRyS3NykupS9fLNZuCr8QsiwnmYPM
  yivq50W3jTYpIjbx2iJHOA10yIMQsUrvQrTN7jEnhkaQMumsZnm53Jc51Udt976Nv
  RdArZKSd3elj5ceVAIDI1Nxs8Nsm9n4k3VtwvnaDBphcJk37djWWA4MyFpxODv5ee
  D-8uAPs3k3187x3LCP-gpeuXXLaCinb2BNvueJAvFkYG44arX42Xi4a7Adtq9zu26
  KVt4jfYz0dTz_PbIEJM-zdyaBLkVcAfU7g_UqVo120BVblAKRoA8ZC6NE14823Xp6
  -ch-B0B5OL-qRo5Ngi51qoXT5SKjwuykt3PYPu51ocpBO8UI8w_-lrUfMsRi7tjTG
  byUz3uO8dJhihSMAVQlhoPmP6i-_8gkl4jL4dOEAOImFxU-W6iq-a5EN2t7mifuIH
  D_2pX234jCmANNYqIlzKo_wzxJItaULf0006Y1eC_5a_vU2DfY4d8E-Uo7eYDCLQw
  et-oxcGsUJEuVyjru0VSeeTSOTdbCx6-7e9u_-n4P0lxIwnZmKlF5kAo4jrg9lXlT
  Sbfyq-wvW0uE35eTS2XEPAg-k6_4_CL-n11Pq8crBcDndaOfokp9qRIl7DePhh4lG
  hK9-f-qA9jg2oixToVxKzwceXxcC0vQYBd4fJhD0laLD_1uFZuxckvjUy9EifFmCm
  45K_WtSJZ1POqgx-Wn2pPHPHLLU_CY_NDBaHHdyYZWwi13yntEN8-p0J_1lvjyM4j
  nb_hDNFJHeZaCigzwxbGOWLjBkqwdt9XALil87XrXff3CwGBlq_yteYIe4oEIXUrx
  Rm_58GEuZJ-qSC4QPZyKZ0aAZsw5e3BkvQpzdrP3yP3wc-bWDhpwjfwTMz0Ck3k5o
  ARWH_8iSEV6oYi_pT6lyOMyABg4Rp_IzYyK0kATghyxmjWr19E56bl32wJg207Aa6
  IaMFggaagQ6LiD64nfmoUYQPOC2CQtIZQIl8OYfd9zZL9_zvAc9LlV6BTsd6IDpxl
  bs67SzUznVV9981fguO-uW55gK1mOvZFz_C4yd_IAKFWP_9VF90Tn7dJTzYVX-pkB
  rPylilg6iyM236GAFGoaOcvg1u6rRLZ_WO_I2T4idyzTdZp_QmCFsQ5kMdEsmlXxw
  ugU09uh8v2NPXy8jUbXwCZ1RGIan8d8QS91dXpHIcrD2mGcB1CggX-ujrjlRwO4Pq
  A8ssdnbBpIkW60Q9D32ojB5MlytqGvHdRkWAv8qgwV6EpyVsd90Bj24H6wAoH0Z8V
  795lPw5bIzgsKuKmkbzEjtS5H0ltxqhaIvLRvaIYyDDdcCQHHkSOIwjwRw5QUnpat
  M6z-AhpWGeT3VDvqmDcXD0dVummwB_sc4k5UddrgTKGQ3I1jar2D0H5foB4fk-aBT
  VpCkRw2fbdUvE2Stu8mdcgq7k4w9f0g3VWTODglG_0auhijOpw7EkKX5l8l1N-9lE
  Bq0siez6TR9gWhquG8xvlZHCPKN0hVhvBw9jW_YX2jzaUgEsmoSJJcFOonM7Z9Dce
  MWLRfDgmYk1h5TCtOu7mqoITK5FSgP8FkUb040-49W99HakCgRxtKj-R3hT2Exyxx
  aGFBbc2bD6Rqhf6R4tWjxMwM3kSE8rV3saJUR6DKY19kXTmD1AHThs3a-1sE1JveD
  RzkzOWDhOop1TwSeTxoiqlU5VYGYSPvgpP-l5MUMjkDLh9_4EGs8B-Wm7keroEuVS
  NzAmaRL6BY2HaJIPeH5HiDFG-iui5-zfBI2Drq-l1Sfytp_EqMKY24uVsqx6bAstH
  YYfjvAhmLf7SEbGgAFMl2ezIIN7-N58kybi-Z4IoUtCHrtVhm-SXancjjxYsYMYS5
  VXPfdj_KtHgildtUBdcnuXzrgsvfSXNx2KhZABn22yqBWefWOBBNmbi0s0_1qK-OE
  mZAjGeq09Kzxq7WpeuAIWVv597yUGEXqPJn80w0mXg_3jT2Wp3K8scZIiV3fWzTuc
  aw5v76paDewDPTVNjDk9IHDYEjBgwExZXHdHqQyvufGbwdKEWxzE0pfK2thHfDmSP
  7apEwqZrJ-0szRR7P0MHDZAjj3qqS2hNQu_Owz_9oc-6pENXkQUg77HIjlTN13jPa
  z_E4fcofC8Gbcxycf0hhG-mZa2p33ld-Birz8hqF2iyspysRw_L_Kgx7POTYwT4o2
  OmM-bHwPeiXayBm-H4Tv_iJpAhRVTIQ1Cgt8QbxA9kApyPg4LWRxcCe5vCByD_2PT
  nooHNDIbc9wlKpqxNFx6i7SczlCawCk5gBFakXiBiA5ZtwVXObPG3a82zKWHe-nxc
  F7BxfbDdiY0DOS9YBztYyfNTsR8cFASiVYNb-5f6vzjQn7CV_M-GDC6snSRJsUvKB
  OswpJ3JZMJNaXvXZtw3Mzix-pr0Wfw1T3wqBiAJcSwm57hqySotR1e4KDNJdmoQwO
  JNZ7KBLvV-ljF9acwvk4WeOBxXez8TnCOt1eIyptQqG7sJpFrlox6pS9nWFIAiRwk
  zA47udjY82O50vtupxBvQt-qkzS0u-Vm2X-ETG3tjPke5cuYi4IHmpCNmqVHvNdwW
  j2Yx3Zi6imLoxYmI69hm1bW6D61nRA6-TnzTfH9BsDx_-7p2-O6Q_yxwCJbEvwBEO
  JvU-XGu1b9C0XJQLV4hgT-ldl6OzUNOcYMAUWAvYoNKzqtO-NMzVk2j3GR_VKA23x
  A_iE9P9fnhzF_JazqeuCC_mX-03Zt8qRDYUdi3ht0WFrC3qxloD7Hc-_9iQqUOOw_
  FvtmYls8qreZwzke6kA9-6EycwdTaAHFMVRcL9UnX3KPPP4IGXPuEpaWGxEPxdkdo
  _MdR9j3XLgOe5cjO16HOKPr9s50DbAyzzuYK4JyS1pUEurYp3cGf3sHLkdN-pWoig
  fTkqgCIRNtv3ivusjQ2AJtGSLemdooadQZJUJZtSXmZXZ7hY-pHwQCvvH6KzJQWsi
  czhy0zEREktO3qz7ea8V9UjW9wUisQGTczNSrl0NNgI2BQf34KtGJmh8cuZ3XQe3a
  2gWH8u3pk3cgqYklfCn1Q2kZM5GpMFqyZWv0hak071fzA-dzQtSupBoItL0YuDLRb
  Lid03Y2kFkB10t3448hdArKJDEL8D7Alb2ljh6ZDzg051GaCdoPPMBmyF4WJCaP7g
  22dNqMowYDrjHdF2hA_adeTswg4tZimUntRL4j8BwdA3lAiHFpAUt-gCk2i6e_RKQ
  p-6Umi3pwi6hLoU2V911jopD59AuKQtjm93O9RpR9OadrpOmfYsiGmlkn6BBLojDv
  RxouNaaEZzZXIDkGyk97ryHo2Dhh3ENHG6HSTtMIOV6gTTS6FgAzzC_rixtpkRyjl
  oPtkdkurpfRWw40r1l3xwAwZ80p1-csUnUJnCR5b00hgg9_stkU1OQzsLzYgYS7uH
  iRg5mDJhDS3X-tJ3FndPMT7W5_SrcsYMYJHYRymodF-cVn6E-94B5ynUUpaj8HCRQ
  U3uvQg2xMnKmZ9ExvWwNucbTwU80P2uJEoODctCc6c8FWifwBYcik9ObmYEGVs2YT
  9zAI5PqiMvbdaT35O6zvXneKIOfeAfaorexf30BxITsqNGrFn39ZdZSCbuqZAzmnq
  BO2weQADlxfflsuJ3hycP8umq52IS9756t32l2baMA49mJC3wriCb4byFlpaVq5cb
  tCZRPV1Uss0k8QJdUbg5Myita30Mg2JvpRrpi2J7NPEjWwSkDUEQMXwMcKHlfKyb6
  qW7WcK0c4lr0g3yHhuAGG5xYIq_Ej2xh947CwCTdG8X86MiL4Yx4-isn9y2TNhLpv
  Nd-B8tZ-imYRwsOsXBSzFVvcTtnUMSFlsNP6-h2RWn76Z-iBNNuofiH5Rgu_OnjXM
  PwLZD3HWsdidp0V75u_stzW6WE1KQ1drhQpjlJBqp59iRe5kN9KtIj9UFHEcVltRD
  dvXov0sn47la1fWIK-53Sd-LWZB1DV8T28lxW7LEYmb2OB9j2nSKTY6bJax7ezdm2
  vsUmQwO7qVBlaWZpOneYjvz0NLPCqUc0PKWlwpBlXs8RBYYdbVmLxZ3-0J_1VUtHs
  wCzVouz_jI9ldpR65jDqK3v32DDRZzM-XIgFO1Vb4IsYkcKijEarjk1hMPjmHSmGm
  NxxePVwvtQBoeUzfA8bfotSYIZPhVQmUTGAGFppyCf6gXILPA0lxbVRe06TTnVwre
  kBQ5who1YyNJAyRgDzt7gYDhzFR2EjAlZon3rD_B7b4lT-5W-WpqQsP8h-Nq_Y_x2
  EwyV1JzjEdaO4RZQVJgmGsQdF7gIuVc9pQx5_RvXVhGta2Dqn1bf9DcqHMlr6jdJ2
  Eroga-e3rj1MNfxbQs5q6pJ8bOEfHPkTjsPO2OQXY9Jh4INahe31pLa5LDKD0CkD6
  ABNOLQFGhB4RWJU9-vqY2CgYaihF1V-7wn_g_r3TXM4qSQ3x6ra3K_rNTiDx__sp-
  Fq4KitNqqe3wEQ9rf57_sbkG65bKBUHbjpIMemAzRGybyFVcrd4iVHuEktC0sWCO0
  73YeOjyCbf1D0l8mCbgNjP0331Lqj-h-vP6Bnk81xEvlDS7-rxBcxlCSOdyn9g3yH
  qpJVb0ODoN2r8Ha99Zoqm1RX-ghuXKoCk5WLN64rOPddT0Phw88yihCfwrCxQDLrF
  MWWxZoGDIu76DQKOIQSi5I-P6cT0_a1QkAaPYEs5sJWjy1dg4lCjzqZm4XwPjbuGG
  hv2Q4gRuaZEjC2K7qIYEylP9lN5hBn0ygb-z5ugdmwbwXmBRbySxUhCgAETahk-DD
  jWBHgzz81dueke12tvEnvc338fHqzd7N4lJdrLq94WlkfI2y-mQkOX3vG1yiTQ4qS
  tNdF4Q5fztHkqBKH7XQp9SHjJl_XUymA7Otrmm7GXJXMIEoPU2z4rPqKirqGGuCkd
  XN1-ONv6ccb5eP2mrC81nld9MFiQkWz_pGGrpALYrlOtIpqmqb6yJiayZux0Jvigl
  YWe7cYbWV4DhLQrJoM5HrORSBiybLxoG5dOgT59luFhkMR1gzs1eZXvTTx6xWOYF8
  OxP5QTC47uqPOfEEQVNElABEqoNBk1GtZ77gUAQdLXOxHc60lKQ7aY-V4v_iQ8e7v
  oN4FI_02gnUbMLqYLndAZqhR8De_PXk2XWOCQMqtx4r9cl-LvTCWSonN_5jvbk-uL
  s-hcl90BtMIOWeikJCU0VCJfC58mH5RSgpVP0DTJE1TpFzrq23bA8q721ub1TequL
  oJK0dFb0k6XEL3OJelKXPGk4kuyhelSqhGdgaa_knZ69E5ysKRurw2NDN0PCJsOlI
  HRN5k-R7t32ykbi5bBfsJuXtWbDdrImgbL-J6YOZk2yHzjAbfFqrbqE1Phly2FBjy
  U6UGrkr_xzE0FKbmCSVb16N6NUTf_tJ_M8hDx3w40I8njHo07uyzq0sRf-j4REEw9
  gXawrKzPBYyq-RnritGh1lPUFh18i9cE321Tl9ltL3PYrWYcdAwrbTH8wieypVoX5
  LzPQ4c_sp_6-U-lhDAEEBV7C6yMLKeLVtX9sBvWEl7PDXwbEh66eTLzg5Mv_Hr6CJ
  K0e90wTyp3bl5vIQsxedT2ojbjAM6d9H2Ny0TVPSeCVpDtDPZa9a2NZNfKHhuisLC
  EhYxn2LQudzBlEzV1vTS-ajSeQclhna0_KeHugQl8COtsL7A7AtBm3uw5sQjw2X8E
  XhhVzOjxFwj2WRnYF8qgiTv2i6BFY1U_6hQCi4-711j_K8h84Fgxv6UWQKtqh1FWa
  5oe-2Az6eJb4iNWR-S5RuRlSFAxSxLamTOv317CFMZ2E1AGXITfeifDL8I-jPYPoy
  bED4QpuPFl2kTA5MyvocDrrpXVhIC9z6-v7N72knS8s0W7UTM6Zj4Ii6dHpJ4NjSm
  N66MGp81uyPPlRU4R4CjkPPoaF5j8JpB3jA_iyI6Vru6NJKNPB70yqnlV8sbrMl9k
  y10Vn-Ro_ODcLCeIRgzkSQ3kjTevbHiHc5RrufK36ZxU2QpmTX8-PWCcHpx_3cIdl
  -SWtjfq5RIQndpz36Ho0S1XgQSmjsa2TDkTz4ICivGJN0DAwnYghWdTXzbTkG7gRz
  e2x8MlcGNvkk1t-r8TaWmeAOs7gmwYrQZyEVhuRRMxQty-w9_wTchoagKZt15u7gm
  IqaL1O86xYTRfJ2pZipTNHbA2ZtNEuuDnM5Wp8t4NPTSnhlLBw8bVwcZmLQSAapwa
  VkhbQC9V-EMmIUcJgKEpG_T6cFogE3mCiwfHM2NZtiEsIaKkUnCgZMurS-gN3jlZY
  uxTAcIaT8gpxIZK-j0fZ9lqsmTC9EsM4FR6w-8hsCLueBW-acpa9TC104AIUjYFzz
  NdhGrhO0630uTR62O7JzglQTF67pZy-1z-AYxA7xPdNCX297dXqoo5HYFD2t0T-xA
  wkCm-xCk5JLf3OE45O2TONfmqRXOt7iJ9h7oY-ejzq7byB8Mw2R56Y4esasg7k-hO
  CHcrbLT8IN9JVljStiOoKfrnImJwlj8iv_wAdyGrMS6-H_xGh1rJmqIO0Xl0pDuVd
  Mv2lHXmIrvTfOqSbDPb1002S0knx8uljjPu2ZqaEi2oy2NtQogxnTKImsWZS-v_B7
  U_rOnioTdMgOf9vgFOZdSaPp1TjyVBqW97oHeAno-2EUuRTBf5SFVtyQdJFODvLdG
  2eN7DktRwzI4Dm1GFWtxrIcLmh8EBu3CjbE6_KLhC2w0Fdc11OminR-Kx6pV5aCzq
  pWj5NCrZm2V9MY9CstwOcDNGkMp7QhrQD_q0MI9l8nqAYx6a2Q-ALJWxfoO68ae5-
  YxIe9S0kmj_q5_XaBlWxlIXy9g8lYuyd_OX0AeyZEyhUub-2ePkpY3ES3RiEh9DCM
  bGAE98deGm4Z2Y2xQRN8swGxgLIhpSDwlMDSztFU0XHeYrRiu0FpnSsBz9fus3E6K
  Y0HjLLZesKAdt54MKO1pfMUdQXmq6uxHGo3L3fb_E9mPTpaeOl4zFNFaEpBktZm0S
  23lSGbgA0WOBEeWbUKkPUoZ5X76GnWu17S0j9jpgIwO1iNFM52BPxQ_okg2aFx3jY
  UG4AnehcHPu3mk6IWnUYOl-0mfEvZoLNUAHJF996Z5IKn8waBhAqV8UoF1FhVL_iA
  ll94xp75wqaP-pffhKMLJlOGj9FYZro75neIk6mEZvew0YSphrfEUZI0ZcdPWkQHq
  yfeyaOyRxEYy36hGr2M6dFYWUaVJWXxdKu26yDXVEViZyMEzT_scplDeGytX4i44S
  z8uR2CiC18_MjnedM5F1LC7B-F6mE9yf77wdWMlcTnvDbboX2ZDgPZi5GC2WbNAoc
  IPIp8IWVcCwf4BhFRuRqHJn5osJ-XSVG0fChle5wZH-Zn56aRroe8S4z1Bkv5tjmr
  -IXpCvdWO5VyXCudjc6qUbVMDSha0WogDlPrTSFbc5exmr0V-_oEu6dZMMmInOmPq
  SQtkFzc-yHSK059WPQWJadWHK1GBC4yjqBMAyVfhTWNtv-qAvMA_143jld_ybrXyo
  NEb4tY_RnOLyNsc4BptXwLbKlhLSppgiXlQb52N4AcaoHT_3QVyi6jwrd5HyBhkQC
  YnF7YGoy3TqA3RyAbItFXhK6LvZx6WIl1eKc6WAnwVMLJIP35jAo1ECr95KOsRIbt
  DStpQhJMxn7HZrEc3cYzejBx2gkifsrA96NJ7eeW1gDDCg_QcvQozcKhSValBl6z5
  jtHeTsVMbsPk73Z_u2Rxyg05mc3vD1hTNWaJCXYNGK1jY4U4oIZK0RpmU0jBuqS01
  RDwR_Pa0Nwhv9-OCymYZ4kYr6_6z4FDRiss-g1DeMvKJir-ljHhU3MRYlczXGWMM6
  FRJjxiIkRwlRhYflcUYN2mZyaMq1A38GkKANhXRqE_FHbMzoq8DE-xiQBmSJUQb5-
  3Uux_0eiMA_bzOHvROMTfEUqwWbnZer5NvDhmd1VVv0dH_lxFONcJHkvYU1-XC8sk
  Kmk8E_fs2y9QQVcnNNL4t6U0CbfiaUpx5SDKSM794YhfRylSdr6QUHr5PZX0GKtJS
  CKPYrpOLhRT9rgheOhVVHWn0XB2ydYJa6L7xHeSy-yx3vS-8Sk2FfNgdakS8vukQK
  y9TV8XhN1ggwA144dGueprz-eqY89G-wIh6oa_-1tGFls4eoh9EMDqhK46Bl2Q3Cw
  58cdvBsiH_P2I3Lj2dsD7l9stOduskd0FDpfEcK3NX8sIG95ZopptHZhQCCyxHVXa
  AQt0oLpA8T7NP6aNoPMGcQYw2_WGWgPgyMan4rqF-13zBnWpo3hYY547WXnRoaJuo
  rYmoLeg25ZYhcTCNlC4U6rZu_W6lM3Rg_p3DwI4bSUzDRMLRJHW3YrLE4CFM8BWqA
  3tdv4CZpIZQjeb51EGHg9Whwcf0_nBurdN8KZCJSI6-F1iL6j8GMr7kD_FN0TKqc8
  mBKWBkLfwY4iAv8xxVcpOiEhyx-v9Iq2CumiXclG0GSrBtzVf2pXZDUomkaMSv4n8
  SlrCZyvntuXJwi9jGEn8PpJtV84rZ_2hIt5g1xxtynwe_4v5T6DYhuChMg9S1Fo1T
  TTdnG1Wa78Irh7v5LsqE5CaLpGSeuopb0O1VjHPmtLxnuE5QFX5mTVp3YYyAwQ_W-
  gaN8AC9pmanTmPrxIHEu28fk2rSkWA53hRyvrGPENaJeioS0ec04iFcIlJFeU2S6Q
  pZqze2emOw2yruTSM1dEdGViUezcPQ5Bc4x7XuPJLIywXVLW3mOWlpdjkm7cOlGIv
  Pp_uPU2Byv1wnSxgd8xhqqT-ZMCcGF1G4jAqDH5wJ0NW_wdEIjHMmEpQlKd7ULTN1
  oybhZlXx-JJgk0pbgF1ebs_LYUjq_nfgZEUzoEaNqRs3I6qTa6_KSAE0YyPMKyq1u
  rjKLYwxkHdcFMDXKYCWqjrccaKHaT3MrYd1t6hTy6JPoAB_bO8-_4KGg5yRf5opPU
  xzZ_mHeL2Fv8fOLSYoNYRWy40xw8Ep6eoNtnFMu7ECnJ_MtBoXTv4UEON_5ZORGKB
  4QEqtMh2LwKN474u84ohHArgRLxFDCah_DESxG4xiNIgpT4x4408dE0-gdE6wp_GS
  kzrRCXgVi4yr1GNZLDo5roCEj38Mh5QxhgVPi3xl3tDYjCtjUPpcgE8N0nFKr5fi7
  BuPMaNZrg7qaGT8KQAb5vSC27JOmHMePXvKkbqNx18tyqiOGBVnffzkLqJcS6IQwy
  mefiOv3rg9bz35bV6OhIB63CWba2VDaBceIrAgpul1G8Bz0AL0dGD_Hj3RIednYhe
  DNxlzUrLJ-Diz8aBsuszyt7J6No1LAsswuXZuDpyKNchhrLljgpDmDogm-qn7_qXz
  6vKZVvw8HItLDLtVmF3_l0gFInOOC9vF2P8DMvlwdbW0tlqO9OpoZw1XFoA-lGjY7
  gp_WAztAxykHwbKWmoWbpfrFu8Ii4kuLhAzxI0tk_CrELcU8qjAB_UXgdEJAKeZxi
  nvCqQ0E1ri-7Hcuui0VKidKQXBaEpg00DiEKZwmVe4YrG7uzdVPX0BxIabNnx2goJ
  3wT9_DybwAjgOAtaYtRfQljRfsNVUy45LVn_WJzRw-CvSJPdxOdeIrwANNRM93L_O
  1kWpDrp_YmlZMpNU8RvGVWm_f_rJLxNfpYFJ4ZE5Ydmf9QQ8jXwvsa6IlKO58jZwf
  SPNQjxnrZ0zcV8wlZTCQh7RD_BQeZK9yE1eOxup_3fTp1u9hwsQFSTH4dQ19oH6Ps
  NLfdI91BnRdpaOZbV4No0WAMTQdrF_sRxRwBJ3xod2dMCcNBtWdgopkRtLTnH4ndP
  k7tzjnE384ZN2iQVBgFlApWeK56Hzo-bjHFU-YjA2wdMX-uAIX63MM8kOy8j8H9IA
  UhzAL4wog10X_cRb5OnCL_7vkEjFKbUr-RL1kiANwGyA4OZk5zy_J5nmc6_nnacFg
  aFN2StnzIt13IAGM84tctObu43go1_rpmWCUSnMgLcvdOsLAroYUwUKWEkC3UhopS
  M9YpFtxWgcWjxYW2rYsoV7AOgDAwCFO1b-ZTjD-K00d56a-PC0Gu2s-2nKl-jY5q6
  hNW2AHDTp1eWydGUQfNn9LKD0ihVwMlmjiBDkwBwlitMKPalsfUAg9lCYd5pMYo55
  58lFdJMWJ4TScr2pUvTiYgVBT05sPz4ILOsCYn0eEIMPFRfiTSniarO1cRKv2O4EW
  qY3BY8DjfTdp9zuAH-eBdoQWy1tx1ilZwbe1ysLaR4Nx1DuSA8cCSA85xDpAknhHz
  4Dop4Pt_hOLoYN6WxzJo9NcGxVjgrkfnZVfEQTjPlicP2kcsv8fi14VOfkuSBBEJP
  ClPrEfAwZRlcadElMGvZFTrfRc7ncDXRfGYcq801Xsuqo1OJnOfklxC_GXW1eudy1
  2scazCBUD_DmSm2eVbMw7fbWojBhd1rmjtLDNZftTjXBdjHblUBbrh3cNahb9W1oP
  QPU-zT1LOYw5-cflPVaV6_RLFGd-ZYlcvu82S7WZgTTgMJi24xuaHUBTWRFrME5Xq
  R5ISpsAc0VmKRHlM0BgxL4BZR0dRGbcTOD-bZ1fgpjlQ7ctTnt4KVh4Nep7Jit3pe
  k-OxKzSKs5BZoVuz6IekbWC_89d_N7ljkY1JqnaFMQpL7DU9tkRlHzKhx2RNozrbB
  SDtmtqKGEsNIubTG3xxqQPwz--Po4HoIn4hMR4YQY71Ps-wU3MRbptyLzL2-C67BI
  pjACGMPRvhUhDm8H6YHlhTxp5ZqEtpj-OYn1mhVfIjE6pmRHrDcdqX6bICX-z6c_4
  XSunM-46Mclkt6M1ebP7Rpwyj7chpnn2BMteyq-gFiyockWbciHlYaRpdhvuD_2M0
  fNUYiJ8JPw--0YBj3eqIxCqdg8OS1-U6tACkIQXLqlbIMW6tnHqP_Fdf82pyjS19B
  QLOf-65Y345n-beHTmIeJViMheboaVmyt-mkGlQIElHN10h1Tmusg-NKaYU1LOkAz
  5b5Izf5gdp-7YmeHXbNGpxKVDBs1ULOvadY3TboXPbbJIpNX2UNnlC8Bj9hAmG9O0
  bRo5qYBUaGvitAl11DZ5tyifgj4aPGWoQpRHqXhqoa6T1OSmV02t4hgHHHcKC3u0-
  LrvpOyJLz0aIrCxtnroiEsEyc8F8UaMgqOHOXzilWlUFA5ShCGmSKFL8NPY2O7Ci5
  kJMeqyJTOndVT6XQTkHNwvrbV3sTFu75ik7VUcS9cWShzYsgIVjfGBzHTqJI60QRz
  wS08bSIgi7oOuZ_ZQf9xTEOC6bbpTUMZGeZeZz1FC-3WqNIDIwdyVj4T4lRNzYIp-
  b49laGDtBplWZswn4mvi8n76eFLKSMs5Y6AfKwoUSWQRIkExkT80yHbPt8FGYyy4T
  ZSZd6euWeMl7tkT1egnovstgASeN3JO",
      {}
      ]}}

6.5. Publication

[Future: Consider eliminating this mechanism entirely and instead using messaging flows. The means of achieving this should become better apparent when the problem of publishing large messages via a pull mechanism is considered.]

The Publication mechanism allows content to be published through a Mesh Account and retrieved by means of the EARL mechanism described in Uniform Data Fingerprint [draft-hallambaker-mesh-udf]. This mechanism is used in certain flows supported by the Mesh Device Connection and Contact Exchange functions. There are two operations:

Claim

Post a claim to a published document

PollClaim

Check to see if a claim has been posted.

Content is published by appending an entry to an account's Publication catalog by means of a Transact operation. The content may then be retrieved by issuing a claim to the account specifying the publication identifier that is authenticated under the value specified in the EARL.

Use of the Publication catalog to post content necessarily requires that the content be smaller than the maximum message size imposed by the Mesh Service so that it can be uploaded to the service by means of a Transact transaction.

Publication of large data items will require modification of the protocol to support use of a detached message body. Transfer of a detached message body is outside the scope of this document.

6.5.1. Claim Transaction

The claim transaction is used to post a claim to a document published by means of an EARL. The claim interaction is used in the Static QR Code connection interaction but MAY be used for other purposes as required by Mesh applications.

A claim is made by sending a ClaimRequest message to the service to which the publication is posted. The service responds with a ClaimRespose message specifying the success or failure of the claim.

A device is preconfigured during manufacture and a Device Description published to the EARL:

The client claiming the publication creates a claim message specifying the resource being claimed and the address of the Mesh account making the claim.

{
  "MessageClaim":{
    "MessageId":"NCWK-7ON4-VB2S-3JOX-6QYI-EE5V-QIHM",
    "Sender":"alice@example.com",
    "Recipient":"maker@example.com",
    "PublicationId":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
    "ServiceAuthenticate":"ADQX-SBRA-6ACX-ZGGB-IU3L-2TZS-TIKZ",
    "DeviceAuthenticate":"ADNB-SNE2-GEL5-GQQS-JBUB-TY32-JGCC"}}

The message is signed by the claimant to make a RequestClaim to the service:

{
  "ClaimRequest":{
    "EnvelopedMessageClaim":[{
        "EnvelopeId":"MAKC-IPPQ-POEQ-P2EL-N2FV-OLED-GPIH",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQ1dLLTdPTjQtVk
  IyUy0zSk9YLTZRWUktRUU1Vi1RSUhNIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F
  nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD
  cmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDhaIn0"},
      "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiTWVzc2FnZUlkIjogIk5DV0
  stN09ONC1WQjJTLTNKT1gtNlFZSS1FRTVWLVFJSE0iLAogICAgIlNlbmRlciI6ICJ
  hbGljZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogIm1ha2VyQGV4YW1w
  bGUuY29tIiwKICAgICJQdWJsaWNhdGlvbklkIjogIkVCUUstTFUzUC1WSkxULVpQR
  zctQjY2Ny1MNTNMLU1CRU4iLAogICAgIlNlcnZpY2VBdXRoZW50aWNhdGUiOiAiQU
  RRWC1TQlJBLTZBQ1gtWkdHQi1JVTNMLTJUWlMtVElLWiIsCiAgICAiRGV2aWNlQXV
  0aGVudGljYXRlIjogIkFETkItU05FMi1HRUw1LUdRUVMtSkJVQi1UWTMyLUpHQ0Mi
  fX0",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MBUX-YI5W-NTAH-UJN2-4FFC-4PAY-NI73",
            "signature":"fxh1PHK56aMoB9Qkbx3Kcv4UrPQkfGRCd9LwW4Un
  3EcR_EqxpWaxZjcXFqdX6d4j9lEStBR2QxKAE_GCYpaXVOLOAVTbb4pwaV9fLDo8r
  FtlKfnFFoBZMslOfqcKsJrAnc4AQsT2H5nu6xZ0dq927jYA"}
          ],
        "PayloadDigest":"wMSgIvLpoj69Rw_P_YJ7yXYvo18eCvgU3Hd8DgJ_
  07Jv0nqIkC4sZMGFGW6Ntl_3PVwk7bAj51GVrPwqzZ12sg"}
      ]}}

The publication is found and the claim is accepted, the publication is returned in the response.

{
  "ClaimResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "CatalogedPublication":{
      "Id":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
      "Authenticator":"EAYS-MGDB-YH2G-DWVI-TTWV-4Z6P-UVLM-FENY-Z7MP
-7ZYV-35EA-6GQK-CHBN-K",
      "EnvelopedData":[{
          "enc":"A256CBC",
          "kid":"EBQA-ZKEC-3A4N-DSSH-TQMT-6GON-M6G3",
          "Salt":"9PKNerq6mIRxK2feTIUJ9g",
          "recipients":[{
              "kid":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
              "wmk":"W-lDFznmpNx2ZcN6_eWCG0ja0VHFV25k5TVdBMMYbAPc
  ZGPZvLjlww"}
            ]},
        "I01c378amieTGSky6lqXoT8infXsu_EwVamZ6Lp3Q_Ent97vfxdOY8m1
  g_eUVW7ui1Ede6raopIeC7ZWHdZOlfHDV7agFF6-X_5CmpIDCTl10ouL-PIVkXJik
  2FB2KOQGwVqMHPrPu6HpeK4mIro0OpJmGJksPiBezVxEq0NGzDw8nbANsxr9tSdsO
  4sJuApk7IJUZGZ1mSaOdqUF8byioqACRFXDie0-ox23XItR7IOwZf--HUIHnPEtnv
  _cxEwCKdAiYus1x3n3WdAxZc9_rqAY-FgXic0qZetde6uHOapnUeCTdnHS3-x84DG
  1XaBqthhHMhlwFz0CqftYsB85EjorNKIjw_mwqMmX2QnVSVkhLKW9NdA3w5_mzfd_
  nJk0SisY97xeuIsl6-imXTM8LEdyQpuiilK7R5qr7ZaYFya9SCje6UiOmbL8dVqjF
  zvDTMQRQ2qnYJKAGDI_Z7P8ehqHkpRB2ZDF-5WQh3JnvnYyW5GTJwNgg1ig2iW2pS
  QqIXd-Oe_DCLITFgq8ncfM7mEhaXcJUQe01Fj_c4a3oOlhfmv2ts3iK9dieba65Kd
  LOWaHaU2P0TivQQImMg-3WhCWfU4MbpQlQ_3yEZ51QPGVeUIV0bj3kc1QbaBAlJaB
  ch0_E54A9TRWz2xmakyjrEuvSi5aPVd_s-U8DrSDR_YqXSedhMwSBdGqcW7nybFMK
  gOxomDZyHnEbNYvwN43vHFDuOyvQWs_dRRe97ylx27VTcAw7AhAt2s3rMZeBwJYfS
  rJptABHFEeXPE52g6oSuzrHrG3P_ryAalSh9YuoKEYV4UXG8_9B4d8sOD8s5O3j04
  -7Ix1LhqIrSDVYBmn8l6l4nJzSs9_9sbBWtAUIozPNL8LqhbDd1-qOGNjNyt9sQqV
  QX76qD8HB6EtdrrZsoBewmwohlLIatHJH_909ANUD7tFJONkcyQAXaU64B-j9Z6rF
  4vh-9UxYlbbHrOhi9C0kpbnsAsAUzltg8_IvnH8JSTZI4J13WYWkYTx4BUjggX8cV
  ekob4ZZupdcfS0UnNjKNqGDjQ8IJqrMWfqLllnnBQWpSxsRoRp-ernxQ_Ax8pnWtG
  oMXA8yc0WwAr4_S_YQQ0TVxA5KRdQZqF-NC7NX8tacAS8CdPfJwPhjebhDgKwJv0P
  ccyjqJ8HFtV9YsHxfQQjyxYyA4QT8bvgI4JtJsa_YQ5Zw92tyhb-SwKHNiwnhVrz3
  _z6vQPfPdQJUfMtz6GC13eihC19_0vM3IPATyJcenZnQz3rLOm-cFseviCxoLgN5a
  LZGCrvlWrwtfN5-evHZF66guRy2fF3BSM4eUi71r2ehU0kYJ8vIjx6NVWzjL-Q2zX
  1WHL_bJOaLp0yHV6_2jOTBnaj6QT69Dp0ikXwEEtVzpxVUKLHbmpje2EXXIzNVlFn
  MM65KPT4OzxyKONsq32-xxIi5sxS-woyXxtDv8atRbbE0KPLtLfgianqok9rx2WuN
  JpjjpGcIwKk8O_1MqFotKIlhVPwCPza688bi4lESyruslT917HfyVyqfKrDyTjAMK
  mYAGkVaa3ASVudNyhJP8rQWwwc_qxruMMQrCe51JvKh7FwsIL14dT6HFnaNcLXSDE
  LU7u0_jcViwpu-EysogSeXJ0Z31yG34ve0G_h3K5dN_hk_6PgfK-Soe1dhReVrOb1
  JWM3oUmKUv0Kx-XYvsWB_KiuJWRqKePmIhWo9_uZaybh21PoJ75Ct5b3Qk9u49RKf
  _x17YE11VQBMdgsV7TS2Qpw0olk4yNg_J9ZjTu1d9UBjabTG0FqdYkeEscDPyIoIq
  7DreogM3Y650nqLSpdvJRnueJI5r1a_J9UAVzmk2TAr33fA1VlgmpHptd_tl5i2KV
  TvMWkL1wmSncGcX-krfCQAIH9ZBmjyVwgurfR9Q6UwuDJYKiRgLLE14ZJmz9hn_j8
  ki253lZaYCEYR5F7-nqQpj9lVrYzb476McYISLHzl2SDQkC7vkVo0OZWcsWBjrcWF
  MK9LPJMLu8EO6TCf_7rRwZ6SmoDOupGVCWikGuAczW7lvCtKty-r_oC1YNGeOxyqG
  9lTij6EzXDdGS7CHRRolDtYnB6LDLdY8hYQ1cncW3A5g6RHrafChrEihem_0NLplw
  2yPofZGIzhj_gMcHx7Sg_ExP_0cS32hU1LYX-Hcc0dK8bWQll4a7xsU8dHt8TNbLA
  5VuP_bPAv95fTFQvW_Lj6-GGyh7gH2bO5QffpusKAddsisiIdGvjr-hNVF99EjsJF
  FetvlCP1CFipmCuxo8WgXiayK-_b32Rvav_BxZ4YIcZGRsrH5oI6JywKyg3O9TAwz
  f7853NMhqsvnmLyhGC6Ezs7tQ__WgYqNcfJfo0YG8y78nMvDN2np_pDLw7NRGFhJj
  FrVjtdsj7E2gCorPC52JdKJ9jUrQCYpSglZU06CGTRQHnQvMk-H2ftQ4AFVEBJrjO
  6527KYwSylkZGMV2WBsrDsYu70Rs1SqI6e-u8pL_VdYPALWvD7SRVPCb90YoPX8lh
  gZR0BeCp_kNN6C30B9P9yWRR4JdTsG-LcWtK6iCs_igIOCjfelbsUBXTs7nxI0m1P
  mzlvPzkN3Acwrxa6HUEA_tOLulovb7i04IeDb8nKZgiO2Dyohi4aWoyFY2ExsQmgF
  qQLExsWPbYJiZEc5BM3idhRDzvjnON7aPkvqq568y-e3d3OsRXV9uKikFJghh89j5
  HHZ3HhTeIHAQAfDKVx7vPUls_5-mleI2v_ZkSag3vXRb23XLfI3x33l_ZxW9MC7YX
  _kdJgEqQiJu64AvYWKiA-Fd8uEQMfaUpHamNDlO4GFQ8uLWJ7cKkuDbbbiOfiT5z-
  77DQAMUiIjJ3mQ_kmileeTNb_qu2jEdJGzx-JQagB7ZIZxn0wZpBSCthhG0uXsERa
  XMFamXWLYZtWdWyUSL6AUzcgRf0RRmcvk7yvH-T3dGiIJn4TXOnDp0DBW-MByTeHv
  Wrk5k24lpPq07QI6WCdj4b2qSsY0L_eW6zbI9f7Aq8868WMxQ"
        ]}}}

The device waiting to be connected uses the PollClaim transaction to receive notification of a claim having been posted.

6.5.2. PollClaim Transaction

The PollClaim transaction is used to discover if a claim has been posted to a published document.

When an authenticated, authorized request is made, the service responds with the latest claim posted to the publication.

The device in the example above periodically polls the service to which the device description is published to find if a claim has been registered.

The PollClaimRequest contains the account to which the document is published and the publication ID:

{
  "PollClaimRequest":{
    "PublicationId":"EBQK-LU3P-VJLT-ZPG7-B667-L53L-MBEN",
    "TargetAccountAddress":"maker@example.com"}}

The response returns the latest claim made as signed message:

{
  "PollClaimResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "EnvelopedMessage":[{
        "PayloadDigest":"wMSgIvLpoj69Rw_P_YJ7yXYvo18eCvgU3Hd8DgJ_
  07Jv0nqIkC4sZMGFGW6Ntl_3PVwk7bAj51GVrPwqzZ12sg",
        "EnvelopeId":"MBQG-HNR6-TNS7-5N2M-BN4R-ECNA-6ETO",
        "dig":"S512",
        "signatures":[{
            "alg":"S512",
            "kid":"MBUX-YI5W-NTAH-UJN2-4FFC-4PAY-NI73",
            "signature":"fxh1PHK56aMoB9Qkbx3Kcv4UrPQkfGRCd9LwW4Un
  3EcR_EqxpWaxZjcXFqdX6d4j9lEStBR2QxKAE_GCYpaXVOLOAVTbb4pwaV9fLDo8r
  FtlKfnFFoBZMslOfqcKsJrAnc4AQsT2H5nu6xZ0dq927jYA"}
          ],
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQ1dLLTdPTjQtVk
  IyUy0zSk9YLTZRWUktRUU1Vi1RSUhNIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F
  nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD
  cmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDhaIn0",
        "SequenceInfo":{
          "Index":1,
          "TreePosition":0},
        "Received":"2021-10-25T15:49:08Z"},
      "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiTWVzc2FnZUlkIjogIk5DV0
  stN09ONC1WQjJTLTNKT1gtNlFZSS1FRTVWLVFJSE0iLAogICAgIlNlbmRlciI6ICJ
  hbGljZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogIm1ha2VyQGV4YW1w
  bGUuY29tIiwKICAgICJQdWJsaWNhdGlvbklkIjogIkVCUUstTFUzUC1WSkxULVpQR
  zctQjY2Ny1MNTNMLU1CRU4iLAogICAgIlNlcnZpY2VBdXRoZW50aWNhdGUiOiAiQU
  RRWC1TQlJBLTZBQ1gtWkdHQi1JVTNMLTJUWlMtVElLWiIsCiAgICAiRGV2aWNlQXV
  0aGVudGljYXRlIjogIkFETkItU05FMi1HRUw1LUdRUVMtSkJVQi1UWTMyLUpHQ0Mi
  fX0",
      {}
      ]}}

6.6. Cryptographic

The Operate transaction is used to perform one or more cryptographic operations using private key material recorded in the Threshold Catalog. Such operations typically represent one part of a threshold key operation divided between the service and a device connected to an account.

As with all operations involving the Access catalog, the request MUST meet the authentication criteria specified by the catalog entry. These typically include the request being authenticated by a specific key.Key Agreement

CryptographicOperationKeyAgreement is used to request a threshold key agreement operation on a specified public key.

Alice added Bob to groupw@example.com as a member. This resulted in Bob receiving the invitation described in section ??? and the following access entry being added to the Access catalog of the group account:

{
  "CatalogedAccess":{
    "Capability":{
      "CapabilityDecryptServiced":{
        "Id":"MD6W-KDFX-PSF7-5NBQ-WFJE-34PL-7JWQ",
        "Active":true,
        "GranteeUdf":"bob@example.com",
        "EnvelopedKeyShare":[{
            "enc":"A256CBC",
            "kid":"EBQL-CGOH-LPTR-WNYL-RXDU-7LK4-G4GZ",
            "Salt":"xUeBS0V_Z4GJV9s2N3OAPw",
            "recipients":[{
                "kid":"MBBR-KLL4-YRFX-K63E-2DCT-6UGQ-Z5JC",
                "epk":{
                  "PublicKeyECDH":{
                    "crv":"X448",
                    "Public":"2hYs3byJFTbFtPgYaBplYVgtBJOuYjMSvi8
  BcCEFoOy8JRaOWg37ygj8m4hUjoZhPlC6bZ-MQEoA"}},
                "wmk":"9iJlp63lB9Og5mog603Of1NJtrVsTFCC2GzUKDLv-P
  Hb3Dn9tNTepw"}
              ],
            "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJLZXlEYX
  RhIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmVhdGV
  kIjogIjIwMjEtMTAtMjVUMTU6NDk6MDBaIn0"},
          "hY6vVvnbC6y-a5ULJNUh0aVv_YEIu1BRiTDS-gBY6nKX7tqs_oIMFR
  Qipj8bUHdtE46dYu2Ud0ue88CMOX3qsLTDP_5d7UgqKUk5yfr3nlSJzlKU7u3W7YF
  b9tOW-svw3sE4UncLN7vJ5V90bF9DUS_xek8s9SxnyeZxWY5z5GvCTJr0TxCO5hFh
  FR6Bwv2cwqG9eqyFhWCu4GrrgLUk-fk5rOdF9KTZW6g0wqg0xTUFDuY4tfTTwzp4N
  iffzB2rj88nOkvvW-6SwVVrExLY5E4l-7ClfnlBH-20Zz-z8faYy85gDl6zVGDyYd
  JelTPlRmlbM_tsW2NRyKNz4WCAreq_QZx3XBBqoKNi1CA4GdO2qiMOOE6NigTKB9C
  Rlc4EzUtwCU8Zdw6yUWxxCEtHoXVh8OpvWixTdmznouCLyDUVsvfx1dM-PIrSfbEl
  _K2v9IHZrtcgh5vahoaWY60ELJYLnARsvnWchyfZCgZMNbknDYiAyNAwxI_Wgm3xo
  7vyTkF0ARe0-RWofxYlyzDcFk2yA6-edTAq0PHiOFSl3j90hVmcaWC903uI_keNGU
  4egZ370UCWrFUz-O5woKJDllJu-GubgpJ5YTc628m-_6ASaVEw9G4uGiIx0oCcSqR
  SENXe9tnD90HkaZCCZhz2Cscfm8uRAVG9wasFrDjaKxUwf6N3nVjOmFVJwBl_G14i
  go4PmNHI2dgJBLqxlof76g"
          ]}}}}

The private key (in this case a key share) is encrypted under the service key.

To make use of the access entry, a request is made that specifies the key share to be operated on and the public key parameters to perform the agreement with.

The request payload:

{
  "OperateRequest":{
    "AccountAddress":"groupw@example.com",
    "Operations":[{
        "CryptographicOperationKeyAgreement":{
          "KeyId":"MD6W-KDFX-PSF7-5NBQ-WFJE-34PL-7JWQ",
          "PublicKey":{
            "PublicKeyECDH":{
              "crv":"X448",
              "Public":"mNrpSHZmFqcMBHYAwEyp0tUshHkBafWjCe3mDMcoV
  PIuqBhrbj5ZIpQdgfcS1BWgb5cwGXmIEPcA"}}}}
      ]}}

The service checks to see if the request is authorized and if so, performs the operation and returns the result:

{
  "OperateResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully",
    "Results":[{
        "CryptographicResultKeyAgreement":{
          "KeyAgreement":{
            "KeyAgreementECDH":{
              "Curve":"X448",
              "Result":"JmEGQN2398IzXNI4j1CG4ZWtLVk1u8P8SnBw1_cEQ
  Os5INanZUEewbDxEQp5ocl_QP0EnBoSdUMA"}}}}
      ]}}

Future: Currently, the access catalog is encrypted under the service encryption key. It would be better to encrypt the catalog under an encryption key specified by the service during the process of account binding. This would allow a service to assign a unique encryption key to each account and limit access to that key to the hosts servicing that specific account.

6.6.1. Generate Key Shares

Generation of threshold key shares is planned but not currently supported.

6.6.2. Threshold Sign

Threshold signature is planned but not currently supported.

6.7. Messaging

Mesh Messaging is an asynchronous messaging service that allows exchange of information between devices connected to a Mesh account and between Mesh users.

To enable effective abuse mitigation, Mesh Messaging enforces a four-corner communication model in which all outbound and inbound messages pass through a Mesh Service which accredits and authorizes the messages on the user's behalf.

B M P M P A e l i c e ' s b ' l B o c o A s S S i b
Figure 2: The Mesh Four Corner Messaging Model

The Post transaction is only used to exchange messages between services. The client sends and receives messages through interactions with the outbound and inbound spools of the account.

6.7.1. Sender.

To send a message, the client creates the Mesh Message structure, encapsulates it in a DARE Message and appends the message to the Outbound spool of the account using the Transact operation..

The DARE Message MUST be signed under the account signature key.

The Mesh Service receiving the message from the user's device MAY attempt immediate retransmission or queue it to be sent at a future time. Mesh Services SHOULD forward messages without undue delay.

6.7.2. Outbound Service

The Post transaction forwarding the message to the destination service carries the same payload as the original request but is authenticated by the service forwarding it. This authentication MAY be my means of either profile or ticket authentication.

>>>> Unfinished ProtocolPostServiceService

[Not Yet Implemented]

After the message has been sent, the service updates the message status on the outbound spool.

Services SHOULD implement Denial of Service mitigation strategies including limiting the maximum time taken to complete a transaction and refusing connections from clients that engage in patterns of behavior consistent with abuse.

The limitation in message size allows Mesh Services to aggressively time out connections that take too long to complete a transaction. A Mesh Service that hosted on a 10Mb/s link should be able to transfer 20 messages a second. If the service is taking more than 5 seconds to complete a transaction, either the source or the destination service is overloaded or the message itself is an attack.

Imposing hard constraints on Mesh Service performance requires deployments to scale and apply resources appropriately. If a service is attempting to transfer 100 messages simultaneously and 40% are taking 4 seconds or more, this indicates that the number of simultaneous transfers being attempted should be reduced. Contrawise, if 90% are completed in less than a second, the number of threads allocated to sending outbound messages might be increased.

6.7.3. Inbound Service

The inbound service MUST subject inbound messages to Access Control according to the credentials presented in the DARE Message payload.

After verifying the signature and checking that the key is properly accredited in accordance with site policy, the service applies authorization controls taking account of:

  • The accreditation of the sender
  • The accreditation of the transmitting Service
  • The type of Mesh Message being sent
  • User policy as specified in their Contact Catalog
  • Site policy.

6.7.4. Recipient

Messages are received by synchronizing the outbound spool.

7. Access Control

[This section to be expanded in future drafts]

Access control is effected through the usual division of authentication and authorization.

Authentication of operation requests is performed by the RUD layer [draft-hallambaker-mesh-rud] .

7.1. Direct authorization

Any request authenticated under the profile authentication key is authorized to perform any account operation without restriction.

7.2. Access Catalog authentication

If the authentication key presented has a matching Access Catalog entry, the device is authorized to perform operations as specified in that entry.

8. Message Interactions

Message interactions are asynchronous interactions that occur between devices connected to the same account or between accounts.

All messages are signed by the sender and encrypted under the encryption key of the recipient if this is known to the sender.

8.1. Message PIN Interaction

The Message PIN Interaction is used to register and validate PIN codes used to authenticate certain transactions. This interaction allows a PIN code issued by one device to be consumed by another allowing for greater convenience in managing devices or contact exchange.

For example, Alice might delegate the PIN code issue privilege to her mobile device without delegating the administration privilege to that device. This would allow Alice to use her mobile device to initiate the connection of a large number of devices to her Mesh as her house is being built and approve them later using her administrative device.

Use of the Message PIN interaction is optional. An application that issues a PIN code to authenticate a message MAY store the PIN value within the application without persisting it to external storage.

Derivation of the SaltedPin, MessageId and Witness values from their respective inputs is described in the Schema Reference [draft-hallambaker-mesh-schema].

8.1.1. Registration

To register a PIN code to an Account, a device:

  • Generates the PIN code value
  • Calculates the SaltedPin value for the specified Action
  • Calculates the PinId binding the specified SaltedPin to the Account.
  • Creates and signs MessagePin containing the SaltedPin , Action and Account values with the MessageId value PinId.
  • Appends the MessagePin value to the Administration Spool of the Account.

Note that this construction provides limited protection against forgery attacks by a party with access to the MessagePin. A party with such access can use it to construct the witness value required to authenticate a request.

PIN Code values consist of an opaque sequence of octets represented as a UDF nonce value. Codes are presented in canonical UDF form, i.e. Base32 encoding separated into groups of 4 characters. The PIN value is converted to binary form for calculation of the SaltedPin, thus ensuring that the canonical form of the PIN value is used.

8.1.2. Authentication

The PIN Code value is passed out of band to a user who will enter it into a device to authenticate a request made to the issuer.

A request that MAY be validated by means of a PIN is a subclass of MessagePinValidated and contains the following fields:

AuthenticatedData

A DARE Envelope containing the data that is authenticated.

ClientNonce

A nonce value used to prevent certain replay attacks.

PinId

Digest value binding the SaltedPin to the Account.

PinWitness

Witness value calculated as KDF (Device.UDF + AccountAddress, ClientNonce)

The device uses the PIN code and Action identifier corresponding to the desired request to calculate the SaltedPin value in the same manner as during registration. This value is then used to calculate the PinId and PinWitness values.

8.1.3. Validation

The PIN code is validated by performing the steps of:

  • Calculating the SaltedPin value from the PIN code and Action
  • Calculating PinId from SaltedPin and Account
  • Retrieving a MessagePin from the Administration spool with the MessageId PinId.
  • Calculating the PinWitness value from SaltedPin, ClientNonce and AuthenticatedData and checking this matches the value specified in the message.
  • Performing the requested action.
  • Posting a Complete message to the Administration Spool of the Account marking the PIN code as used.

This process can fail at multiple points resulting in different error results:

PinInvalid

No PIN code is specified, the Pin code indicates an unsupported algorithm or the calculated PinWitness does not match the one specified by the request.

PinUsed

The PIN code has been used previously.

PinExpired

The PIN code is no longer valid.

Note that in the case that an attempt is made to reuse a PIN, it is not automatically the case that the first use of the PIN was the one that was valid and only the second attempt was invalid. Implementations SHOULD alert the user to the attempted re-use so that this possibility can be considered and appropriate action taken.

8.1.4. Example

Alice connects a device using a QR code presented by her administrative device.

The administration device creates a PIN code and records it to the Local spool. The message specifies the salted pin value used to verify attempts to use the PIN, the action for which it is authorized. Since this PIN has been issued to authorize a device connection, the roles for which the device are authorized as well. This allows the connection request to be accepted without asking for further input from the user.

{
  "MessagePin":{
    "MessageId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
    "Account":"alice@example.com",
    "Expires":"2021-10-26T15:49:02Z",
    "Automatic":true,
    "SaltedPin":"ADL6-MGFR-DK2V-XMCH-Y4VK-FG4R-AIDL",
    "Action":"Device",
    "Roles":["threshold"
      ]}}

8.2. Completion Interaction

Completion messages are dummy messages that are added to a Mesh Spool to mark a change the status of messages previously posted. Any message that is in the inbound spool and has not been erased or redacted MAY be marked as read, unread or deleted. Any message in the outbound spool MAY be marked as sent, received or deleted.

Services MAY erase or redact messages in accordance with local site policy. Since messages are not removed from the spool on being marked deleted, they may be undeleted by marking them as read or unread. Marking a message deleted MAY make it more likely that the message will be removed if the sequence is subsequently purged.

After using the PIN code to authenticate connection of a device in the previous example, the corresponding MessagePin is marked as having been used by appending a completion message to the Local spool.

{
  "MessageComplete":{
    "MessageId":"NCGB-6PXA-YG6T-GSC3-37HF-5QG2-SC43",
    "References":[{
        "MessageId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
        "ResponseId":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW",
        "Relationship":"Closed"}
      ]}}

The completion message is added to the spool in the same upload transaction that adds the device to the device catalog. This ensures that both operations occur or neither occurs.

8.3. Contact Exchange Interaction

The contact exchange interaction is used to support unilateral or mutual exchange of contact information. Contact exchange has three functions in the Mesh:

  • To exchange public key information to allow encryption of messages sent to and verification of signatures on messages sent from the contact subject.
  • To exchange contact information allowing use of other communication protocols (e.g. telephone, SMS, xmpp, SMTP, OpenPGP, S/MIME, etc).
  • To request that the recipient grant privileges to accept certain types of messages from the contact subject.

Registration of the subject's contact information in a registry service eliminates the need for the first of these functions but not the other two. To prevent abuse, every Mesh Message is subject to access control and a Mesh service will only accept a message from a sender if there is an entry in the Threshold Catalog of the account that expressly permits delivery of messages of the specified type that are authenticated by an authorized signature key.

The communication of unsolicited information afforded by the contact exchange interaction is deliberately limited so that a majority of users can accept contact exchange requests without prior authorization. It is however likely that some users will receive a considerable volume of requests forcing them to require contact requests be authorized through some form of third party accreditation.

8.3.1. Remote

The Remote Contact Exchange transaction consists of a sequence of MessageContact messages sent from the initiator to the responder, responder to the initiator, etc. While there is in principle no limit on the number of messages exchanged, most exchanges will be completed in three exchanges or less:

Initiator to Responder

Contains Initiator contact data without authentication context from the exchange.

Responder to Initiator (optional)

Contains Responder contact data authenticated under a PIN challenge presented in the previous message.

Initiator to Responder (optional)

Contains Initiator contact data authenticated under a PIN challenge presented in the previous message.

Each message provides the recipient with additional information which MAY motivate the recipient to provide additional contact information to the sender.

{
  "MessageContact":{
    "MessageId":"NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT",
    "Sender":"bob@example.com",
    "Recipient":"alice@example.com",
    "AuthenticatedData":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb250YWN0UG
  Vyc29uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmV
  hdGVkIjogIjIwMjEtMTAtMjVUMTU6NDg6NTJaIn0"},
      "ewogICJDb250YWN0UGVyc29uIjogewogICAgIkFuY2hvcnMiOiBbewogIC
  AgICAgICJVZGYiOiAiTUJYVy1OUFdWLVY3SlEtUVI3Ri1GUDVLLVA1U0EtSkI0SCI
  sCiAgICAgICAgIlZhbGlkYXRpb24iOiAiU2VsZiJ9XSwKICAgICJOZXR3b3JrQWRk
  cmVzc2VzIjogW3sKICAgICAgICAiQWRkcmVzcyI6ICJib2JAZXhhbXBsZS5jb20iL
  AogICAgICAgICJFbnZlbG9wZWRQcm9maWxlQWNjb3VudCI6IFt7CiAgICAgICAgIC
  AgICJFbnZlbG9wZUlkIjogIk1CWFctTlBXVi1WN0pRLVFSN0YtRlA1Sy1QNVNBLUp
  CNEgiLAogICAgICAgICAgICAiZGlnIjogIlM1MTIiLAogICAgICAgICAgICAiQ29u
  dGVudE1ldGFEYXRhIjogImV3b2dJQ0pWYm1seGRXVkpaQ0k2SUNKTlFsaFhMVTVRV
  jFZdFZqZEtVUzEKICBSVWpkR0xVWlFOVXN0VURWVFFTMUtRalJJSWl3S0lDQWlUV1
  Z6YzJGblpWUjVjR1VpT2lBaVVISnZabWxzWgogIFZWelpYSWlMQW9nSUNKamRIa2l
  PaUFpWVhCd2JHbGpZWFJwYjI0dmJXMXRMMjlpYW1WamRDSXNDaUFnSWtOCiAgeVpX
  RjBaV1FpT2lBaU1qQXlNUzB4TUMweU5WUXhOVG8wT0RvMU1sb2lmUSJ9LAogICAgI
  CAgICAgImV3b2dJQ0pRY205bWFXeGxWWE5sY2lJNklIc0tJQ0FnSUNKUWNtOW1hV3
  gKICBsVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ1dGY3R
  UbEJYVmkxV04wcFJMVkZTTgogIDBZdFJsQTFTeTFRTlZOQkxVcENORWdpTEFvZ0lD
  QWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzCiAgS0lDQWdJQ0FnSUNBa
  VVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaV
  IKICBXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSmZXR2RaY21
  WdGJFUnBiVU5JTjB3d1kxcAogIE9jREkzUW10NlFsSXdZalJYTVVaa01GSlNjbG8y
  YUZaNmFtSjFRbnBWY0hWaUNpQWdUVlZFUzJWa2FraFhZCiAgblY1TVVWMmMzcG5ib
  U5CWmsxQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFFXUmtjbVZ6Y3lJNklDSmliMk
  oKICBBWlhoaGJYQnNaUzVqYjIwaUxBb2dJQ0FnSWxObGNuWnBZMlZWWkdZaU9pQWl
  UVVF6TmkxUk5GTkRMVk0wVwogIFZvdFMxQlNVQzAzVnpSUUxWTk9VamN0VVUxRU1p
  SXNDaUFnSUNBaVJYTmpjbTkzUlc1amNubHdkR2x2YmlJCiAgNklIc0tJQ0FnSUNBZ
  0lsVmtaaUk2SUNKTlFWZFZMVXBQTlZNdFVWVk5VUzFJUkROUExVaFZUa3d0VHpkSF
  UKICBTMUpTMFJLSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21GdFpYUmxjbk1pT2l
  CN0NpQWdJQ0FnSUNBZ0lsQgogIDFZbXhwWTB0bGVVVkRSRWdpT2lCN0NpQWdJQ0Fn
  SUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJCiAgQ0FnSUNBZ0lsQjFZb
  XhwWXlJNklDSnpjaTF0U0dKQkxWWTVWV0ZqVjNkcE1sZElNVTh4UkhaT1dtMUhNam
  QKICBUUWpkSU4yWXRiRUpGTmpaWWJtWnNWRWRMT1dKTkNpQWdObXhCWDFKRmRFa3l
  VSGQ1VkVKeVkwNXdZbXRmYQogIEdWQkluMTlmU3dLSUNBZ0lDSkJZMk52ZFc1MFJX
  NWpjbmx3ZEdsdmJpSTZJSHNLSUNBZ0lDQWdJbFZrWmlJCiAgNklDSk5RMFJSTFVKV
  1Z6VXRVazVTVmkxR1ZFTlpMVWhHVlRZdFVVbFBNaTFIUkZkUUlpd0tJQ0FnSUNBZ0
  kKICBsQjFZbXhwWTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW1
  4cFkwdGxlVVZEUkVnaU9pQgogIDdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJbGcw
  TkRnaUxBb2dJQ0FnSUNBZ0lDQWdJbEIxWW14cFl5STZJCiAgQ0p1WjNaMlpXcFhVM
  Ws1V0hwNVVFTkdibkpIVFVwSldFNXlVelF0UzJWMFZIbHhTemhOVW5nek1FVmpiMl
  IKICB1VFU5a1QyVm1DaUFnVm1WMVpscFZNMGhNV2tkT1NrTnJhbEZpUkZrMWRGVkJ
  JbjE5ZlN3S0lDQWdJQ0pCWgogIEcxcGJtbHpkSEpoZEc5eVUybG5ibUYwZFhKbElq
  b2dld29nSUNBZ0lDQWlWV1JtSWpvZ0lrMUJUelF0VlU5CiAgRk5DMU5TalpGTFZsV
  FVFTXRVMVpFVVMxTlJqUTNMVXBHUzBzaUxBb2dJQ0FnSUNBaVVIVmliR2xqVUdGeV
  kKICBXMWxkR1Z5Y3lJNklIc0tJQ0FnSUNBZ0lDQWlVSFZpYkdsalMyVjVSVU5FU0N
  JNklIc0tJQ0FnSUNBZ0lDQQogIGdJQ0pqY25ZaU9pQWlSV1EwTkRnaUxBb2dJQ0Fn
  SUNBZ0lDQWdJbEIxWW14cFl5STZJQ0kxVDJwMVRqazNTCiAgVlpwY0VGTlYyNVVlR
  2gyU21VNWVIZFNiSFl0VEVOSVlUSXdWVlpCTmxKU1ZWWXpXbXAzWVZsbFpXNWxDaU
  EKICBnTTBweVdERkJNMTlLYzFwTU16SldRVUp3WWtSTlRWZEJJbjE5ZlN3S0lDQWd
  JQ0pCWTJOdmRXNTBRWFYwYQogIEdWdWRHbGpZWFJwYjI0aU9pQjdDaUFnSUNBZ0lD
  SlZaR1lpT2lBaVRVRktOUzFLVGtwTExUVkJXRFV0V0VGCiAgVlJ5MVhUVFJPTFZVM
  VRGWXRXa0pKU2lJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2
  UKICB3b2dJQ0FnSUNBZ0lDSlFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUN
  BZ0lDQWdJbU55ZGlJNklDSgogIFlORFE0SWl3S0lDQWdJQ0FnSUNBZ0lDSlFkV0pz
  YVdNaU9pQWlTbEIzVVZZdFJVNWpSR05UTXpCNWFXNXRUCiAgV0ZpVUVKQlFuZ3hUV
  Gx4V0dvMFJVcHBOekJaVlVJMlJsUjBZMU42YTBadVl3b2dJRVp6VmpOeWVHRlVaMl
  YKICBNV2xwTWVEUm9SRE5DUjFwbFFTSjlmWDBzQ2lBZ0lDQWlRV05qYjNWdWRGTnB
  aMjVoZEhWeVpTSTZJSHNLSQogIENBZ0lDQWdJbFZrWmlJNklDSk5RbFZhTFRSTVUx
  Z3RRVWRTUmkwMFZVWldMVUZSVlRJdFZGRkJSeTFXV0V4CiAgRklpd0tJQ0FnSUNBZ
  0lsQjFZbXhwWTFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW14cF
  kKICAwdGxlVVZEUkVnaU9pQjdDaUFnSUNBZ0lDQWdJQ0FpWTNKMklqb2dJa1ZrTkR
  RNElpd0tJQ0FnSUNBZ0lDQQogIGdJQ0pRZFdKc2FXTWlPaUFpYjFCQlNXOVZNWFZU
  TFhvME9GRmFPVjkwV2xCMk4yeHlSR3RvUTBOd1NYQk9kCiAgV1JLYjFOS2JXbDRkV
  1JTZURCeVEwNVdXQW9nSUc1WVMzUmZUR2xHVG5WbVUySnBjMDF3WWxRNFowTTRRU0
  oKICA5ZlgxOWZRIiwKICAgICAgICAgIHsKICAgICAgICAgICAgInNpZ25hdHVyZXM
  iOiBbewogICAgICAgICAgICAgICAgImFsZyI6ICJTNTEyIiwKICAgICAgICAgICAg
  ICAgICJraWQiOiAiTUJYVy1OUFdWLVY3SlEtUVI3Ri1GUDVLLVA1U0EtSkI0SCIsC
  iAgICAgICAgICAgICAgICAic2lnbmF0dXJlIjogIjNISnlVall2MWQyVXlIMGlIUE
  9rTEdXWHZ6UFZBR1Fwak5FZEkyc2k3Tl9nTXZCeTgKICBLVFJWLV80ZnptZ2tvWkw
  0NnlOdGhCRHkyU0F2ZFVLdFVWUTc0c0NsQlY1aDFLSFpkcm41Wl84ekk3d0lGbAog
  IHM3MTZVUnFOa0tvdlV0OWhkQnN0emw2WURfZllWWjhSUExkMDlQQjhBIn1dLAogI
  CAgICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJDUDMxdlhrdUtFQS0tNUdaWWJ1TV
  VMZHV4dFdmZmYyZEs3RUFCLVRZX0RCSzEKICB0ZnB2Z2FiMm5zRjh4Y3JYRGZDRUp
  KQllFamd4TzFXbHJGMWl6amV2QSJ9XSwKICAgICAgICAiUHJvdG9jb2xzIjogW3sK
  ICAgICAgICAgICAgIlByb3RvY29sIjogIm1tbSJ9XX1dfX0",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MBUZ-4LSX-AGRF-4UFV-AQU2-TQAG-VXLE",
            "signature":"DbnBy9SoZHXD9EUbFvBpQW7KEKnNm-EUKMdvNE_b
  J6QU-8gVevRj1BQbnnnTt8EtA6WiTl-vMQ2ATfDuFXt8r9FtataQKWOSBq_zWqXBY
  KQiQtP0ROgYAr7b8VavWhXpJbScrFg_RDrdVo8PIPdsmDkA"}
          ],
        "PayloadDigest":"ZFUZc0MO__xinLcbyzTF33GyMZ3pqFe1WQhimoDJ
  YCGrwEvyBnsMTV4LDG3oYbwYJQQzyEF2LRC3pD76R4AcrQ"}
      ],
    "Reply":true,
    "Subject":"alice@example.com",
    "PIN":"AAIE-IVI5-54XO-5PHG-VE62-FFS7-62GQ"}}

The Mesh Contact Exchange transaction does not provide for validation of the contact information beyond the binding to the Mesh Account Address used to perform the exchange.

8.3.2. PIN

Contact exchange requests MAY be authenticated by a PIN code. Initial contact exchange requests SHOULD include a PIN code value that can be used to authenticate a response (if given). PIN codes MAY also be exchanged out of band.

A MessageContact authenticated by means of a PIN code is authenticated as described in the PIN Interaction section above.

8.3.3. EARL

A MessageContact message MAY be published as an EARL. This allows contact data to be presented to the recipient on a printed document such as a business card in machine readable format such as a QR code.

8.4. Group Invitation

The GroupInvitation interaction is used to invite a recipient to join a Mesh Group. The interaction is essentially a form of contact exchange except that a sender SHOULD NOT send group invitations unless there is an existing relationship. Thus the 'first trust' issues intrinsic to the contact exchange interaction do not apply.

The message specifies the group name and the contact entry for the group. The contact entry includes the CapabilityDecryptServiced used to decrypt messages sent to the group when combined with information provided by the threshold service for the group.

Receipt of a GroupInvitation message does not require a response.

>>>> Unfinished ProtocolGroupInvite

Missing example 3

8.5. Confirmation Interaction

The confirmation interaction consists of a RequestConfirmation message from the initiator followed by a ResponseConfirmation from the responder.

The RequestConfirmation message specifies the action that is requested.

The ResponseConfirmation message contains the enveloped RequestConfirmation message signed by the initiator and the disposition of the responder, Accept = true if the request is accepted and Accept = false otherwise.

The service sends out the following request:

{
  "RequestConfirmation":{
    "MessageId":"NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ",
    "Sender":"console@example.com",
    "Recipient":"alice@example.com",
    "Text":"start"}}

Alice accepts the request and returns the following response:

{
  "ResponseConfirmation":{
    "MessageId":"MCT4-SVZ2-BL5Y-DR5B-TF4S-WIGH-CJTM",
    "Sender":"alice@example.com",
    "Recipient":"console@example.com",
    "Request":[{
        "EnvelopeId":"MDVA-HSIH-UJBT-PEVO-GZNQ-JF3O-YHTM",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOREFELUtMSlktQz
  VKTy1KR1hMLVZVV0ctWTZQUC1QU0ZKIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbmZpcm1hdGlvbiIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0
  IiwKICAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ4OjU3WiJ9",
        "SequenceInfo":{
          "Index":4,
          "TreePosition":6201},
        "Received":"2021-10-25T15:48:57Z"},
      "ewogICJSZXF1ZXN0Q29uZmlybWF0aW9uIjogewogICAgIk1lc3NhZ2VJZC
  I6ICJOREFELUtMSlktQzVKTy1KR1hMLVZVV0ctWTZQUC1QU0ZKIiwKICAgICJTZW5
  kZXIiOiAiY29uc29sZUBleGFtcGxlLmNvbSIsCiAgICAiUmVjaXBpZW50IjogImFs
  aWNlQGV4YW1wbGUuY29tIiwKICAgICJUZXh0IjogInN0YXJ0In19",
      {}
      ],
    "Accept":true}}

9. Device Connection Interactions

Connection of a device to a Mesh Account combines synchronous and asynchronous elements and therefore uses a combination of Mesh Service Protocol and Mesh Messaging interactions.

Four connection interactions are currently defined support connection of devices with different affordances:

Witness Authenticated

For connecting devices that provide data entry and display affordances and are connected to a network. The account the device is to be connected to is entered into the device which displays a witness code. This code is then compared with a code displayed on the administration device to authenticate the request, after which both devices can complete the interaction.

PIN Authenticated

A variation of the Witness Authenticated interaction in which the connection process is initiated by creating a PIN value which is communicated to the device by some out of band means and used to authenticate the connection request.

Dynamic QR Code (PIN) Authenticated

For connecting devices that provide a camera affordance. The user sets the administration device into 'add device' mode, causing a QR code to be displayed. The QR code is scanned by the device being connected after which both devices can complete the interaction. Implementation of this mechanism is identical to the PIN authenticated scheme except that the PIN code is presented to the connecting device by means of a QR code.

Preconfigured (Static QR Code Authenticated)

For connecting devices that have been preconfigured with a device profile identified by means of a QR Code containing an EARL. The QR code is scanned by the administration device after which both devices can complete the interaction.

Each of these interactions provide strong mutual authentication with minimal user effort.

The witness authenticated connection interaction is intended for use in cases in which the device is already connected to a network. The QR code interactions are intended to provide support for acquisition of networking capabilities as part of the connection process. These functions are not currently specified. The Static QR Code Authenticated interaction is intended to support Internet of Things (IoT) devices which provide minimal interaction affordances.

In each case, the objectives of the device connection interaction are the same:

The connection of the device to the Mesh Account is achieved through the creation of the ActivationDevice, ConnectionDevice and CataloguedDevice records described in [draft-hallambaker-mesh-schema]. These are created by the administration device in the third phase of each of the connection interactions described below and acquired by the onboarding device in the fourth phase.

9.1. Witness/PIN Authenticated

The witness authenticated, PIN authenticated, and Dynamic QR code interactions all follow a common interaction pattern.

The Dynamic QR Code (PIN) Authenticated interaction comprises four phases as follows:

Phase 1: Issue of PIN credential (PIN and Dynamic QR code only)

A PIN code is created and registered with the PIN Registration interaction described earlier and transmitted to the user by an out of band communication. In the case of the Dynamic QR code interaction, this is a QR code that is scanned by the connecting device.

Phase 2: Onboarding Device Request to Service

The onboarding device creates a RequestConnect message. In the PIN authenticated and Dynamic QR Code interactions, the RequestConnect is authenticated by the Device Authentication key and the PIN issued earlier. In the Witness Authenticated interaction, it is authenticated by the Device Authentication key alone.

The onboarding device presents the RequestConnect message to the service by means of a Connect operation to the service servicing the account. This results in the exchange of the account and device profiles and the computation of a witness value from the two profile fingerprints and two nonce values specified by the onboarding device and the service. An AcknowledgeConnection message is posted to the Inbound spool of the account and returned to the connecting device.

Phase 3: Administration Device Acceptance

The account holder authenticates RequestConnect message and uses an administrative device to accept or reject the connection request.

If the RequestConnect message has been authenticated by a PIN code, the connection request can be accepted automatically without additional user interaction.

Phase 4: Onboarding Device Completion

The onboarding device periodically polls the service for acceptance of the request by the administration device using the Complete transaction.

The use of the PIN code to authenticate the request message is shown in $$$$.

The PIN code MAY be presented to the onboarding device in any format accepted by the device. Administration MAY support presentation of the account address PIN code as a URI code. Administration devices SHOULD support presentation of the account address PIN code as a QR code containing the corresponding URI.

9.1.1. Phase 1:

Alice> account pin /threshold
PIN=ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM
 (Expires=2021-10-26T15:49:02Z)

The registration of this PIN value was shown earlier in section $$$

The URI containing the account address and PIN is:

mcu://alice@example.com/ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM

9.1.2. Phase 2:

The onboarding device scans the QR code to obtain the account address and PIN code. The PIN code is used to authenticate a connection request:

Alice3> device request alice@example.com /pin ^
    ABQR-GO5I-FPIE-TK5O-M4VU-DALE-WM
   Device UDF = MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
   Witness value = 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV

The device generates a RequestConnect message as follows:

{
  "RequestConnection":{
    "MessageId":"NA46-HSVG-N5NU-EXKZ-4X7G-GSF7-DUWS",
    "AuthenticatedData":[{
        "EnvelopeId":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQ1ZOLVhMTFQtTE
  xOVy1VNEhSLUJPTUctUkE2Wi1VV1JSIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAyWiJ9"},
      "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1cm
  UiOiB7CiAgICAgICJVZGYiOiAiTUNWTi1YTExULUxMTlctVTRIUi1CT01HLVJBNlo
  tVVdSUiIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJs
  aWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgI
  CAiUHVibGljIjogImQzMlg1b3NHMUtPRTVvbWZWTUZqREs0MF84eGJ5RTNrZlV3T3
  dUYlBXMXZJeW8zQ0NOdkoKICA5aXBseTFBMlg4TjVMejhXSXRTWml3S0EifX19LAo
  gICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTURNVy1XQ0lSLUZKTU8t
  N1pINi1DTjNKLUtVWkwtUkxBWCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjoge
  wogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYND
  Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAibnRfcHU0WVJieXIwWUxNY1JXdmlNLXJ
  UWlhXZlB1UVhWa1h0TWdud2hweUVXdjBHUmpsaAogIDlVcnBPc21jVTI3LWxtenhJ
  T3dTWGpBQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CM
  lUtNkdNNy1QSEkzLTNVVU4tTElaNi1VVUdKLUlXNVEiLAogICAgICAiUHVibGljUG
  FyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICA
  gICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJVbmk2NUVYY0RY
  YmVXaW1RbFk5OXhhSG5SWmpiSFpBS2lUNmRlZDR0MWp2TGpFVmhMb3lYCiAgVlFra
  WRoZ1lsV21fRHM2ODdPdUpoX1VBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IH
  sKICAgICAgIlVkZiI6ICJNQklDLUIyS0QtQkJSWC1HNFBELTRJMk8tUE1ETi1XT1d
  BIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl
  eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Y
  mxpYyI6ICJ5cGJTV1ZnSHEwb25oT2tUT1F4MUNkZ3dIRVRQTElSTVQ1aW1SS0pfMG
  ozVzBKZnktVk5uCiAgOTJmTzZrSFl0M2dTb0hXSm04TXZWNHdBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
            "signature":"FPjcCzr7s0FbUHrZOOhUGuesUNBJONX9Fe-C__87
  eykHW5UOylLhnfxfkULQVRIY3gdFgfLSJ5mALYQ3v9RLJthdPhMpxDfuyIiD3Vt-c
  ho2QGaSq7imO-ZlKZLP_jwO48AnqcNZnJwcdKMFhkzZDjkA"}
          ],
        "PayloadDigest":"HgKI5VcczlRi0_H9mEeby_Ylk8zCTleLmhzeWVof
  kWccfgpClI1hRH3fn_JUAJZqau76o2AaUTPu3-Deu9TXaw"}
      ],
    "ClientNonce":"-pyukA8KJqdvV_hePIKFZQ",
    "PinId":"AAPO-PUCK-AIYZ-FSOX-OBI5-YZZB-RVT2",
    "PinWitness":"wV04crBaf7h-5fclVAGMIsy5ZUZnKcqbPXDUbuZfXYozuI9
  ZB-emewnq2awvpw6i7oFvgY-oW0jQrUYqJSTWDg",
    "AccountAddress":"alice@example.com"}}

The service receives the conenct request and authenticates the message under the device key. The service cannot authenticate the message under the PIN code because that is not know to the service as the service cannot decrypt the local spool.

Having authenticated the connect request, the service generates a random nonce value. The random nonce together with the device and account profiles are used to calculate the witness value.

The AcknowledgeConnection message is created by the service:

{
  "AcknowledgeConnection":{
    "MessageId":"2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV",
    "EnvelopedRequestConnection":[{
        "EnvelopeId":"MDKW-3KOD-ZTW6-MRIB-AARK-UACM-PDOZ",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQTQ2LUhTVkctTj
  VOVS1FWEtaLTRYN0ctR1NGNy1EVVdTIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0OTowMloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJNZXNzYWdlSWQiOi
  AiTkE0Ni1IU1ZHLU41TlUtRVhLWi00WDdHLUdTRjctRFVXUyIsCiAgICAiQXV0aGV
  udGljYXRlZERhdGEiOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1DVk4tWExM
  VC1MTE5XLVU0SFItQk9NRy1SQTZaLVVXUlIiLAogICAgICAgICJkaWciOiAiUzUxM
  iIsCiAgICAgICAgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWk
  NJNklDSk5RMVpPTFZoTVRGUXRURXhPVnkxCiAgVk5FaFNMVUpQVFVjdFVrRTJXaTF
  WVjFKU0lpd0tJQ0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBVUmxk
  bWxqWlNJc0NpQWdJbU4wZVNJNklDSmhjSEJzYVdOaGRHbHZiaTl0YlcwdmIySnFaV
  04wSWl3S0lDQQogIGlRM0psWVhSbFpDSTZJQ0l5TURJeExURXdMVEkxVkRFMU9qUT
  VPakF5V2lKOSJ9LAogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V
  3b2dJQ0FnSWxCeWIyWgogIHBiR1ZUYVdkdVlYUjFjbVVpT2lCN0NpQWdJQ0FnSUNK
  VlpHWWlPaUFpVFVOV1RpMVlURXhVTFV4TVRsY3RWCiAgVFJJVWkxQ1QwMUhMVkpCT
  mxvdFZWZFNVaUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWMFpYSnpJam8KIC
  BnZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0F
  nSUNBZ0ltTnlkaUk2SQogIENKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmli
  R2xqSWpvZ0ltUXpNbGcxYjNOSE1VdFBSVFZ2YldaCiAgV1RVWnFSRXMwTUY4NGVHS
  jVSVE5yWmxWM1QzZFVZbEJYTVhaSmVXOHpRME5PZGtvS0lDQTVhWEJzZVRGQk0KIC
  BsZzRUalZNZWpoWFNYUlRXbWwzUzBFaWZYMTlMQW9nSUNBZ0lrVnVZM0o1Y0hScGI
  yNGlPaUI3Q2lBZ0lDQQogIGdJQ0pWWkdZaU9pQWlUVVJOVnkxWFEwbFNMVVpLVFU4
  dE4xcElOaTFEVGpOS0xVdFZXa3d0VWt4QldDSXNDCiAgaUFnSUNBZ0lDSlFkV0pzY
  VdOUVlYSmhiV1YwWlhKeklqb2dld29nSUNBZ0lDQWdJQ0pRZFdKc2FXTkxaWGwKIC
  BGUTBSSUlqb2dld29nSUNBZ0lDQWdJQ0FnSW1OeWRpSTZJQ0pZTkRRNElpd0tJQ0F
  nSUNBZ0lDQWdJQ0pRZAogIFdKc2FXTWlPaUFpYm5SZmNIVTBXVkppZVhJd1dVeE5Z
  MUpYZG1sTkxYSlVXbGhYWmxCMVVWaFdhMWgwVFdkCiAgdWQyaHdlVVZYZGpCSFVtc
  HNhQW9nSURsVmNuQlBjMjFqVlRJM0xXeHRlbmhKVDNkVFdHcEJRU0o5Zlgwc0MKIC
  BpQWdJQ0FpVTJsbmJtRjBkWEpsSWpvZ2V3b2dJQ0FnSUNBaVZXUm1Jam9nSWsxQ01
  sVXROa2ROTnkxUVNFawogIHpMVE5WVlU0dFRFbGFOaTFWVlVkS0xVbFhOVkVpTEFv
  Z0lDQWdJQ0FpVUhWaWJHbGpVR0Z5WVcxbGRHVnljCiAgeUk2SUhzS0lDQWdJQ0FnS
  UNBaVVIVmliR2xqUzJWNVJVTkVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjblkKIC
  BpT2lBaVJXUTBORGdpTEFvZ0lDQWdJQ0FnSUNBZ0lsQjFZbXhwWXlJNklDSlZibWs
  yTlVWWVkwUllZbVZYYQogIFcxUmJGazVPWGhoU0c1U1dtcGlTRnBCUzJsVU5tUmxa
  RFIwTVdwMlRHcEZWbWhNYjNsWUNpQWdWbEZyYVdSCiAgb1oxbHNWMjFmUkhNMk9EZ
  FBkVXBvWDFWQkluMTlmU3dLSUNBZ0lDSkJkWFJvWlc1MGFXTmhkR2x2YmlJNkkKIC
  BIc0tJQ0FnSUNBZ0lsVmtaaUk2SUNKTlFrbERMVUl5UzBRdFFrSlNXQzFITkZCRUx
  UUkpNazh0VUUxRVRpMQogIFhUMWRCSWl3S0lDQWdJQ0FnSWxCMVlteHBZMUJoY21G
  dFpYUmxjbk1pT2lCN0NpQWdJQ0FnSUNBZ0lsQjFZCiAgbXhwWTB0bGVVVkRSRWdpT
  2lCN0NpQWdJQ0FnSUNBZ0lDQWlZM0oySWpvZ0lsZzBORGdpTEFvZ0lDQWdJQ0EKIC
  BnSUNBZ0lsQjFZbXhwWXlJNklDSjVjR0pUVjFablNIRXdiMjVvVDJ0VVQxRjRNVU5
  rWjNkSVJWUlFURWxTVAogIFZRMWFXMVNTMHBmTUdvelZ6Qktabmt0Vms1dUNpQWdP
  VEptVHpaclNGbDBNMmRUYjBoWFNtMDRUWFpXTkhkCiAgQkluMTlmWDE5IiwKICAgI
  CAgewogICAgICAgICJzaWduYXR1cmVzIjogW3sKICAgICAgICAgICAgImFsZyI6IC
  JTNTEyIiwKICAgICAgICAgICAgImtpZCI6ICJNQ1ZOLVhMTFQtTExOVy1VNEhSLUJ
  PTUctUkE2Wi1VV1JSIiwKICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJGUGpjQ3py
  N3MwRmJVSHJaT09oVUd1ZXNVTkJKT05YOUZlLUNfXzg3ZXlrSFc1VU95CiAgbExob
  mZ4ZmtVTFFWUklZM2dkRmdmTFNKNW1BTFlRM3Y5UkxKdGhkUGhNcHhEZnV5SWlEM1
  Z0LWNobzJRR2EKICBTcTdpbU8tWmxLWkxQX2p3TzQ4QW5xY05abkp3Y2RLTUZoa3p
  aRGprQSJ9XSwKICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJIZ0tJNVZjY3psUmkw
  X0g5bUVlYnlfWWxrOHpDVGxlTG1oemVXVm9ma1djY2YKICBncENsSTFoUkgzZm5fS
  lVBSlpxYXU3Nm8yQWFVVFB1My1EZXU5VFhhdyJ9XSwKICAgICJDbGllbnROb25jZS
  I6ICItcHl1a0E4S0pxZHZWX2hlUElLRlpRIiwKICAgICJQaW5JZCI6ICJBQVBPLVB
  VQ0stQUlZWi1GU09YLU9CSTUtWVpaQi1SVlQyIiwKICAgICJQaW5XaXRuZXNzIjog
  IndWMDRjckJhZjdoLTVmY2xWQUdNSXN5NVpVWm5LY3FiUFhEVWJ1WmZYWW96dUk5W
  gogIEItZW1ld25xMmF3dnB3Nmk3b0Z2Z1ktb1cwalFyVVlxSlNUV0RnIiwKICAgIC
  JBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSJ9fQ"
      ],
    "ServerNonce":"qO9R3oT24EDO5GCYlYCBsg",
    "Witness":"2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV"}}

The AcknowledgeConnection message is appended to the Inbound spool of the account to which connection was requested so that the user can approve the request. The ConnectResponse message is returned to the device containing the AcknowledgeConnection message and the profile of the account.

The device generates the witness value, verifies it against the value provided by the server and presents it to the user as seen in the console example above.

9.1.3. Phase 3:

The user synchronizes their pending messages:

Alice> message pending
MessageID: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
        Connection Request::
        MessageID: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
        To:  From:
        Device:  MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
        Witness: 2WZP-KNZF-JMKO-RQSU-WYTH-UU35-NWXV
MessageID: NCVP-LUEL-F3OI-QOAM-HND2-WG5Z-346D
        Group invitation::
        MessageID: NCVP-LUEL-F3OI-QOAM-HND2-WG5Z-346D
        To: alice@example.com From: alice@example.com
MessageID: NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ
        Confirmation Request::
        MessageID: NDAD-KLJY-C5JO-JGXL-VUWG-Y6PP-PSFJ
        To: alice@example.com From: console@example.com
        Text: start
MessageID: NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT
        Contact Request::
        MessageID: NAP7-MRKY-LGHV-W6C2-IDAX-ELNG-V5NT
        To: alice@example.com From: bob@example.com
        PIN: AAIE-IVI5-54XO-5PHG-VE62-FFS7-62GQ
Alice> account sync /auto

The administration device determines that the device connection request is authenticated by a PIN code. The PIN code is retrieved and the message authenticated. This is shown in the PIN registration interation example in section $$$ above.

Bug: This command is currently showing superflous pending messages due to the failure to clear messages processed in earlier examples.

The Cataloged device record is created from the public key values corresponding to the combination of the public keys in the device profile and those defined by the activation.

This is returned to the onboarding device by wrapping it in a RespondConnection message posted to the local spool of the account.

{
  "RespondConnection":{
    "MessageId":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW",
    "Result":"Accept",
    "CatalogedDevice":{
      "DeviceUdf":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
      "EnvelopedProfileUser":[{
          "EnvelopeId":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
          "dig":"S512",
          "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQjVJLVIyNE0t
  UVhKVC1LREJGLVhGT0EtREdDMy1VM0FBIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ
  mlsZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIk
  NyZWF0ZWQiOiAiMjAyMS0xMC0yNVQxNTo0ODo0NFoifQ"},
        "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJQcm9maWxlU2lnbmF0dXJl
  IjogewogICAgICAiVWRmIjogIk1CNUktUjI0TS1RWEpULUtEQkYtWEZPQS1ER0MzL
  VUzQUEiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibG
  ljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICA
  gIlB1YmxpYyI6ICIwUS1aNWVESHR3V1ZZZGtmeVZUOVIzNi1yMGhPMWZVSFdwbUky
  bWRJc2k4MXNkanlzZ3NBCiAgZmRLb0hacEtJWnRLa01YU29Pa0ZycE9BIn19fSwKI
  CAgICJBY2NvdW50QWRkcmVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiU2
  VydmljZVVkZiI6ICJNRDM2LVE0U0MtUzRZWi1LUFJQLTdXNFAtU05SNy1RTUQyIiw
  KICAgICJFc2Nyb3dFbmNyeXB0aW9uIjogewogICAgICAiVWRmIjogIk1CRk8tQVhR
  SC1WRUpJLUo0N0otVzNaRy0zWlBBLTdGSFMiLAogICAgICAiUHVibGljUGFyYW1ld
  GVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcn
  YiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIkdDaHlORnVIYjZfQm1vZ3F
  FQzNfUjBhWGFlbW1EbGFER3lZWWRsMkZTQXc0RW5LakM4QXEKICBHbHB5N3NRYWNS
  Vmo0LVFiUUpzel9Qa0EifX19LAogICAgIkFjY291bnRFbmNyeXB0aW9uIjogewogI
  CAgICAiVWRmIjogIk1CVUgtRlk0NS1EVk5GLVhNUVYtU1FDNC1MVExJLUs1QVYiLA
  ogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUN
  ESCI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgICAiUHVibGlj
  IjogIldTZGxEOFNMWFdDRkhoSUhqQ3dRSEI3YjRZbTc0a3BNLVhWWm5GS1dZWVlwS
  GdCbi1KSUgKICAzYVBhSHpkNjBNSDNuMWV2Vk5Vc1RiQ0EifX19LAogICAgIkFkbW
  luaXN0cmF0b3JTaWduYXR1cmUiOiB7CiAgICAgICJVZGYiOiAiTUNCTy1aSzRGLVF
  GWU0tNjNUSy1UQTJDLUxIUVktN1FXNSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJz
  IjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6I
  CJFZDQ0OCIsCiAgICAgICAgICAiUHVibGljIjogIktaUHktTzUtckRYTFRUbzlja2
  lNUjVtbE9qa3VyTUxSQlpXNVprVUpKOTdkOEhSdFRBQmQKICBMbjY2aU9mRUtDUTB
  zaV9sOE83NVZVUUEifX19LAogICAgIkFjY291bnRBdXRoZW50aWNhdGlvbiI6IHsK
  ICAgICAgIlVkZiI6ICJNQUhDLVFIM0QtVkxLQy1VVEZCLVVFRlItTTVWVi1UV0FII
  iwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleU
  VDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Ymx
  pYyI6ICJFbVNiaHFramdqWUFHUl9pTkh6R2lfU1JCNnZHbEtxZklzQ3lRdnhsVmY3
  OU5zU0VFaG15CiAgUEhxN3pKMUFJbDFlYWlkYVMycjI2M2tBIn19fSwKICAgICJBY
  2NvdW50U2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1CVVgtWUk1Vy1OVEFILV
  VKTjItNEZGQy00UEFZLU5JNzMiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHs
  KICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0
  NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJGZnZFcE11Y3dCb3hBT1NfLTB0WlVhe
  nZlNUo3SUJYb1hwakxYVFBEdW9Edk51ZGtzUl8xCiAgUkVmZ2g5SGI0YklwYlpqbF
  84bC1SaUdBIn19fX19",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA",
              "signature":"Z935mSJZSJRi1kXTEsD-Q9AAkAu3IuD_-QJXHa
  8WVr2xMXcA-23dcvYx9duavojUCUVkKvl1W8iAsxPtl2n0HoAKUATgpSQmW1X28In
  4RZ9e60BCW7kFIqbADT4jF0fBOVI7bf15uh3coVtpXAtHehAA"}
            ],
          "PayloadDigest":"0_av1I9T_vQ-6biLixf0vQ-_JLiUttOyYnb5fP
  bqu5l3agCn0lgRFl8uGdSgmzVqzUSIxQl36g-SDrhwApbyEw"}
        ],
      "EnvelopedProfileDevice":[{
          "EnvelopeId":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
          "dig":"S512",
          "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQ1ZOLVhMTFQt
  TExOVy1VNEhSLUJPTUctUkE2Wi1VV1JSIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ
  mlsZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKIC
  AiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAyWiJ9"},
        "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1
  cmUiOiB7CiAgICAgICJVZGYiOiAiTUNWTi1YTExULUxMTlctVTRIUi1CT01HLVJBN
  lotVVdSUiIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdW
  JsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICA
  gICAiUHVibGljIjogImQzMlg1b3NHMUtPRTVvbWZWTUZqREs0MF84eGJ5RTNrZlV3
  T3dUYlBXMXZJeW8zQ0NOdkoKICA5aXBseTFBMlg4TjVMejhXSXRTWml3S0EifX19L
  AogICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTURNVy1XQ0lSLUZKTU
  8tN1pINi1DTjNKLUtVWkwtUkxBWCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjo
  gewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJY
  NDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAibnRfcHU0WVJieXIwWUxNY1JXdmlNL
  XJUWlhXZlB1UVhWa1h0TWdud2hweUVXdjBHUmpsaAogIDlVcnBPc21jVTI3LWxten
  hJT3dTWGpBQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1
  CMlUtNkdNNy1QSEkzLTNVVU4tTElaNi1VVUdKLUlXNVEiLAogICAgICAiUHVibGlj
  UGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgI
  CAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJVbmk2NUVYY0
  RYYmVXaW1RbFk5OXhhSG5SWmpiSFpBS2lUNmRlZDR0MWp2TGpFVmhMb3lYCiAgVlF
  raWRoZ1lsV21fRHM2ODdPdUpoX1VBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6
  IHsKICAgICAgIlVkZiI6ICJNQklDLUIyS0QtQkJSWC1HNFBELTRJMk8tUE1ETi1XT
  1dBIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0
  tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB
  1YmxpYyI6ICJ5cGJTV1ZnSHEwb25oT2tUT1F4MUNkZ3dIRVRQTElSTVQ1aW1SS0pf
  MGozVzBKZnktVk5uCiAgOTJmTzZrSFl0M2dTb0hXSm04TXZWNHdBIn19fX19",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR",
              "signature":"FPjcCzr7s0FbUHrZOOhUGuesUNBJONX9Fe-C__
  87eykHW5UOylLhnfxfkULQVRIY3gdFgfLSJ5mALYQ3v9RLJthdPhMpxDfuyIiD3Vt
  -cho2QGaSq7imO-ZlKZLP_jwO48AnqcNZnJwcdKMFhkzZDjkA"}
            ],
          "PayloadDigest":"HgKI5VcczlRi0_H9mEeby_Ylk8zCTleLmhzeWV
  ofkWccfgpClI1hRH3fn_JUAJZqau76o2AaUTPu3-Deu9TXaw"}
        ],
      "EnvelopedConnectionAddress":[{
          "dig":"S512"},
        "e7QRQ29ubmVjdGlvbkFkZHJlc3N7tA5BdXRoZW50aWNhdGlvbnu0EFB1
  YmxpY1BhcmFtZXRlcnN7tA1QdWJsaWNLZXlFQ0RIe7QDY3J2gARYNDQ4tAZQdWJsa
  WOIOdulr0WkJsqoELzV6ZGITa3QJhpT6D22IPFeUSgiSp-K8l1msYOAPUExAKdsvR
  WgGhs_oOv7o4kEgH19fbQHQWNjb3VudIARYWxpY2VAZXhhbXBsZS5jb219fQ",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"03oFK4MzMkSRYzgImz6WJw3JSZ4fmU7djU63aS
  oQWhCmzNDCf4XCKfx-bKoJesukT_VTGq5bW-AAWqO_2ZfO3pqjr5CwSH9yOKBzH0t
  pPFDAeKi7oBM43kk5rqljTNOf4EtcaiEqYFohIVoPbn75NAwA"}
            ]}
        ],
      "EnvelopedConnectionService":[{
          "dig":"S512",
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0
  aW9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI
  CAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAzWiJ9"},
        "e7QRQ29ubmVjdGlvblNlcnZpY2V7tA5BdXRoZW50aWNhdGlvbnu0A1Vk
  ZoAiTURCVy03TjVTLUpJWUUtT0JPNi1HWlROLURLUTYtRDNTSLQQUHVibGljUGFyY
  W1ldGVyc3u0DVB1YmxpY0tleUVDREh7tANjcnaABFg0NDi0BlB1YmxpY4g526WvRa
  QmyqgQvNXpkYhNrdAmGlPoPbYg8V5RKCJKn4ryXWaxg4A9QTEAp2y9FaAaGz-g6_u
  jiQSAfX19fX0",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"9m0vcnmYQFNYfzGd0dEH605dJzn72QGwibh4j9
  LvR2skx_QmOz52TCT9P884t5KzVfAvOSdRFsUAfqm-Olo3vDDRBaAGbm9uBQ-1YR7
  r3B43OlHR1KnUD5IwqsbxN2lpFHNPzLt0fkmliATLNRd6UiYA"}
            ],
          "PayloadDigest":"vPLHz2roZcH2iYj7GhGYup4R1v4b1WDCOrAIO3
  R-hq5AVRT8FxVmvwhFK5TF8Zh_KFSti0qU9gP6-QliFCPnCg"}
        ],
      "EnvelopedConnectionDevice":[{
          "dig":"S512",
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0
  aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI
  CJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDNaIn0"},
        "e7QQQ29ubmVjdGlvbkRldmljZXu0DkF1dGhlbnRpY2F0aW9ue7QDVWRm
  gCJNREJXLTdONVMtSklZRS1PQk82LUdaVE4tREtRNi1EM1NItBBQdWJsaWNQYXJhb
  WV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEWDQ0OLQGUHVibGljiDnbpa9FpC
  bKqBC81emRiE2t0CYaU-g9tiDxXlEoIkqfivJdZrGDgD1BMQCnbL0VoBobP6Dr-6O
  JBIB9fX20BVJvbGVzW4AJdGhyZXNob2xkXbQJU2lnbmF0dXJle7QDVWRmgCJNQjRQ
  LU9DVjctV0RUSS1LRlk2LUE3VzUtWEdNTi1JTExMtBBQdWJsaWNQYXJhbWV0ZXJze
  7QNUHVibGljS2V5RUNESHu0A2NydoAFRWQ0NDi0BlB1YmxpY4g5juOAZ2RcHBqm9o
  YYcRAg8h4hPDUzGu0aYyTVrkOXlpyXUMblnSbyJ_Xj5KouRYnm3aOS4AtWZakAfX1
  9tApFbmNyeXB0aW9ue7QDVWRmgCJNQlZYLVVYTEQtUEg2Ry1XS1E0LTROTUItNklH
  Sy0zNVFatBBQdWJsaWNQYXJhbWV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEW
  DQ0OLQGUHVibGljiDnXexA8QK1De4Ivy5Yaz7nO85iB8QWOGgntwgdARK7Oi9OafE
  hsyVyXISV887BxPL5rCFpmXsP2CAB9fX19fQ",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"7QKcgJS4Ub14gYYjiBP3O1RC5U-tDs5mehOV_Y
  Mc7Rq4PV_I1WzTTZ5wnPPWdXxsS4-gjzlxra4AhMKYT4tN0z3Hc954sJVIAoZDHED
  bSxxeSWsp6Fd06hCa5Bt43tYt3TyEmnIHFgUmSFNIwIpOfw0A"}
            ],
          "PayloadDigest":"OstbMttGc4Jpw5qapxrMx_wAdIyJ1ozebqUCmW
  SrE0G_bbYLycdNVYq35C6hesgUUGwAItS3939DgezPSm9lxg"}
        ],
      "EnvelopedActivationDevice":[{
          "enc":"A256CBC",
          "dig":"S512",
          "kid":"EBQH-KLCY-C4F3-VF7J-YSU3-EQFU-FZHQ",
          "Salt":"6K4bKrm5-_rjgI4_I08wTw",
          "recipients":[{
              "kid":"MDMW-WCIR-FJMO-7ZH6-CN3J-KUZL-RLAX",
              "epk":{
                "PublicKeyECDH":{
                  "crv":"X448",
                  "Public":"nvVIGPvOYsOJ8Ilm-19RbyLkAWivgWgZ5a-0A
  Rp9ftWFsoSSAqQSxaxWNMJr-X4HRTb65eFiuWSA"}},
              "wmk":"Dxo1wkjSF6txOOkZ3YtNDWzK-e_95sEbZay2cEJnm3aa
  Pt-oMy9PbA"}
            ],
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0
  aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI
  CJDcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDNaIn0"},
        "ki85WOQnh96OwNqp5BCXx-pDm5ZyRU7w93rIb9kZQVcO0mvkvuiAq28q
  zje1vLZ4b-XwiqY8MOCLqRkscz_PL8ALVscz5rBQz4JsCHtD1xCRMqkGOUOYeY205
  8lGpQ5MLZgNEeQCxORAlAdNrKRLvdUG6q2G0M9GOPzG9ocyhrI3D4P4T62_KJq9-G
  YmyHA7UEIXE04mCDn7dFWeP8lzsnpBTWbIFC4SNY1tOJeudypR01PQbkvFIn4whoF
  lUDgL",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"KHnfih_mZ14FUavWwY5vdhUFqu7WiBjh1hvHy0
  HTCQbdW35_6UmLcqTT2bzsxaEAXsl8yDTSvB6AK51Q3DvtVXp23AH4Try8p66EvNr
  azKWjh4CAr1QJnUdIJnu-Y3ja2WQJaseKmO4g2svNAXadhAYA",
              "witness":"TPxOv-bF8Of0cYXGhOZB-yJ5JRgwXYqmwciTxUQb
  BEE"}
            ],
          "PayloadDigest":"Mqa4f-6bQ07E2IYl2hQUqfXTighNhw9KF-WSEy
  mbPQMTqfXsXMgrExxUg4KCgPX1EYVt9k-UfdyZBWtFUxFNiw"}
        ],
      "EnvelopedActivationAccount":[{
          "enc":"A256CBC",
          "dig":"S512",
          "kid":"EBQM-73UM-YBTS-SOUZ-PADZ-SVFD-AV7U",
          "Salt":"mX9DOllVVNyFxJ9ocDg4vg",
          "recipients":[{
              "kid":"MBVX-UXLD-PH6G-WKQ4-4NMB-6IGK-35QZ",
              "epk":{
                "PublicKeyECDH":{
                  "crv":"X448",
                  "Public":"zxVZRX_9E5bQaBCq_T3de_j-6WWQvNH84u03M
  G7UfjtP6mDcbdopF3KuzMIebcuch8Lb7UtLz1AA"}},
              "wmk":"rg3puHIMXDoR7ATzOjfxsJUeIwk4Sb2-L5FzwvFVFk-V
  Hol4H35yhg"}
            ],
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0
  aW9uQWNjb3VudCIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI
  CAiQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjAzWiJ9"},
        "gBlhcdXySmUZ3MHsR9XY0Opwp4zrqtnfvxnEI3SlZjq7dsfAPhHoVFOI
  MT7ArKsCojQ-Tikc65a4t0my5aDr-s_CQ5QQAlY6CKhsFW01hjTiTxZnL63w8XH59
  XrniVqdI5ehtVHRO36eiuDDHe97tBrCFUky2pZdbuLO9BDm1r96GsboXBT1vuCbXE
  Y8jJreAeroNhvJkCDFqq3mOhBC1Cndj1g15_MOPPd3KQ7rryOHoGpwN2DP2kicx8F
  S3jGLtuGdIDxXawAR255D-QesHwr5zZyHY3F_FkJ-1ga5OxKHOQtU-oRIdivpnYSA
  Lt2cBTTZJ0K2qzWkYgMLPRHxtQRIVvzGt80mlncUuoGSmyJprO-BSR0ow8N573ubC
  GUQzrfwHggM36L2UrPBzm5Ou8bX5IKu4iLjgE9Wq9J1bYuerqqHYJ6csZFiGUG1pf
  IGQTuNoFJWi49_NzI-vHpo3RBu_aXsClJo3Kgi8Wn4KJsT2rtQuCTbVLmt0Vja_YJ
  lqlJJwjmBSDNqPsitwZtvW2uVZFOwhFSxXI0L9ZZiyzWOdHccOtJnZkzJiKy4RaGA
  1ArpJ2Nm4MLbKvjDb4gJOvcL_a19qFlkhPWt56SySzGN95n5FQA8nRq2EvjQdJmGC
  OCn1MGFB1NooUWi3dXOeV2acHy8nTavVNEWVQeqWid5D2QxFSmV8cWghYn5nuFsy2
  OGNbIH-kNGxjt9W5IbQKowUvhAfpqQ3P-RlNMCEKzxZZioA6YeNG6Hh9kRAk2gYAm
  Z9LlISSOmu0pvavRb8rXW-mNttPmFlC8g232avdLyZyR9XjcjkzHBNaz-cVqKraQf
  vR_3M-8mIqGKCS_1oRYGOOpDIxw9VU0JCEO6DfBHFEv-2a3JDg8XvyRuZMIlzJFzO
  9usilNnsODaygIabfqA_Gs2qe_t4iAOq1a_yBRr0PW2Tba6BuuorLYmOxL9k7EzFs
  BUlkAHjJIdEixgwerVnmAnFXfXqKsc2tQ7LRRUkMfOQ3UCypn3niYn4B7M7eJ5efq
  -xXu4hWSzrdBpxwOUiLjb9ofvClQjkFWvi-VwRtKGIqdk8V-I2Wvc2nS8zzGaK0zU
  -8GnCP9eIe-1JKa2s4qPLD6ASA9QBz6IbtYlgi8HmEh-JfVoWwVdsSMOzJ-1V2ILx
  CN2YJIWV-q49xurbCDog4CFeHLvDPlSjMGYmofzcBHkwL-0H3qee-r6A7m4UuyDUw
  9LqyWyGzo0pjDkXCEGp8v31jxHI4P7NzlT4K2rN1CzYEnVrqYuqxLR3S-7ySnEQWu
  Fk4HrX07bQG5j1iNGghQVV5rQ-uk-7-1uFY8GIIUpiBsI75IwbCeaIvOiCI4v4U3Q
  vTR8ssVOgIDDuZdvQFRCMDgnTzbQda3isGT-fdrGkp5tX94a6ASuIWQ4jC2yqfndW
  y5NVkglyPEyVCPYVyaBI-SxSwzPtmzC3Xla4GVo7gMmVOALyx-7nMzxerc8HsB-hr
  S9bAgyY7V-cCmbQ6VEteR5GVYuX1Nu2w4aXWwU3-yrIx8NXI22Pe9DPcNtj44wySa
  BijiOvduLwnlG-b5aKxfjfvCJWfqL7kEZE0ioCSLE0y-cWPM3MsM3I0gwffEuy7-8
  b-nSMPGYjcCTbXoHBxmLt_-srSDjg89fSC4pLN9He2NoamM3Bl2ZZnItE-8vmQbH8
  Wy304nJNPGhJ_W2juLh758V9XqumJHrADHrjU4n-SOjRngrFjLwYVufxtrtGehcC_
  W2BzNnFhWtBRCA0A7Jjm8tjF0fHH7hxuaFDJKpIXYbJP2LqB8USizq_KRR6i6jsKM
  pxc7wG_81b_unXx1cPs9xMFdQWnn_2Izc7jXKJYC6cVNOGH3dQDZfIgL4O2KoFXzm
  7goJ8hE1Hqx3trdsEjKC7c1UM-cdxFzNKmrto64I7kjJdVHpswFleKSHwxgQ93sLh
  J38mq2FKYQP_rMp40GgWABCtY78P-XZoc6Mev5bBWxN7NL3WlpnrZKTgJGyz92Ori
  bPQPz4Ma3aZ_3WqipO15r9QDZWWjsFzZnGSXpDnXh0uHBtqcqlu87y4LdmHkKgQqZ
  PCioP5KtpgusscKBbIhkQTHe4oe7zUEiRFLd8ff8fp0LImOnmo0WDrMgS3p96driz
  9d9FaUWOFP0rK2OnWVZ9PhvqEzLERr99WVTJ68ZITE5NoaF1OwLGdgWFYs610VJoQ
  jsXZsT0dmR0Zj-vl6yei8sVZjFLosjst9uh0Wv7k_URAUEE95p-Ty2ZLjmwhWeWNS
  Siw4Qk_LwlkxRxSuuad9RfGumOydUrsKh3I8qerv0PmHz0WD4ZHAqa8c9ZLitVX51
  WC0BeLD2iaExGdjThfnO3sJh1CC0R_SqbCV6xSmkcfN_iCEKfE_d-3Twwp2cVKJ2l
  gEvTwsbYX4PkbI_P1SzChkrlC6sn1EBsk7-tnBngnU_OVhUIq2Dxjv9KrrR3pa3DJ
  3s471xfSZpNywnmjxFFv8uPAczmBPf_5BSC5ikub2nT5UTFmUNlAERh5XoDmDZJsE
  seikGCNOyFh0ZLdiLYgL6cUpFw171QZILt7v_1a6e2wKw6gMc_9k74qTEISlLyuVP
  tNz7PryNMyVG4aEwKQMBojHqUN5R8zG3X-KxOTD7PCV9ZtgKiP9SvdzBLzN9wW5Y1
  3zGvi3f256i5vOIeO73nE-mEeTDtBdH2WTjHUPtTmTwvH1TruHJlMhV4W5Zs2XjjE
  _MsrFxV5enl3koNMwAfu0TgPpLZI9xKu6OwXwwcc9XHPQVUPUJK2qAWD1R6Dms2kd
  hmXoLC6Hia5w9R9jSnei4SNyvZAfkKH1peZHHamxeHBEZObARFnxFXq77zp9H9VqF
  pALocgAYXbuUBU6FHPIWXF1-xR4IGjswPgrKq6lA2QKsf9D7d2hheMrB0KZR5k8fV
  K5T5kRhICgu9NxErQkvf2RjfGk707lMmDdE-g8L27AxNqdku0wxRGFIUxcaVutXAB
  5cHH3pKrIJfZfEfAggDooU8RMUI20J6IVZxyZ8nsTdT9ECZuoolAoXh1C4_w-zSpr
  5A6WTLzYTLpnyChxueFeWD-qQWjzXjeN4b-aqJUcO89xEZ4AfRGE8xMeIWp72GzKE
  vMhXfL5v-zHOFJUJ-yenAkROt33qTZH2OlxMVFqIrtW_wTW7-y-B7wD9RHI67tooH
  3pm6QYFTkUdJu0nL6FV9WN28zBVPRuS0mJEm_MJXzUr5fLY7SCDbGOAbxy-a8B_yQ
  40xDftA7FNu4Ylugg2Si5NNBwoXCaWfmF0wy_0IMZhXudDTgI30LwNqpLH1hFOthv
  DKGJn4qPF-wOu5QaeRdwJgpiOE_XwQI2Xsx8ONyb7xGysaY04xtEiZALwcHO57454
  jnbJpAdoOAMLZHRiOkhYNoyjp_SRxZqr3pB27SFzCzlP5s7EnaSd79hIfKY7Ii5p5
  JjTZRKcVMF0Ger9CuuRPccR0hS6y3yCBL5VUQ_OhKmWYPJ9vE3mRz7h037cBJkVbB
  eiBOxT-EpNko9JWHtvdOjDnUPK2W2Q75R8qpvvLSX2jWibqsdvBrm2TkTXv4jx0JZ
  I-YBZZ8AmA-AQlu8-oEafCHvL65sgu9qpmTGt0NI6QO_7Fbu2WKeUuSTugbL7q2EN
  u1jQAzz2itiF9GZ9p4ol93FjsK0tiRjyoKlqSsEAa_fBETnTzmlhblMTRwNEwoVQ1
  _kygDezz0fuklkICAwLgHl6wLc_9oI3gGyS2W62dRvsIDcz4mmMsMkJizqdDNxKBr
  TJrkpWJXulKozk81xjbECG8Rbic_QGwbC7yyaiYxU9lazb7VMnlnSKwitx4GxgXN0
  nKISYPHO0jnZLMYTvhog3mbIqqNrcJGWRmEl7sRJa2_k84FI-MOEESYxaCndq0CwS
  atguRggOlY8wVFNkdAUdCT-T1j43eTVcKPqGrTB6rDxhAClHkFfwW8bIrRenLmxMW
  HplKju7xbjCaj-3Usz6v5p_-0TUdlFsoPcEU3Cb_b4LgvyvZA_stq1TbQoyctrVQA
  OcSxFX2-aImyJYuyKkyMNTKmQNgv62f6h111QO34vPZqrLgArTgpnQhu5eYEgymfU
  empry7SRLkwQdywml4jeImqtZ-AfzM3Test1FsU2xGaMslxrQz80h2J8FHzOkxTAP
  CUs68MNOXRUChYzUvRespSXCPzisFFmZWJkFAFyNayWVHPRxcWADHTJWKlc17NS1j
  b5pprmqCynRE5AbPIeDMEGx96r57nIb63l6TadwQMFiQHDiaHOdP1EAREPT9tYURx
  JelgcpNdqWELXkGGkUaBpZoF0Wh3aHJMd3beMG1dZaMkY3hMCagpeoArs4w96393w
  gQik5AFeh22kJdf2PaRAvakmMsZ9PvvyHzTRVKj0kUyegloQH5EpOheYfmXcQL2Hd
  p3_LMAIfZtT9EJ7avVQCftCaDVhAuJtVAOTUzZUTw9y5DOFXoCD8fQ0NzeAywhP-G
  XK3Bm3duH-T9BlXN3NC3hbKKaJzVkgJuVDihWuMB5aXKj_R65vLIxgx8Z4V1qYjQf
  p9vIcENaDKT0j6qRjlnwwKdPLeJQfJBqBvCU7RBXZr7k5mCLSbMij3GZWyvpb6FZ2
  ekxJO9O2Xov1-EcOPATjqFvo2ZqhLqKzGzvAa8l-blua10eF50OOYd32uk5WpY7Xl
  kcSjE8XKfCPmh-sVkrdxTV0bB-1mwbRkcofJh2SFBTvl2D9MgP13dybD3hh2Ab5fE
  02rc1kJx4kke4p8LykCpRP8KP9T1ZRmy03GxpCjW-Q7_165ZciX6JCs-_OQoTgn9R
  9DBX2KcvoBEHOCu5GJczfd_j6dS5KgLz_-sI3xLFjaKEyRdpJHlfNMv-ca9m-yCZr
  l7Rk_kHb-IxPa6DA9t-EwNvE4PKGbt9WUqYPDBUV2hJyQrIevSEqH84sSmY0ycvjN
  -ORwv1JwE0okT7uJ7TRgxf2eSGMkXJQx_FVnsj5pz_EPxMj72zAXlr5mUvFBEzlce
  Qlvwcc1HQ8_JPASkK_e1hiq7nABmYfdfAR48HKdzDxFCVd4e87oeqsQrYeaLm4nM-
  ojNYBQJmbWwhewiRai-CK_K3Q-PYlbhPvmzIbp2yE79EawtCNBTPn3myWo79ejxdY
  CekhJRdevRCPsCKTg3Yuj8m59IPCkG7-p_GFFmPnF2zu7QAyllNID7wbr16L5xqJC
  r3YYu-xHEbN8ovNXbusNCtKEBss2Evn-XS6zq4Spci8gOH7V5Pv9MK8G0MuPkbssc
  jkqc5IqsG-YVAiOtI0bn6RCqqwoQV16QfLpY0NNP7KMBjRxsspERxBd05o46xAuzZ
  jYs-JOSbR3vy8z6-lIAJEPViw2po8DnuXccwrMns2p_unIiwWqHgeUbau6MsEO6aA
  BaboDrE-aqQhlb0YcTgZmcznFOzghmlZ9X_HokeO58KT9uVR39h6o-ZPzctnN-e8c
  U07EwjWUkyGgUoYNI6MWW9J_z_pUSBYydjjm2jQchV7CcdNlUBBlid9lZbOQZpwwJ
  _RcUfTGv3LvUnUT7SxNZL2QAzFlTwXQGrVmEUzhPUxeu7m4WgQ5kTrOpoF2T2Xt8p
  QvlCnzMlz9y0akQtF8bkQfdwj_JJTMr9EGRrnkq99xmHUdyzxPWhSx9RzhPJPqEK2
  qiQxAs8Uj60m6lnDoyqmCRpjz5u5WG-lB6EMXATOVnj6Mkkylsmwb-ZiBOnPS3n8O
  m2Ua58ULY1_e5UpPsdPZDRqN2ypTgy3IFoFoXf6RR1L32us3-SoYLoqdZRO5tDzcn
  ARzlrRVomW7CoVEsHhP_IOcpy4QvK66_K3dVLQnrGoFsJHAD2AZ41f4yyQ0qy7NVT
  C8qTVyC4tJ23rQl4E9UZ0FgnK6REMFWq-UhEUrVTZWwwbLaGq1OH_cAFk9DXRwbVM
  Z_ty20Gd0e_JKFQ8zSZJxtqwFPzb2hVINzLhgeBOYfH-ExmeW4vy5THHhvfKAIL9h
  5CKGCqztEyUIpsZLOkN0NEyDHZrN2oshiq-BACnoMcE9q0z18JeNxKnw-_u3pUEFP
  JNyvWpROA3if7-lEu7bO6Rh0kmDnlU0f1kBWwsWDQkA6tdD6hwiYg1U36XuTLutD_
  FfR7IBnQqBx_QWJJzLnMyz_nkQHki1uIlWHHabOzuVbcSAH4P5M7P4Z6XKE0oLgG0
  wGFgK5MJYOC2wSGBgXIdbr-GJGp4wCZ2mGZ9zE8DW84cZWYs-Nv5rmrgrcPUEsK9W
  MXDj-T5Liqo3y8lgHuOyNjGAkYM4M9ysT-XJBHNxYC1a5SxJtAM8IxAx-ba-uOtby
  nkV7X5ANUblK03bAUlmDgndmtA3kq77ykGWL1TjT5q8O5bTe3mxWwoT724EV_rUDl
  Nba99vzfRVxtyNDxBgOZsBJUP4IghMZJm--bQ9jq28MGduAHtgicra_hzOHs1kuWw
  1qh6vsmP6RmR7R4_yDNoQl6ccHz3_DLzd2oAlWCIJ9Mi1xuP041zJ6d42Pv7w9tdb
  vDwlavTq_1n2JF2pnC-nC6frxXepuIG0eDdq1bVBLrrq0LG_HiBEZqVZFfFOMY4et
  SNcUujrtzBGqVCJbLbrkairiozJiOfW324VKW2ESFgiKjmW_gmMckQAqwsXsAKdib
  VP_pwQ9Cl9ZJGqVchgFxgmXbfCZsmPSkajWHg2YlJcOEE2vXZsN5e6dkjm1Xck2Ng
  xjRxMg54-vO_eA9UJkX8EIGeFHGvlqs43Xoi4_3JqUy2qwhFI-aPuoi0CORf-nXS4
  Ahudwcqh3uCn-JwrI4dRG4XmFhniEFS8PO4-ZPB0J-xQNGtg8qZxxSUeoMIMSITKi
  GN86Dd1tPnWBU1f5EWz0xlEOZuhteeaIkRwB1l-pBSWA-2jiHadqetS7LqMsDYeBk
  uwTehlcqWXTXuGEENiRLTWtjF6MTV84kkUuN8WsnKJ87f0Rr9oUwbDwjcJhFfV5TO
  3xWZbvL97I-ydU6h-45QoTW2myGD_OdKHzT9jEgGNJXmmdMYECAjUUdVuO1-wecfT
  VqytzQ_aYb2YbtRHwMY5D_gSj6WCqCxmnL3coPXrMcbyaRUHWzxouN9u6A2fEq-Xg
  pXDloJzlamml5NRxaYGTvAgz9wqxMyQkqsLrMri3qeGVAX1ZGm4OJREo5gbw7eSgK
  Dkz1a6O4Da6aN1GVcTtpP4oM0Cu2IsFNII2nmqawJ5iaG_U1UtD_3uwX6bjly6YAy
  m5q4YNprmKyFFwyJIPFmtd_B4QEoZ65MTcp_EUDtzFql2TLv8GKPqmvySkammIVFA
  A3eHDDusfQEI6CyaCs_DG_wmtTQkSncCmJBvWAKgkZgPkwTXtOSmjOSOxH-L250mH
  3DJhGl4PvsV-zMvcsoPhb8oENH_BZVeolpbHCL_YBFIbp4N3PlbJHZdhMLB3wgO4G
  JLs8Dz0Jl21DL7m3F997TASwyDdDymk_LzjND-T8V7YYQVVT0mxRnK9jefTF_C4YR
  mlYhN-6HA5SKYtMLRSMNNyWyYgeUMCK9m2jXW-AMc11lIkrshhb_JR8sjGR5A97_R
  qVc1AYBmaCmHiChlb39YzhEWVovNQDvTfqLwlgM6WXXN7BMrDmv898t028AEDQaRJ
  dWSCwNXq2Vs7P43gr-Vo0zf6ZErqs6S1grgPaqgpZqoKSlGbH84d_RcmDQqzhsXA0
  cR1g6qgj3w6WJd-Ft8H-JxJjEOnuNpwgVyj2Uht1-3kXC0kUTHGCZL6Wx9p4kqxYa
  GQi5MVzYg7AolcPjGagR2l0UdD5nTJdkputAIDZZ73PAFJ9H1JuZPhH7kD8eJQJyy
  Broh_pnBXpgFi_6SZVJCh5NJWErajfFibPBePkpDrXVyehFzTJw1Jzsq-rPbL_oIo
  2N08_i7GpDjSQlDI2ENkEvdMrX6zrIWoP-FbFT9U-xij4FQWiNzg4Ww7c1d7hU8lI
  4gJQSY5SzV6eSdxlSYc_6C165E3F5eN2FBSUi3kPy-jIwmQVJ59UniV8eCCBEtPDp
  nT40gCQaytamAOIATcP8IK5HRQQIksmgcZxtYITyiE0_ZK_30sSyo_Bft-USwa8MF
  0w5cEQTBsKfyGYxOr_8Wo_4N_rrEvbvJTDMWow5BTcvE8vq4r2FnXNFC4xUdy5Lk5
  HG7XKNUKeZQSTkwP0Ry95Yzw8Be4qovtYmm7UkGiwDNB_abRQGnb3bQcrZv5GXOH7
  TlDUE2m0n9BcG3W_oqCESdXpNL-w83u-puP_vF19I_maOkUtpyUWJXXj0kRd8c0WF
  osuYsGg6sIy_nC2ErgEQPDvuAL0cq0Qkc8gX9SckW0W3vOPxAkQdYN3eMt-k13Afs
  y7IePBNP_hXordX3WdkAK-55A7JuPBN7zW5MqL96jvLCJk_10ms66e2Ae5MK73Wpl
  HXQl3IQ7JwCAqXdb-uOMfdViIs6a47y7EXJikZNacrKthzunoyD1F8cZ6wL4ecRTn
  Jsl_2jstlwKcZEuEcvZGAvPqzIl9qhYqEw7O8MOWQMS8cDAUrAb0etfbSmDNWwQR3
  RgaMM6BuevUgFBdVAvf_wvI9994rQRDroeipduhis8xvFDVD_pH_ZpJEl6eQpijxA
  tIdtdap3kwib1gylmAxJ6-zfImOBJo5_aBszjOJWiMmB3Cd0",
        {
          "signatures":[{
              "alg":"S512",
              "kid":"MCBO-ZK4F-QFYM-63TK-TA2C-LHQY-7QW5",
              "signature":"V5h7pFoycR-2WNj7rSO8cyfzbrMHw8GeyME3Wp
  wnFW9a0X1f1FbKuRAQzgo6CAQR9CmOffm92lqACM-DA_Rylu0zKWbq3PK3u2iRrJt
  YZ4RyqDam8DoaDEejYJTz7CtKOh88q62L1iF7QirYhqLcWicA",
              "witness":"KqVrOTlFoo8dHQd3Slg-eowe2e_9OaoPHfDB4Duy
  Fo8"}
            ],
          "PayloadDigest":"3-0c-MhvBsyqxImZbVhOiLXXtd8Av4Rj8C-zOF
  BOutKwzhvOdQ_x5Y1DV7tEM1HQeIZnzhdber6onFEVlsdSvA"}
        ]}}}

9.1.4. Phase 4

The device periodically polls for completion of the connection request using the Complete transaction.

To provide a final check on the process, the command line tool presents the UDF of the account profile to which the device has connected if successful:

Alice3> device complete
   Device UDF = MCVN-XLLT-LLNW-U4HR-BOMG-RA6Z-UWRR
   Account = alice@example.com
   Account UDF = MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA
Alice3> account sync

The completion request specifies the witness value for the transaction whose completion is being queried:

{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDT3-TM62-G3XO-ESYO-WQZX-IR2B-YNHW"}}

The Service responds to the complete request by checking to see if an entry has been added to the local spool. If so, this contains the RespondConnection message created by the administration device.

9.2. Preconfigured (Static QR Code)

The preconfigured device connection interaction is used to connect devices that lack affordances such as a display or a keyboard. It is also known as the static QR code interaction because a static QR code printed on the device itself is used to connect it to a user's account.

Future: Note that this interaction is likely to be changed substantially in future revisions of the specification and the Claim/PollClaim mechanism removed and replaced with a messaging based approach.

The interaction has five phases:

Phase 1: Preconfiguration

The device to be onboarded is preconfigured with a ProfileDevice and private key information and a DeviceDescription posted to a publication service. This process is typically performed during manufacture. An EARL providing the ability to locate and decrypt the description is printed on the device itself as a QR code.

Phase 2: Device description acquisition

The administration device acquiring the onboarding device scans the QR code on the device and uses this information to obtain the device description by means of a Claim operation described above as described in the Device Description.

Phase 3: Administration Device Acceptance

This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device MAY advise the device that a connection request is being made by additional means described in the device description (e.g. WiFi, Bluetooth).

Phase 4: Poll Claim Notification

When connected to a network, the preconfigured device periodically attempts to poll the connection sources specified to find out if there is a pending request. If a connection request is posted, the device decrypts it to allow it to complete the connection process.

Phase 5: Onboarding Device Completion

This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device requires notice that of the pending connection request.

The main differences between this connection interaction and the witness/PIN connection interactions are that the device is preconfigured with the device profile at the time of manufacture and the onboarding device MAY be acquiring network configuration information during the connection process.

9.2.1. Phase 1

The manufacturer preconfigures the device

Maker> device preconfig
Device UDF: MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE
File: EC6P-KOIX-T3B4-YIKE-OLX3-BUUD-64.medk

This results in the creation of a primary secret which is used to compute a ProfileDevice and corresponding connection records signed by the manufacturer's administrator key.

The data is combined to create a DevicePreconfiguration record that is provisioned to the firmware of the device being preconfigured.

{
  "DevicePreconfigurationPrivate":{
    "EnvelopedProfileDevice":[{
        "EnvelopeId":"MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE",
        "dig":"S512",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRERULUtURFQtQV
  o2Mi01NUhWLUZGVlktSllOVS1ZM1lFIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9"},
      "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIlByb2ZpbGVTaWduYXR1cm
  UiOiB7CiAgICAgICJVZGYiOiAiTUREVC1LVERULUFaNjItNTVIVi1GRlZZLUpZTlU
  tWTNZRSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJs
  aWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgI
  CAiUHVibGljIjogInF0TDhCYVN3UUptNk12bE1BUXY0MkpsSk9MWFZMY0gxTWNweU
  p1SWxJazhXbVpvYTlHd2MKICB4WjFIMmI5VE5MZGFZUGp1VlVaWHRkb0EifX19LAo
  gICAgIkVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUFCQy1MR1k1LUJVMk8t
  U0FaTi1ESjJFLVMzQ0ItQkc2NSIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjoge
  wogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYND
  Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAiWDZUaF9IOEJZOC1zRHpydWNVV3F4S0c
  1YVloenhTVC12dDE5STlKOU83TmlnRGYxZmhEcQogIGZCT1pWWk9uUDhYNVdTMkJJ
  WGQ3SjlTQSJ9fX0sCiAgICAiU2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1EW
  lQtREFFNC02TkJQLUJSQ08tUzVUTC01Q1E2LVNDWTMiLAogICAgICAiUHVibGljUG
  FyYW1ldGVycyI6IHsKICAgICAgICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICA
  gICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJpM1hia3lpT201
  WnlXaWxBeU9DZnFUalBMaUtVLUgyNTJZVUdqRVd3MWgtZ2haR3Nkb09aCiAgcXRkQ
  0k4Q0hRYWtzS3JHTWZDdDMxbjRBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IH
  sKICAgICAgIlVkZiI6ICJNQk1DLVE3SFctNUlOSy1RU1pPLVBLRFEtS01aNS1BT01
  GIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl
  eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1Y
  mxpYyI6ICJSX08tZnpLUnp4aExsdHh1Nko5VG05MVNHSWFCY2g0LXFfNnFwNTZ4WU
  YtVTZqa0hSall2CiAgT2hjNm12OUdLOVhNUjZtVFNOUEstV0tBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE",
            "signature":"VFD-9f8AXHdm38HR7y7JKsPStGNRu7wW5SXsJgc1
  lbRyzQ0XVyDyNtqR5el9TCEuJKC0vU4lq4QAQfzJlUaa-viM7xhTcvJhVZ_YGiYEW
  wq3Nb1-sortDNUdi7FGmG9C5Nh-ErWxy2oKkH8Nht19LDQA"}
          ],
        "PayloadDigest":"PRkvfQ8djpN_Z3tY_p8qPRR4rTy_ZFEFW_WAqBcQ
  2WpffnNZf_dPVKtW1XW9IpGjxYg2h0zB-hSVnCWViSUiEQ"}
      ],
    "EnvelopedConnectionDevice":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW
  9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJ
  DcmVhdGVkIjogIjIwMjEtMTAtMjVUMTU6NDk6MDdaIn0"},
      "ewogICJDb25uZWN0aW9uRGV2aWNlIjogewogICAgIkF1dGhlbnRpY2F0aW
  9uIjogewogICAgICAiVWRmIjogIk1BQkMtTEdZNS1CVTJPLVNBWk4tREoyRS1TM0N
  CLUJHNjUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgICAiUHVi
  bGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiWDQ0OCIsCiAgICAgICAgI
  CAiUHVibGljIjogIlg2VGhfSDhCWTgtc0R6cnVjVVdxeEtHNWFZaHp4U1QtdnQxOU
  k5SjlPN05pZ0RmMWZoRHEKICBmQk9aVlpPblA4WDVXUzJCSVhkN0o5U0EifX19LAo
  gICAgIlNpZ25hdHVyZSI6IHsKICAgICAgIlVkZiI6ICJNRFpULURBRTQtNk5CUC1C
  UkNPLVM1VEwtNUNRNi1TQ1kzIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7C
  iAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkND
  Q4IiwKICAgICAgICAgICJQdWJsaWMiOiAiaTNYYmt5aU9tNVp5V2lsQXlPQ2ZxVGp
  QTGlLVS1IMjUyWVVHakVXdzFoLWdoWkdzZG9PWgogIHF0ZENJOENIUWFrc0tyR01m
  Q3QzMW40QSJ9fX0sCiAgICAiRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQ
  UJDLUxHWTUtQlUyTy1TQVpOLURKMkUtUzNDQi1CRzY1IiwKICAgICAgIlB1YmxpY1
  BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICA
  gICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJYNlRoX0g4Qlk4
  LXNEenJ1Y1VXcXhLRzVhWWh6eFNULXZ0MTlJOUo5TzdOaWdEZjFmaERxCiAgZkJPW
  lZaT25QOFg1V1MyQklYZDdKOVNBIn19fX19",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP",
            "signature":"r-JxVZxihprjMs3buV4yqmgXO7NdXlAEI-Cn2nYF
  HB3rlbcNPwmi5z_0f5HpAXkQfFlVJefnxsMAffF8GNbOocmVEdaIXR8rHDkBMa1xd
  6iCaWZdv8SAGdTHK0wLHkeAUDGj2wXsINFTMfDqhh_TjRUA"}
          ],
        "PayloadDigest":"aT7dqhsuhW15GSExnBrO1nHQqAcT-uLaCUkJPhqg
  AevgNUtTUuWkHC63T2ensFiSjCAAXd1YOvp7L8V7twmvZg"}
      ],
    "EnvelopedConnectionService":[{
        "dig":"S512",
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW
  9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICA
  iQ3JlYXRlZCI6ICIyMDIxLTEwLTI1VDE1OjQ5OjA3WiJ9"},
      "ewogICJDb25uZWN0aW9uU2VydmljZSI6IHsKICAgICJBdXRoZW50aWNhdG
  lvbiI6IHsKICAgICAgIlVkZiI6ICJNQUJDLUxHWTUtQlUyTy1TQVpOLURKMkUtUzN
  DQi1CRzY1IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1
  YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgI
  CAgIlB1YmxpYyI6ICJYNlRoX0g4Qlk4LXNEenJ1Y1VXcXhLRzVhWWh6eFNULXZ0MT
  lJOUo5TzdOaWdEZjFmaERxCiAgZkJPWlZaT25QOFg1V1MyQklYZDdKOVNBIn19fX1
  9",
      {
        "signatures":[{
            "alg":"S512",
            "kid":"MDQJ-G5K2-BJ66-MPLM-FWSA-665O-MILP",
            "signature":"BwF9R7byEqkzaUblEujRrko0zPuHn7NwH__14VRv
  YH0jTblJSrmG40hujXOKqs9ElXe8F0jM26EAXm6l0Okhi_stdxotXwa8CHLZgzTGO
  T9qEKdJElqkZIWLYJ9Tv_vM-VowlOz7jlzP4ThsVkI4fhcA"}
          ],
        "PayloadDigest":"KUSigElHIQenRINVDSSgH5M9Dt5GJLzKUk5yylWM
  TNdJ_4bW-JKREQiwutelFZvKv0-rX4XFnfBPwzmUflNY2A"}
      ],
    "PrivateKey":{
      "PrivateKeyUDF":{
        "PrivateValue":"ZAAQ-APQL-QS4L-SY3L-RER2-TYEA-V4EF-Q3OB-6N2
F-DKDP-UJQ6-KXUN-LI2H-7RXH",
        "KeyType":"MeshProfileDevice"}},
    "ConnectUri":"mcu://maker@example.com/EC6P-KOIX-T3B4-YIKE-OLX3-
BUUD-64"}}

An EARL is created specifying the means by which an administration device can acquire the information required to complete a connection to the device:

QR = {Connect.ConnectEARL}

The preconfigured ProfileDevice is encrypted under the encryption key and published to the location key derived from the EARL.

9.2.2. Phase 2 & 3

The administration device scans the QR code and obtains the Device Description using the Claim operation as shown in section $$$$. The administration device creates the ActivationDevice and CatalogedDevice records and populates the service as before.

Alice> account connect ^
    mcu://maker@example.com/EC6P-KOIX-T3B4-YIKE-OLX3-BUUD-64 /web

9.2.3. Phase 4

The device polls the publication service until a claim message is returned.

Alice4> device complete
   Device UDF = MDDT-KTDT-AZ62-55HV-FFVY-JYNU-Y3YE
   Account = alice@example.com
   Account UDF = MB5I-R24M-QXJT-KDBF-XFOA-DGC3-U3AA

9.2.4. Phase 5

Having been advised that an account has published a claim to bind to it, the device posts a connection Complete request to the specified account and completes the connection process as before.

10. Protocol Schema

HTTP Well Known Service Prefix: /.well-known/mmm

Every Mesh Portal Service transaction consists of exactly one request followed by exactly one response. Mesh Service transactions MAY cause modification of the data stored in the Mesh Service or the Mesh itself but do not cause changes to the connection state. The protocol itself is thus idempotent. There is no set sequence in which operations are required to be performed. It is not necessary to perform a Hello transaction prior to any other transaction.

10.1. Request Messages

A Mesh Portal Service request consists of a payload object that inherits from the MeshRequest class. When using the HTTP binding, the request MUST specify the portal DNS address in the HTTP Host field.

10.1.1. Message: MeshRequest

Base class for all request messages.

[No fields]

10.1.2. Message: MeshRequestUser

Base class for all request messages made by a user.

Inherits: MeshRequest
Account: String (Optional)

The fully qualified account name (including DNS address) to which the request is directed.

EnvelopedProfileDevice: Enveloped (Optional)

Device profile of the device making the request.

10.2. Response Messages

A Mesh Portal Service response consists of a payload object that inherits from the MeshResponse class. When using the HTTP binding, the response SHOULD report the Status response code in the HTTP response message. However the response code returned in the payload object MUST always be considered authoritative.

10.2.1. Message: MeshResponse

Base class for all response messages. Contains only the status code and status description fields.

[No fields]

10.3. Imported Objects

The Mesh Service protocol makes use of JSON objects defined in the JOSE Signatgure and Encryption specifications and in the DARE Data At Rest Encryption extensions to JOSE.

10.4. Common Structures

The following common structures are used in the protocol messages:

10.4.1. Structure: KeyValue

Describes a Key/Value structure used to make queries for records matching one or more selection criteria.

Key: String (Optional)

The data retrieval key.

Value: String (Optional)

The data value to match.

10.4.2. Structure: ConstraintsSelect

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

Container: String (Optional)

The container to be searched.

IndexMin: Integer (Optional)

Only return objects with an index value that is equal to or higher than the value specified.

IndexMax: Integer (Optional)

Only return objects with an index value that is equal to or lower than the value specified.

NotBefore: DateTime (Optional)

Only data published on or after the specified time instant is requested.

Before: DateTime (Optional)

Only data published before the specified time instant is requested. This excludes data published at the specified time instant.

PageKey: String (Optional)

Specifies a page key returned in a previous search operation in which the number of responses exceeded the specified bounds.

When a page key is specified, all the other search parameters except for MaxEntries and MaxBytes are ignored and the service returns the next set of data responding to the earlier query.

10.4.3. Structure: ConstraintsData

Specifies constraints on the data to be sent.

MaxEntries: Integer (Optional)

Maximum number of entries to send.

BytesOffset: Integer (Optional)

Specifies an offset to be applied to the payload data before it is sent. This allows large payloads to be transferred incrementally.

BytesMax: Integer (Optional)

Maximum number of payload bytes to send.

Header: Boolean (Optional)

Return the entry header

Payload: Boolean (Optional)

Return the entry payload

Trailer: Boolean (Optional)

Return the entry trailer

10.4.4. Structure: PolicyAccount

Describes the account creation policy including constraints on account names, whether there is an open account creation policy, etc.

Minimum: Integer (Optional)

Specifies the minimum length of an account name.

Maximum: Integer (Optional)

Specifies the maximum length of an account name.

InvalidCharacters: String (Optional)

A list of characters that the service does not accept in account names. The list of characters MAY not be exhaustive but SHOULD include any illegal characters in the proposed account name.

10.4.5. Structure: ContainerStatus

Container: String (Optional)
Index: Integer (Optional)
Digest: Binary (Optional)

10.4.6. Structure: ContainerUpdate

Inherits: ContainerStatus
Envelopes: DareEnvelope [0..Many]

The entries to be uploaded.

10.5. Transaction: Hello

Request: HelloRequest
Response: MeshHelloResponse

Report service and version information.

The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.

The PostConstraints field MAY be used to advise senders of a maximum size of payload that MAY be sent in an initial Post request.

10.5.1. Message: MeshHelloResponse

ConstraintsUpdate: ConstraintsData (Optional)

Specifies the default data constraints for updates.

ConstraintsPost: ConstraintsData (Optional)

Specifies the default data constraints for message senders.

PolicyAccount: PolicyAccount (Optional)

Specifies the account creation policy

EnvelopedProfileService: Enveloped (Optional)

The enveloped master profile of the service.

EnvelopedProfileHost: Enveloped (Optional)

The enveloped profile of the host.

10.6. Transaction: BindAccount

Request: BindRequest
Response: BindResponse

Request creation of a new service account or group.

Attempt

10.6.1. Message: BindRequest

Request binding of an account to a service address.

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account to bind to.

EnvelopedProfileAccount: Enveloped (Optional)

The signed assertion describing the account.

10.6.2. Message: BindResponse

Inherits: MeshResponse

Reports the success or failure of a Create transaction.

Reason: String (Optional)

Text explaining the status of the creation request.

URL: String (Optional)

A URL to which the user is directed to complete the account creation request.

10.7. Transaction: UnbindAccount

Request: UnbindRequest
Response: UnbindResponse

Request deletion of a service account.

10.7.1. Message: UnbindRequest

Request creation of a new portal account. The request specifies the requested account identifier and the Mesh profile to be associated with the account.

Inherits: MeshRequestUser

[No fields]

10.7.2. Message: UnbindResponse

Inherits: MeshResponse

Reports the success or failure of a Delete transaction.

[No fields]

10.8. Transaction: Connect

Request: ConnectRequest
Response: ConnectResponse

Request information necessary to begin making a connection request.

10.8.1. Message: ConnectRequest

Inherits: MeshRequest
EnvelopedRequestConnection: Enveloped (Optional)

The connection request generated by the client

Rights: String [0..Many]

List of named access rights.

10.8.2. Message: ConnectResponse

Inherits: MeshResponse
EnvelopedAcknowledgeConnection: Enveloped (Optional)

The connection request generated by the client

EnvelopedProfileAccount: Enveloped (Optional)

The user profile that provides the root of trust for this Mesh

10.9. Transaction: Complete

Request: CompleteRequest
Response: CompleteResponse

10.9.1. Message: CompleteRequest

Inherits: StatusRequest
AccountAddress: String (Optional)
ResponseID: String (Optional)

10.9.2. Message: CompleteResponse

Inherits: MeshResponse
EnvelopedRespondConnection: Enveloped (Optional)

The signed assertion describing the result of the connect request

10.10. Transaction: Status

Request: StatusRequest
Response: StatusResponse

10.10.1. Message: StatusRequest

Inherits: MeshRequestUser
DeviceUDF: String (Optional)
ProfileMasterDigest: Binary (Optional)
Catalogs: String [0..Many]
Spools: String [0..Many]

10.10.2. Message: StatusResponse

Inherits: MeshResponse
EnvelopedProfileAccount: Enveloped (Optional)

The account profile providing the root of trust for this account.

EnvelopedCatalogedDevice: Enveloped (Optional)

The catalog device entry

ContainerStatus: ContainerStatus [0..Many]

10.11. Transaction: Download

Request: DownloadRequest
Response: DownloadResponse

Request objects from the specified container with the specified search criteria.

10.11.1. Message: DownloadRequest

Inherits: MeshRequestUser

Request objects from the specified container(s).

A client MAY request only objects matching specified search criteria be returned and MAY request that only specific fields or parts of the payload be returned.

Select: ConstraintsSelect [0..Many]

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

ConstraintsPost: ConstraintsData (Optional)

Specifies the data constraints to be applied to the responses.

10.11.2. Message: DownloadResponse

Inherits: MeshResponse

Return the set of objects requested.

Services SHOULD NOT return a response that is disproportionately large relative to the speed of the network connection without a clear indication from the client that it is relevant. A service MAY limit the number of objects returned. A service MAY limit the scope of each response.

Updates: ContainerUpdate [0..Many]

The updated data

10.12. Transaction: Transact

Request: TransactRequest
Response: TransactResponse

Attempt an atomic transaction on the containers and spools associated with an account.

10.12.1. Message: TransactRequest

Inherits: MeshRequestUser

Upload entries to a container. This request is only valid if it is issued by the owner of the account

Updates: ContainerUpdate [0..Many]

The data to be updated

Accounts: String [0..Many]

The account(s) to which the request is directed.

Outbound: Enveloped [0..Many]

The messages to be sent to other accounts

Inbound: Enveloped [0..Many]

Messages to be appended to the user's inbound spool. this is typically used to post notifications to the user to mark messages as having been read or responded to.

Local: Enveloped [0..Many]

Messages to be appended to the user's local spool. This is used to allow connecting devices to collect activation messages before they have connected to the mesh.

10.12.2. Message: TransactResponse

Inherits: MeshResponse

Response to an upload request.

Entries: EntryResponse [0..Many]

The responses to the entries.

ConstraintsData: ConstraintsData (Optional)

If the upload request contains redacted entries, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

10.12.3. Structure: EntryResponse

IndexRequest: Integer (Optional)

The index value of the entry in the request.

IndexContainer: Integer (Optional)

The index value assigned to the entry in the container.

Result: String (Optional)

Specifies the result of attempting to add the entry to a catalog or spool. Valid values for a message are 'Accept', 'Reject'. Valid values for an entry are 'Accept', 'Reject' and 'Conflict'.

ConstraintsData: ConstraintsData (Optional)

If the entry was redacted, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

10.13. Transaction: Post

Request: PostRequest
Response: PostResponse

Request to post to a spool from an external party. The request and response messages are extensions of the corresponding messages for the Upload transaction. It is expected that additional fields will be added as the need arises.

10.13.1. Message: PostRequest

Inherits: MeshRequest
Accounts: String [0..Many]

The account(s) to which the request is directed.

Messages: Enveloped [0..Many]

The messages to be sent to the addresses specified in Accounts.

10.13.2. Message: PostResponse

Inherits: TransactResponse

[No fields]

10.14. Transaction: Claim

Request: ClaimRequest
Response: ClaimResponse

Claim a publication

10.14.1. Message: ClaimRequest

Inherits: MeshRequest
EnvelopedMessageClaim: Enveloped (Optional)

The claim message

10.14.2. Message: ClaimResponse

Inherits: MeshResponse
CatalogedPublication: CatalogedPublication (Optional)

The encrypted device profile

10.15. Transaction: PollClaim

Request: PollClaimRequest
Response: PollClaimResponse

Check party making claim

10.15.1. Message: PollClaimRequest

Inherits: MeshRequest
PublicationId: String (Optional)

The envelope identifier formed from the PublicationId.

TargetAccountAddress: String (Optional)

Account to which the claim is directed

10.15.2. Message: PollClaimResponse

Inherits: MeshResponse
EnvelopedMessage: Enveloped (Optional)

The claim message

10.15.3. Structure: CryptographicOperation

KeyId: String (Optional)

The key identifier

KeyCoefficient: Binary (Optional)

Lagrange coefficient multiplier to be applied to the private key

10.15.4. Structure: CryptographicOperationSign

Inherits: CryptographicOperation
Data: Binary (Optional)

The data to sign

PartialR: Binary (Optional)

Contribution to the R offset.

10.15.5. Structure: CryptographicOperationKeyAgreement

Inherits: CryptographicOperation

[No fields]

10.15.6. Structure: CryptographicOperationGenerate

Inherits: CryptographicOperation

[No fields]

10.15.7. Structure: CryptographicOperationShare

Inherits: CryptographicOperation
Threshold: Integer (Optional)
Shares: Integer (Optional)

10.15.8. Structure: CryptographicResult

Error: String (Optional)

10.15.9. Structure: CryptographicResultKeyAgreement

Inherits: CryptographicResult

[No fields]

10.15.10. Structure: CryptographicResultShare

Inherits: CryptographicResult

[No fields]

10.16. Transaction: Operate

Request: OperateRequest
Response: OperateResponse

Perform a set of cryptographic operations

10.16.1. Message: OperateRequest

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account the capability is bound to

10.16.2. Message: OperateResponse

Inherits: MeshResponse

[No fields]

11. Security Considerations

The security considerations for use and implementation of Mesh services and applications are described in the Mesh Security Considerations guide [draft-hallambaker-mesh-security].

12. IANA Considerations

All the IANA considerations for the Mesh documents are specified in this document

13. Acknowledgements

A list of people who have contributed to the design of the Mesh is presented in [draft-hallambaker-mesh-architecture].

14. Normative References

[draft-hallambaker-jsonbcd]
Hallam-Baker, P., "Binary Encodings for JavaScript Object Notation: JSON-B, JSON-C, JSON-D", Work in Progress, Internet-Draft, draft-hallambaker-jsonbcd-21, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-jsonbcd-21>.
[draft-hallambaker-mesh-architecture]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part I: Architecture Guide", Work in Progress, Internet-Draft, draft-hallambaker-mesh-architecture-18, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-architecture-18>.
[draft-hallambaker-mesh-rud]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part VI: Reliable User Datagram", Work in Progress, Internet-Draft, draft-hallambaker-mesh-rud-00, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-rud-00>.
[draft-hallambaker-mesh-schema]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IV: Schema Reference", Work in Progress, Internet-Draft, draft-hallambaker-mesh-schema-08, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-schema-08>.
[draft-hallambaker-mesh-security]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IX Security Considerations", Work in Progress, Internet-Draft, draft-hallambaker-mesh-security-08, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-security-08>.
[draft-hallambaker-mesh-udf]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part II: Uniform Data Fingerprint.", Work in Progress, Internet-Draft, draft-hallambaker-mesh-udf-14, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-udf-14>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.

15. Informative References

[draft-hallambaker-mesh-developer]
Hallam-Baker, P., "Mathematical Mesh: Reference Implementation", Work in Progress, Internet-Draft, draft-hallambaker-mesh-developer-10, , <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-developer-10>.