Internet-Draft Mesh Protocol Reference October 2024
Hallam-Baker Expires 17 April 2025

Workgroup: Network Working Group
Internet-Draft: draft-hallambaker-mesh-protocol-16
Published: October 2024
Intended Status: Informational
Expires: 17 April 2025
Author: P. M. Hallam-Baker (ThresholdSecrets.com)

Mathematical Mesh 3.0 Part V: Protocol Reference

Abstract

The Mathematical Mesh 'The Mesh' is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. The core protocols of the Mesh are described with examples of common use cases and reference data.

[Note to Readers]

Discussion of this draft takes place on the MATHMESH mailing list (mathmesh@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=mathmesh.

This document is also available online at http://mathmesh.com/Documents/draft-hallambaker-mesh-protocol.html.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 17 April 2025.

1. Introduction

This document describes the Mesh Service protocol supported by Mesh Services, an account-based protocol that facilitates exchange of data between devices connected to a Mesh profile and between Mesh accounts.

Mesh Service Accounts support the following services:

A Mesh Profile MAY be bound to multiple Mesh Service Accounts at the same time but only one Mesh Service Account is considered to be authoritative at a time. Users may add or remove Mesh Service Accounts and change the account designated as authoritative at any time.

The Mesh Services are built from a very small set of primitives which provide a surprisingly extensive set of capabilities. These primitives are:

Hello

Describes the features and options provided by the service and provides a 'null' transaction which MAY be used to establish an authentication ticket without performing any action.

CreateAccount, DeleteAccount

Manage the creation and deletion of accounts at the service.

Status, Download, Upload

Support synchronization of Mesh containers between the service (Master) and the connected devices (Replicas).

Connect

Initiate the process of connecting a device to a Mesh profile from the device itself.

Post

Request that a Mesh Message be transferred to one or more Mesh Accounts.

Although these functions could in principle be used to replace many if not most existing Internet application protocols, the principal value of any communication protocol lies in the size of the audience it allows its users to communicate with. Thus, while the Mesh Messaging service is designed to support efficient and reliable transfer of messages ranging in size from a few bytes to multiple terabytes, the near-term applications of these services will be those that are not adequately supported by existing protocols, if at all.

2. Definitions

This section presents the related specifications and standards, the terms that are used as terms of art within the documents and the terms used as requirements language.

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2. Defined Terms

The terms of art used in this document are described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture].

2.4. Implementation Status

The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer].

3. Mesh Protocols

The Mesh specifies two separate types of protocol interactions:

Mesh Service Protocol

A synchronous protocol supporting interactions between devices and a Mesh Service Host and between Mesh Service hosts.

Mesh Messaging Protocol

An asynchronous protocol that supports interactions between devices connected to the same account and between accounts.

The Mesh Messaging Protocol uses the Mesh Service Protocol as transport. The Mesh Service Protocol in turn makes use of Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud] for framing and authentication of individual requests and responses. These RUD packets are in turn exchanged over either HTTPS (i.e. a Web Service) or directly over UDP.

[Figure 1: Protocol Layering]

Mesh Services MUST support the HTTPS binding and MAY support the UDP binding.

4. Mesh Service

A Mesh Service is a minimally trusted service. In particular a user does not need to trust a Mesh service to protect the confidentiality or integrity of most data stored in the account catalogs and spools.

Unless the use of the Mesh Service is highly restricted, a user does need to trust the Mesh Service in certain respects:

Data Loss

A service could refuse to respond to requests to download data.

Integrity (Stale Data)

The use of Merkle Trees limits but does not eliminate the ability of a Mesh Service to respond to requests with stale data.

Messaging

A service could reject requests to post messages to or accept messages from other mesh users.

This risk is a necessary consequence of the fact that the Mesh Service Provider is accountable to other Mesh Service Providers for abuse originating from their service.

Traffic analysis

A Mesh Service has knowledge of the number of Mesh Messages being sent and received by its users and the addresses they are sent to or received from.

The need to trust the Mesh Service in these respects is mitigated by accountability and the user's ability to change Mesh Service providers at any time they choose with minimal inconvenience.

It is possible that some of these risks will be reduced in future versions of the Mesh Service Protocol but it is highly unlikely that these can be eliminated entirely without compromising practicality or efficiency.

4.1. Data Model

The design of the Mesh Service model followed a quasi-formal approach in which the system was reduced to schemas which could in principle be rendered in a formal development method but without construction of proofs.

Like the contents of Mesh Accounts, a Mesh Service may be represented by a collection of catalogs and spools, for example:

Account Catalog

Contains the account entries.

Incident Spool

Reports of potential abuse.

Backup of the service MAY be implemented using the same container synchronization mechanism used to synchronize account catalogs and spools.

4.2. Partitioning

Mesh Services supporting a large number of accounts or large activity volume MAY partition the account catalog between one or more hosts using the usual tiered service model in which a front-end server receives traffic for any account hosted at the server and routes the request to the back-end service that provides the persistence store for that account.

In addition, the Mesh Service Protocol supports a 'direct connection' partitioning model in which devices are given a DNS name which MAY allow for direct connection to the persistence host or to a front-end service offering service that is in some way specific to that account.

5. Protocol Bindings

The protocol binding maps the abstract protocol definition specified in this document to the network protocol format.

Currently only one protocol binding is specified: JSON-BCD Application Binding [draft-hallambaker-jsonbcd] over Reliable User Datagram (RUD) [draft-hallambaker-mesh-rud].

JSON-BCD Application Binding specifies the means by which data types such as 'integer' and 'datetime' etc. given in this document are serialized using JSON/JSON-B encoding.

Reliable User Datagram offers a presentation layer over a choice of HTTP or UDP transport.

6. Mesh Service Operations

The Mesh Service operations are divided into the following functional groups:

Service Description

Describes the service.

Account Management

Operations used to create, reclaim, and delete accounts.

Persistence Store Management

Operations used to synchronize persistence store data across connected devices. [May be replaced in a future revision]

Device Connection

Operations used by devices requesting connection to the account.

Publication

Operations allowing a watched document to be posted to the service and claims made on the document returned to a device.

Cryptographic

Cryptographic operations, including threshold operations performed by the service.

Messaging

Exchange of messages between Mesh Services.

6.1. Service Description

The Hello transaction is used to determine the features supported by the service and obtain the service profile.

The request payload only specifies that it is a request for the service description:

{
  "HelloRequest":{}}

The response payload describes the service and the host providing that service:

{
  "MeshHelloResponse":{
    "EnvelopedProfileService":[{
        "EnvelopeId":"MBQD-ETXU-HZRW-A26O-WDTR-K7GI-X6JD",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFELUVUWFUtSF
  pSVy1BMjZPLVdEVFItSzdHSS1YNkpEIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVNlcnZpY2UiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAg
  IkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo0NFoifQ",
        "dig":"S512"},
      "ewogICJQcm9maWxlU2VydmljZSI6IHsKICAgICJTZXJ2aWNlQXV0aGVudG
  ljYXRpb24iOiB7CiAgICAgICJVZGYiOiAiTURZSS1JMkJILUhNTDMtSDZZSy1HTll
  XLUpKWEYtTlZESCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAg
  ICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgI
  CAgICAgICJQdWJsaWMiOiAiZ0g2UU15WXg1cWZPUmFOTnZzWnlSODNCTTBhbkVqLV
  ZxQ29MLTZrX0JoZEZZUThRcHJvNQogIDhwMGhyVFJNVExacnJCZFdwanRQS2l1QSJ
  9fX0sCiAgICAiU2VydmljZUVuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUE0
  TC1VRTVBLUU0VkctVUdSSy1UVlQyLTNMSEctWTdOViIsCiAgICAgICJQdWJsaWNQY
  XJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgIC
  AgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiS1BybjZhUHRSSEd
  MYkkyYUVIeklfZHRQRGdhR01TU0x4a0RfZFdzVEJZVkUxS2ZUM2tBTwogIHFSMjlQ
  ODJDLU5ydFphcG53eFpmRlRnQSJ9fX0sCiAgICAiU2VydmljZVNpZ25hdHVyZSI6I
  HsKICAgICAgIlVkZiI6ICJNQzZMLVQ1UDYtVVpDUS1SUkQ3LVZNSk0tRTJLUS1BWk
  hFIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0t
  leUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQ
  dWJsaWMiOiAieTVhN1hYZG9mX0F6aTh1ZVRkZFNJWng5ZkZnRDdaZlhCVDktTjZlN
  XFlQl9wUXRudXJ5bAogIFJOeGUydzVIckNWOXNZejJqcjN1NFhxQSJ9fX0sCiAgIC
  AiUm9vdFVkZnMiOiBbIllCTGtrWFZRYmRxZWE4MVFWSWtwcHAwRE9CdHRKRmNvVEk
  3VVZld3JldU1CQUozejZuCiAgTW1mMzFGYjRoRnktT0pqWVdoOTVFMHNwTlV2UGpN
  anczTm9wQSJdfX0",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MAJO-JELV-KBW5-VHTL-ZVIF-JCJJ-U2OQ",
            "SignatureKey":{
              "PublicKeyECDH":{
                "crv":"Ed448",
                "Public":"HrzNjtG9zQoqxzKGX1fa5ewkB0g6P7HQfinZuUC
  Y_q4Ke778BqDQPwE8kpSgU7aulAUJIk8Ue-kA"}},
            "signature":"u2U3pzAR-p3SyPylngueVqwseBYnkzJ0cXSsmT5j
  yKqMNKLb6EIhA4Q_m9W4qaj5MfpkFwwI6kQA6Kh59w0zmMrPPfTgPE3mxCJ5qLj4S
  hkMMubJwSb_L4Ef8rqKSZ9vGHdEuTImoU1rFnQAHeorqzsA"}
          ],
        "PayloadDigest":"GpwjTMrI_kI51EPsErCiiBEe3XJXntbI2Xkd4uX-
  sW6Ix81ljSbMDnALW0hua0peCyMOVvBV2iyZb3cRnQh6mA"}
      ],
    "Version":{
      "Major":3,
      "Minor":0,
      "Encodings":[{
          "ID":["application/json"
            ]}
        ]},
    "Status":201}}

The current revision of the specification is designed for small scale deployments in which the service is provided by a single host. The approach will require revision in future versions to fully support a service being provided by multiple hosts with accounts being transferred between the hosts to allow balancing of load.

6.2. Account Management

There are three account management operations:

BindAccount

Create an account bound to a service address.

UnbindAccount

Delete an account bound to a service address.

RecoverAccount

[TBS] Reclaim an account using a recovered primary secret.

The BindAccount operation is used to create User and Group accounts. Currently, these account types are distinct. This may change in future releases.

6.2.1. Bind Account

A User Account is bound to a Mesh Service by completing a BindAccount operation with the service.

The BindAccount transaction is unique in that it can fail to complete for reasons that are outside the scope of the Mesh specifications. Creation of an account might require payment to be made or authentication of the user's credentials. It is thus quite normal for the result of a CreateRequest to be the account being created in an 'on hold' state which can only be changed out of band.

If the request is at least partially successful, a BindResponse message is returned. In the case of partial success, a description of the request status and link to a Web page providing further details MAY be returned.

The request payload contains all the information needed to create the account:

  • The account address
  • The account profile

Since there is no Access Catalog until the account is created, the Bind Account request and subsequent requests used to initialize the access catalog for the account MUST be authenticated by the Account Authentication key.

Alice requests creation of the account alice@example.com. The request payload is:

{
  "BindRequest":{
    "AccountAddress":"alice@example.com",
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MBQC-7OHA-RNBA-FRDL-R4GI-YQHA-DL36",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFDLTdPSEEtUk
  5CQS1GUkRMLVI0R0ktWVFIQS1ETDM2IiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy
  ZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo0NVoifQ",
        "dig":"S512"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJDb21tb25TaWduYXR1cmUiOi
  B7CiAgICAgICJVZGYiOiAiTUROVC1XVDNHLTM0NkctNEk1VC1ZVjdGLUxUUVgtUFN
  OVCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNL
  ZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgICAiU
  HVibGljIjogIklNeU1vN2ZFeTJ2SHA4c3lRMFZVNFhpdnBKRWhnUVFTWDNqOG12YT
  RIQ19UMDVVbmhRWXEKICBWWnl1dklRRVZvMmR5TUNSbTYwUTNFMEEifX19LAogICA
  gIkFjY291bnRBZGRyZXNzIjogImFsaWNlQGV4YW1wbGUuY29tIiwKICAgICJTZXJ2
  aWNlVWRmIjogIk1CUUQtRVRYVS1IWlJXLUEyNk8tV0RUUi1LN0dJLVg2SkQiLAogI
  CAgIkVzY3Jvd0VuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUNLRC0zTVI2LV
  AyVEUtTTZVNC00TElPLVpUUkctRFpWUyIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJ
  zIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6
  ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiMXZOVUFBcDNyc3pJcGhHOEVzZ
  m9hTzVZNnNaQ24wSGM4ekNnZFFpdllwSkFjRHRta1NzQwogIGVJMmdtRFRDSzZTcl
  MxVWdQdHVZbVR3QSJ9fX0sCiAgICAiQWRtaW5pc3RyYXRvclNpZ25hdHVyZSI6IHs
  KICAgICAgIlVkZiI6ICJNRDJMLTZNN0MtWjNaMy1RM0FMLUpGWUktWklVQy1CS1VS
  IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tle
  UVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQdW
  JsaWMiOiAiYkhvS2IwYzEyRjdjaWJNXzNnWmNKWE16T09YNHNuSGdQVndPZlJZazZ
  BUkpPc0dQZW1zZAogIDJCbTBXZm1Ba1JZTzNFUTZmajhfTnpTQSJ9fX0sCiAgICAi
  Q29tbW9uRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQVlGLUQ3TEotNUlNU
  C1FVUNHLUhTR0gtN0xTUi1BQVBaIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOi
  B7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg
  0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJjN29vcko4MDhzYzlkNDBLWERoSUhn
  Q1RGejM5TUszSmpPMFE3S191ZkRFR0RLaXdWS2hkCiAgM29QUTQ0UEVxR2p3a3BwN
  09mYmNCYlNBIn19fSwKICAgICJDb21tb25BdXRoZW50aWNhdGlvbiI6IHsKICAgIC
  AgIlVkZiI6ICJNQUZULVNJTkEtU0ZYSS1QQkRZLVdSSEUtTlhZTC1EWFZUIiwKICA
  gICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgi
  OiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6I
  CJYY2dFejl5MmNxc3g0WmViR0VSVGpyTi14ek44M0QtcGN4MDY1MXgtV1VDcVlOcn
  NuelRICiAgNDBDcG9NeHVOLUZucFQ1bV9iME15dUtBIn19fSwKICAgICJSb290VWR
  mcyI6IFsiWUJKUjNqUjJQbGpkWWs1cXhiV2RIWTByVFlFYUZBa0hZM01tc1I4enZO
  MURyMzNSbkwKICBVTDNUaHJHOURNV0JaM1AtOFp5R3p5S2FRWXdlY28yWlV0Y0t3I
  l19fQ",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MAJF-DXRU-OY7F-RXLC-JZVM-LNM5-DWGS",
            "SignatureKey":{
              "PublicKeyECDH":{
                "crv":"Ed448",
                "Public":"9sZGEfYSIoTvVSL0Q5c_Oip_Hi2iOTsl4L3iLwh
  fOv9bA-5nd7PyRooKEsQx-lA7PMAYBewSOmIA"}},
            "signature":"6x3k8AC2jkUQv0jzlUVWJDqP7zcNkKAqvPcAs7Ci
  2jXULjbIFAFCct8GC8Nb8KiD5ljoLAsVHr-AnYcjklyXSHN6Gn_BIZiLiW3Yu5_Ch
  XHspywX-ZGMD6soXJIilOzreauR-_aiUE7Gx0eh3Fje2wEA"}
          ],
        "PayloadDigest":"tXPfbmg_SRmARF_7HLPq-bM6NMO1h1Oa30f_Ag_T
  IRzGKMrmTKtV7XH-h3NIBFGxOQYuD0BproKNEg6uhtG0Mw"}
      ],
    "EnvelopedCallsignBinding":[[{
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDYWxsc2ln
  bkJpbmRpbmciLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgI
  kNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo0NVoifQ",
          "dig":"S512"},
        "ewogICJDYWxsc2lnbkJpbmRpbmciOiB7CiAgICAiQ2Fub25pY2FsIjog
  ImFsaWNlQGV4YW1wbGUuY29tIiwKICAgICJEaXNwbGF5IjogImFsaWNlQGV4YW1wb
  GUuY29tIiwKICAgICJQcm9maWxlVWRmIjogIk1CUUMtN09IQS1STkJBLUZSREwtUj
  RHSS1ZUUhBLURMMzYiLAogICAgIlNlcnZpY2VzIjogW3sKICAgICAgICAiUHJlZml
  4IjogIm1tbSJ9XX19",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MD2L-6M7C-Z3Z3-Q3AL-JFYI-ZIUC-BKUR",
              "signature":"-Pp_ckhL8JOcz6YRG466UJn9waIRn8KzCLZv_7
  9OjTnOla3emASatCkLlMDHoppgzVnl3E8oYMuAY0W8MAZopsg5fLDAB7yTUKE1Cgi
  boHAZ2FydtHpKuXMwbh9TxZUUlCA8rj4b91k75jmf7B2sJgsA"}
            ],
          "PayloadDigest":"kLv_SVV9EuL9uUX1T38TUz5GH5z5FyEkJsHMUo
  J_gDeAwsZ_3ZNmJ_cbvrQSH-wYklSjWZ69z8TI-QXeL1XaHg"}
        ]
      ]}}
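The cross-checks a receiver can make on a BindRequest before any cryptographic verification, as an added example (not from the draft or the Mesh reference code): it opens the [header, body, trailer] envelopes, the same layout the Hello response uses for the service profile, and confirms that the account address, profile identifier and callsign binding agree, relationships taken from the example request above. The sample request is constructed with placeholder identifiers and the function names are hypothetical; the check does not replace verifying the signatures and digests.

```python
import base64
import json


def b64url_decode(text):
    """Decode unpadded base64url, dropping whitespace left by line folding."""
    compact = "".join(text.split())
    return base64.urlsafe_b64decode(compact + "=" * (-len(compact) % 4))


def b64url_json(obj):
    """Encode a JSON value the way the envelope fields carry it."""
    raw = json.dumps(obj).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def open_envelope(envelope):
    """Return (header, metadata, content, signer key ids) for one envelope."""
    if not isinstance(envelope, list) or len(envelope) != 3:
        raise ValueError("envelope must be [header, body, trailer]")
    header, body, trailer = envelope
    meta = json.loads(b64url_decode(header["ContentMetaData"]))
    content = json.loads(b64url_decode(body))
    signers = [sig["kid"] for sig in trailer.get("signatures", [])]
    return header, meta, content, signers


def check_bind_request(message):
    """List the inconsistencies found in a BindRequest; empty means none."""
    req = message["BindRequest"]
    problems = []

    header, meta, content, signers = open_envelope(req["EnvelopedProfileAccount"])
    profile = content.get("ProfileUser", {})
    profile_id = header.get("EnvelopeId")
    if meta.get("MessageType") != "ProfileUser":
        problems.append("profile envelope is not a ProfileUser")
    if meta.get("UniqueId") != profile_id:
        problems.append("EnvelopeId differs from ContentMetaData.UniqueId")
    if profile.get("AccountAddress") != req["AccountAddress"]:
        problems.append("profile AccountAddress differs from request")
    if not signers:
        problems.append("profile envelope is unsigned")

    # In the page's example the binding is signed under the key whose
    # identifier appears as AdministratorSignature.Udf in the profile.
    admin_udf = profile.get("AdministratorSignature", {}).get("Udf")
    for binding_env in req.get("EnvelopedCallsignBinding", []):
        _, _, b_content, b_signers = open_envelope(binding_env)
        binding = b_content.get("CallsignBinding", {})
        if binding.get("Canonical") != req["AccountAddress"]:
            problems.append("callsign Canonical differs from AccountAddress")
        if binding.get("ProfileUdf") != profile_id:
            problems.append("callsign ProfileUdf differs from profile EnvelopeId")
        if admin_udf not in b_signers:
            problems.append("callsign binding not signed by AdministratorSignature key")
    return problems


def sample_bind_request():
    """Constructed request; every identifier below is a placeholder."""
    profile_id, admin = "PROFILE-UDF-PLACEHOLDER", "ADMIN-KEY-UDF-PLACEHOLDER"
    profile_env = [
        {"EnvelopeId": profile_id,
         "ContentMetaData": b64url_json({"UniqueId": profile_id,
                                         "MessageType": "ProfileUser"}),
         "dig": "S512"},
        b64url_json({"ProfileUser": {"AccountAddress": "alice@example.com",
                                     "AdministratorSignature": {"Udf": admin}}}),
        {"signatures": [{"alg": "ED448", "kid": "ROOT-KEY-ID-PLACEHOLDER"}]},
    ]
    binding_env = [
        {"ContentMetaData": b64url_json({"MessageType": "CallsignBinding"}),
         "dig": "S512"},
        b64url_json({"CallsignBinding": {"Canonical": "alice@example.com",
                                         "Display": "alice@example.com",
                                         "ProfileUdf": profile_id}}),
        {"signatures": [{"alg": "ED448", "kid": admin}]},
    ]
    return {"BindRequest": {"AccountAddress": "alice@example.com",
                            "EnvelopedProfileAccount": profile_env,
                            "EnvelopedCallsignBinding": [binding_env]}}


if __name__ == "__main__":
    print("consistent request:", check_bind_request(sample_bind_request()))
    mismatched = sample_bind_request()
    mismatched["BindRequest"]["AccountAddress"] = "bob@example.com"
    for problem in check_bind_request(mismatched):
        print("mismatch:", problem)
```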

The response payload currently reports the success or failure of the bind operation:

{
  "BindResponse":{
    "EnvelopedAccountHostAssignment":[{
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY2NvdW50SG
  9zdEFzc2lnbm1lbnQiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCI
  sCiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo0NVoifQ"},
      "ewogICJBY2NvdW50SG9zdEFzc2lnbm1lbnQiOiB7CiAgICAiQWNjb3VudE
  FkZGVzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiQWNjZXNzRW5jcnlwdCI
  6IHsKICAgICAgIlVkZiI6ICJNREVULTI2TkItNUdSVi1KT1dELUhKNkQtNldVTi1K
  TFdFIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY
  0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIl
  B1YmxpYyI6ICJlSzVIN29wbXU3VzgwY1ZtUWdzLXVQT3FUUURTbTI2Z0hFanU0SHB
  FLWRBR0lEczNaMFg2CiAgMlZsaWtzZktZT3NQN0FFbkE5d2VJN1dBIn19fSwKICAg
  ICJFbnZlbG9wZWRQcm9maWxlU2VydmljZSI6IFt7CiAgICAgICAgIkVudmVsb3BlS
  WQiOiAiTUJRRC1FVFhVLUhaUlctQTI2Ty1XRFRSLUs3R0ktWDZKRCIsCiAgICAgIC
  AgIkNvbnRlbnRNZXRhRGF0YSI6ICJld29nSUNKVmJtbHhkV1ZKWkNJNklDSk5RbEZ
  FTFVWVVdGVXRTRnBTVnkxCiAgQk1qWlBMVmRFVkZJdFN6ZEhTUzFZTmtwRUlpd0tJ
  Q0FpVFdWemMyRm5aVlI1Y0dVaU9pQWlVSEp2Wm1sc1oKICBWTmxjblpwWTJVaUxBb
  2dJQ0pqZEhraU9pQWlZWEJ3YkdsallYUnBiMjR2YlcxdEwyOWlhbVZqZENJc0NpQQ
  ogIGdJa055WldGMFpXUWlPaUFpTWpBeU5DMHhNQzB4TkZReE16b3hNRG8wTkZvaWZ
  RIiwKICAgICAgICAiZGlnIjogIlM1MTIifSwKICAgICAgImV3b2dJQ0pRY205bWFX
  eGxVMlZ5ZG1salpTSTZJSHNLSUNBZ0lDSlRaWEoyYVdObFFYVjBhR1YKICB1ZEdsa
  llYUnBiMjRpT2lCN0NpQWdJQ0FnSUNKVlpHWWlPaUFpVFVSWlNTMUpNa0pJTFVoTl
  RETXRTRFpaUwogIHkxSFRsbFhMVXBLV0VZdFRsWkVTQ0lzQ2lBZ0lDQWdJQ0pRZFd
  Kc2FXTlFZWEpoYldWMFpYSnpJam9nZXdvCiAgZ0lDQWdJQ0FnSUNKUWRXSnNhV05M
  WlhsRlEwUklJam9nZXdvZ0lDQWdJQ0FnSUNBZ0ltTnlkaUk2SUNKWU4KICBEUTRJa
  XdLSUNBZ0lDQWdJQ0FnSUNKUWRXSnNhV01pT2lBaVowZzJVVTE1V1hnMWNXWlBVbU
  ZPVG5aeldubAogIFNPRE5DVFRCaGJrVnFMVlp4UTI5TUxUWnJYMEpvWkVaWlVUaFJ
  jSEp2TlFvZ0lEaHdNR2h5VkZKTlZFeGFjCiAgbkpDWkZkd2FuUlFTMmwxUVNKOWZY
  MHNDaUFnSUNBaVUyVnlkbWxqWlVWdVkzSjVjSFJwYjI0aU9pQjdDaUEKICBnSUNBZ
  0lDSlZaR1lpT2lBaVRVRTBUQzFWUlRWQkxVVTBWa2N0VlVkU1N5MVVWbFF5TFROTV
  NFY3RXVGRPVgogIGlJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWp
  vZ2V3b2dJQ0FnSUNBZ0lDSlFkV0pzYVdOCiAgTFpYbEZRMFJJSWpvZ2V3b2dJQ0Fn
  SUNBZ0lDQWdJbU55ZGlJNklDSllORFE0SWl3S0lDQWdJQ0FnSUNBZ0kKICBDSlFkV
  0pzYVdNaU9pQWlTMUJ5YmpaaFVIUlNTRWRNWWtreVlVVklla2xmWkhSUVJHZGhSMD
  FUVTB4NGEwUgogIGZaRmR6VkVKWlZrVXhTMlpVTTJ0QlR3b2dJSEZTTWpsUU9ESkR
  MVTV5ZEZwaGNHNTNlRnBtUmxSblFTSjlmCiAgWDBzQ2lBZ0lDQWlVMlZ5ZG1salpW
  TnBaMjVoZEhWeVpTSTZJSHNLSUNBZ0lDQWdJbFZrWmlJNklDSk5ReloKICBNTFZRM
  VVEWXRWVnBEVVMxU1VrUTNMVlpOU2swdFJUSkxVUzFCV2toRklpd0tJQ0FnSUNBZ0
  lsQjFZbXhwWQogIDFCaGNtRnRaWFJsY25NaU9pQjdDaUFnSUNBZ0lDQWdJbEIxWW1
  4cFkwdGxlVVZEUkVnaU9pQjdDaUFnSUNBCiAgZ0lDQWdJQ0FpWTNKMklqb2dJa1Zr
  TkRRNElpd0tJQ0FnSUNBZ0lDQWdJQ0pRZFdKc2FXTWlPaUFpZVRWaE4KICAxaFlaR
  zltWDBGNmFUaDFaVlJrWkZOSlduZzVaa1puUkRkYVpsaENWRGt0VGpabE5YRmxRbD
  l3VVhSdWRYSgogIDViQW9nSUZKT2VHVXlkelZJY2tOV09YTlplakpxY2pOMU5GaHh
  RU0o5Zlgwc0NpQWdJQ0FpVW05dmRGVmtaCiAgbk1pT2lCYklsbENUR3RyV0ZaUllt
  UnhaV0U0TVZGV1NXdHdjSEF3UkU5Q2RIUktSbU52VkVrM1ZWWmxkM0oKICBsZFUxQ
  1FVb3plalp1Q2lBZ1RXMW1NekZHWWpSb1Jua3RUMHBxV1Zkb09UVkZNSE53VGxWMl
  VHcE5hbmN6VAogIG05d1FTSmRmWDAiLAogICAgICB7CiAgICAgICAgInNpZ25hdHV
  yZXMiOiBbewogICAgICAgICAgICAiYWxnIjogIkVENDQ4IiwKICAgICAgICAgICAg
  ImtpZCI6ICJNQUpPLUpFTFYtS0JXNS1WSFRMLVpWSUYtSkNKSi1VMk9RIiwKICAgI
  CAgICAgICAgIlNpZ25hdHVyZUtleSI6IHsKICAgICAgICAgICAgICAiUHVibGljS2
  V5RUNESCI6IHsKICAgICAgICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICA
  gICAgICAgICAgIlB1YmxpYyI6ICJIcnpOanRHOXpRb3F4ektHWDFmYTVld2tCMGc2
  UDdIUWZpblp1VUNZX3E0S2U3NzhCcURRCiAgUHdFOGtwU2dVN2F1bEFVSklrOFVlL
  WtBIn19LAogICAgICAgICAgICAic2lnbmF0dXJlIjogInUyVTNwekFSLXAzU3lQeW
  xuZ3VlVnF3c2VCWW5rekowY1hTc21UNWp5S3FNTktMYjYKICBFSWhBNFFfbTlXNHF
  hajVNZnBrRnd3STZrUUE2S2g1OXcwem1NclBQZlRnUEUzbXhDSjVxTGo0U2hrTU11
  YgogIEp3U2JfTDRFZjhycUtTWjl2R0hkRXVUSW1vVTFyRm5RQUhlb3JxenNBIn1dL
  AogICAgICAgICJQYXlsb2FkRGlnZXN0IjogIkdwd2pUTXJJX2tJNTFFUHNFckNpaU
  JFZTNYSlhudGJJMlhrZDR1WC1zVzZJeAogIDgxbGpTYk1EbkFMVzBodWEwcGVDeU1
  PVnZCVjJpeVpiM2NSblFoNm1BIn1dfX0"
      ],
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

It is likely that future revisions of the specification will specify the host(s) to which future account service operations are to be directed. This would allow the account management operations to be separated from the account maintenance operations without requiring the traditional tiered architecture in which every interaction with a service is first routed to a host that cannot perform the required action so that it can be directed to the host that can.

6.2.1.1. Bind Group Account

Mesh Group Accounts are created in the same manner as user accounts except that the ProfileGroup is specified.

6.2.1.2. Account Recovery

Should all the administration devices be lost, an account MAY be recovered by the process of recovering the profile master secret and using it to access the account through the account authentication key.

6.2.2. Unbind Account

An account registration is deleted using the UnbindAccount transaction.

>>>> Unfinished ProtocolAccountDelete

The request payload:

{
  "UnbindRequest":{
    "Account":"alice@example.com"}}

The response payload:

{
  "UnbindResponse":{
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

6.2.2.1. Account Transfer

Should a user wish to transfer their account to a new service provider, they first use the Bind Account operation to bind the account to the new service provider, then populate the account entry at the new account using the account authentication key.

Only after the new account binding has been completed and is ready for use is the unbind operation used to delete the account entry at the old service provider.

Future versions of the protocol will elaborate on this mechanism so that the change of address can be signaled to connected devices and parties sending messages to the account.

6.2.3. Account Recovery and Transfer

Account recovery is necessary in the case that the user has lost control of every administration device connected to the account and must re-create the account profile and bind a new set of administrative devices. Account transfer is the process of unbinding an account from one service and rebinding it to a new one.

These capabilities are both critical to the long term success of the Mesh but have been deleted from the current revision of the specification as their implementation is interdependent on the architecture of the callsign registry.

>>>> Unfinished ProtocolAccountRecover

[TBS]

6.3. Persistence Store Management

All the state associated with a Mesh profile is stored as a sequence of DARE Messages in a DARE Container. The Mesh Service holds the master copy of the persistence stores and the devices connected to the profile contain complete copies (replicas) or partial copies (redactions).

Thus, the only primitives needed to achieve synchronization of the profile state are those required for synchronization of a DARE Container. These steps are:

  • Obtain the status of the catalogs and spools associated with the account.
  • Download catalog and spool updates.
  • Upload catalog updates.

To ensure a satisfactory user experience, Mesh Messages are intentionally limited in size to 32 KB or less, thus ensuring that an application can retrieve the most recent 100 messages almost instantaneously on a high bandwidth connection and without undue delay on a slower one.

6.3.1. Status

The status transaction returns the status of the containers the device is authorized to access for the specified account together with the updated Device Connection Entry if this has been modified since the entry presented to authenticate the request was issued.

Alice adds an entry to her bookmark catalog. Before the bookmark can be added, the device synchronizes to the service. The synchronization process begins with a request for the status of all the stores associated with the account that it has access rights for:

{
  "DownloadRequest":{
    "MaxResults":-1,
    "DeviceUDF":"MBQO-4TTM-QOTS-MKEG-XQTU-XNFM-WUWM",
    "CatalogedDeviceDigest":"MC2F-2ZAT-4BRE-QDDE-HBQQ-3H7O-PB",
    "Select":[{
        "Store":"Credential",
        "IndexMin":3},
      {
        "Store":"Contact",
        "IndexMin":3},
      {
        "Store":"Task",
        "IndexMin":1},
      {
        "Store":"Bookmark",
        "IndexMin":1},
      {
        "Store":"Network",
        "IndexMin":1},
      {
        "Store":"Application",
        "IndexMin":1},
      {
        "Store":"Device",
        "IndexMin":3},
      {
        "Store":"Access",
        "IndexMin":3},
      {
        "Store":"Document",
        "IndexMin":1},
      {
        "Store":"Publication",
        "IndexMin":1},
      {
        "Store":"Inbound",
        "IndexMin":3},
      {
        "Store":"Outbound",
        "IndexMin":1},
      {
        "Store":"Local",
        "IndexMin":2}
      ]}}

If the account has a very large number of stores, the device might only ask for the status of specific stores of interest.

The response gives the status of each store, specifying the index and Merkle tree apex digest values for each:

{
  "DownloadResponse":{
    "Updates":[{
        "Envelopes":[[{
              "enc":"A256CBC",
              "Salt":"fYUwUF5YTfAeOgSewpXy_A",
              "recipients":[{
                  "kid":"MDFG-UKLG-VUPZ-XAY3-BDMH-FI35-RW3Y",
                  "epk":{
                    "PublicKeyECDH":{
                      "crv":"X448",
                      "Public":"iwbMN5lNb1LLgLYYTt-1xchZIOKm_Xt8x
  229dTEuZaDGfo0V1VLU19rYyWqPAif3wzWkzyFR7UmA"}},
                  "wmk":"0skSKfeeG4EaXByENg1R4wuXgNrWJ8nFkjpND1Wf
  sGntFaADEp-knw"}
                ],
              "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICI6ZnRwLmV4
  YW1wbGUuY29tIiwKICAiRXZlbnQiOiAiVXBkYXRlIn0",
              "SequenceInfo":{
                "Index":3,
                "TreePosition":1137},
              "Received":"2024-10-14T13:10:46Z",
              "PayloadDigest":"M5x4gqPlFJCU1hAeHkcwuahGWSKDj7sIkn
  _nkD6QtVAmWj5sjPJqsHAbaS7wIa868nZesxO9xHg3H2qs3aAZPQ",
              "ApexDigest":"NcSyijJ8HTa7RoYotCszOoMrNtSjGMx7DhkNd
  nrIvkJzyUwVU-UmbZBHhhfJ_sb7bZ34aSVbSjh8smDsEoPLSA",
              "dig":"S512"},
            "Yu50_fuQ4RhYOlOjCENjKFmKjcWcnb08of_ZaW5Kg1KovLyN5bsa
  x3TH9EKsQ50AuJ_bp6xXlhYY0arhBudTm4G7oPc8TYRdCMw4-bs4iGGu8zFoXCAex
  6eC9_LJbyTw20DmFIzCt6Jdpos2oQZ6GyT-x8PCxImuOzToiP6x2O4",
            {}
            ]
          ],
        "Store":"Credential"},
      {
        "Envelopes":[
          ],
        "Store":"Contact"},
      {
        "Envelopes":[
          ],
        "Store":"Task"},
      {
        "Envelopes":[
          ],
        "Store":"Bookmark"},
      {
        "Envelopes":[
          ],
        "Store":"Network"},
      {
        "Envelopes":[
          ],
        "Store":"Application"},
      {
        "Envelopes":[
          ],
        "Store":"Device"},
      {
        "Envelopes":[
          ],
        "Store":"Access"},
      {
        "Envelopes":[
          ],
        "Store":"Document"},
      {
        "Envelopes":[
          ],
        "Store":"Publication"},
      {
        "Envelopes":[
          ],
        "Store":"Inbound"},
      {
        "Envelopes":[
          ],
        "Store":"Outbound"},
      {
        "Envelopes":[
          ],
        "Store":"Local"}
      ],
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

Bug: The current version of the reference code is only returning the digest values for the outbound store.

6.3.2. Download

The download transaction returns a collection of entries from one or more containers associated with the profile.

The service MAY limit the number of entries returned in an individual response for performance reasons.

The previous status operation has reported that a new envelope has been added to the credential store. The device requests this data from the service:

The response contains the requested envelope:

Future: The current implementation of the download operation is limited by the capabilities of the HTTP binding of the RUD transport. A future binding allowing operations that consist of a single request followed by a sequence of responses will allow much greater flexibility.

Future versions of the protocol may support optional filtering criteria so that the service only returns objects matching specific criteria and/or only return certain parts of the selected messages.

6.3.3. Transact

The transact transaction appends envelopes to one or more stores. The operation is atomic, that is, either all the changes specified will be made to the stores or none will. This ensures that simultaneous attempts to update a store do not result in race conditions and allows Mesh stores to provide ACID (Atomicity, Consistency, Isolation, Durability) properties to the applications they serve.

Clients SHOULD check to determine if updates to a container conflict with pending updates on the device waiting to be uploaded, for example, if a contact that the user modified on the device attempting to synchronize was subsequently deleted. The means of resolving such conflicts is not in the scope of this specification.

Each update to a catalog or container specifies the expected container index and apex digest. This provides a strong guarantee of consistency. The service MUST verify each update to check that the Merkle Tree values specified are consistent with the store entries and that the signature on the apex value (if specified) is valid and correct.

Services MAY impose limits on the size and number of additions performed in response to a TransactRequest message to ensure that processing time does not degrade performance for other users.

The request payload specifies the data to be appended to the stores.

{
  "TransactRequest":{
    "Updates":[{
        "Envelopes":[[{
              "enc":"A256CBC",
              "kid":"EBQH-FCIB-JKQT-746V-FE2I-IEEI-GMEC",
              "Salt":"WsdkI2icQX-czV4twcrQSQ",
              "recipients":[{
                  "kid":"MDZV-J4CB-QLA5-K6GU-GGP2-OAXS-3FB6",
                  "epk":{
                    "PublicKeyECDH":{
                      "crv":"X448",
                      "Public":"nNKy3ud25ZOHhOpIoCREUMru72r9RPny4
  8Tg_yw7JELHYek0nEgUiVgYJiVUweGMmPL0HC-KdY4A"}},
                  "wmk":"LLtDyCCrKdEbVEzohPLP2Q_ZxMLz9qv2dXLBiaB2
  XVkFHt-Jxa9rgw"}
                ],
              "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQUNMLTVM
  WFktS1hGNC00MzJCLVhDWkEtV1RGNC1RUDVRIiwKICAiRXZlbnQiOiAiTmV3In0",
              "SequenceInfo":{
                "Index":1,
                "TreePosition":0},
              "PayloadDigest":"jus6Cpy4Fk_4HN2oW7xhkBSv6Ah-cAImeN
  rmBbcQy4heAkyzHiOouwUNiy1ek-eh68q2zgEwaqWAxVUutj9sMQ",
              "ApexDigest":"rY8d41_tcAvacoZ7x5NI2GmM9R33bPgWN_uTc
  VuKD6cuj6aTFqwdY2nCSRiyE6Pw_lpUIdiDEWz6XmdQh33Z3A",
              "dig":"S512"},
            "lzE4p_C7tj1-0YCg1J__UUvK-WqDtWDCOvsm4MN0y95R8-XpbgEi
  888BlNOnp6d1pvNNKHtxtNzO9_yOMKTAur3B6a1nag1-x35DddfV-8Ho9DjSAoMGh
  NWZ6I336ggTSHMOWLJXbqxBYCUrnBHMZn7ZWADU0IoqzE4VXsODflmYQihY2sPQMO
  iiHM07WD_r"
            ]
          ],
        "Store":"Bookmark"}
      ]}}

The response reports successful completion:

{
  "TransactResponse":{
    "Bitmask":"AAEAAA",
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}
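
The following sketch is an added example, not code from this specification or its reference implementation. It shows a service verifying the expected index and apex digest of every update in a TransactRequest against staged copies of the stores and committing all of them or none. The SHA-512 chain standing in for the Merkle Tree apex, the MAX_ENVELOPES limit, the "Contact" store name, the result dictionary and all payloads are assumptions made for illustration.

```python
import base64
import copy
import hashlib

MAX_ENVELOPES = 16  # hypothetical per-request limit chosen for this sketch


def b64u(data: bytes) -> str:
    """Base64url without padding, the encoding used in the examples."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def next_apex(prev_apex: str, payload_digest: str) -> str:
    # Stand-in for the Merkle Tree apex: a SHA-512 chain over payload digests.
    chained = (prev_apex + "." + payload_digest).encode()
    return b64u(hashlib.sha512(chained).digest())


def make_envelope(view: dict, payload: bytes) -> list:
    """Client side: build [header, payload] against the client's view of a store."""
    digest = b64u(hashlib.sha512(payload).digest())
    header = {
        "SequenceInfo": {"Index": len(view["entries"])},
        "PayloadDigest": digest,
        "ApexDigest": next_apex(view["apex"], digest),
        "dig": "S512",
    }
    return [header, b64u(payload)]


def request_for(*updates) -> dict:
    """Wrap (store name, envelopes) pairs in the TransactRequest shape."""
    return {"TransactRequest": {"Updates": [
        {"Store": name, "Envelopes": envelopes} for name, envelopes in updates]}}


def refuse(reason: str) -> dict:
    return {"applied": False, "reason": reason}


def transact(stores: dict, request: dict) -> dict:
    """Service side: verify every update on staged copies, then commit all or none."""
    updates = request["TransactRequest"]["Updates"]
    if sum(len(u["Envelopes"]) for u in updates) > MAX_ENVELOPES:
        return refuse("too many envelopes")
    staged = {}
    for update in updates:
        name = update["Store"]
        if name not in stores:
            return refuse(f"{name}: unknown store")
        if name not in staged:
            staged[name] = copy.deepcopy(stores[name])
        store = staged[name]
        for header, payload_b64 in update["Envelopes"]:
            payload = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
            digest = b64u(hashlib.sha512(payload).digest())
            if header["SequenceInfo"]["Index"] != len(store["entries"]):
                return refuse(f"{name}: index conflict")
            if header["PayloadDigest"] != digest:
                return refuse(f"{name}: payload digest mismatch")
            if header["ApexDigest"] != next_apex(store["apex"], digest):
                return refuse(f"{name}: apex digest mismatch")
            store["entries"].append(payload)
            store["apex"] = header["ApexDigest"]
    # Commit point, reached only if every check passed. A real service would
    # perform this step under a lock or inside a storage transaction.
    stores.update(staged)
    return {"applied": True, "reason": "ok"}


def demo() -> dict:
    empty = {"entries": [], "apex": ""}
    stores = {"Bookmark": copy.deepcopy(empty), "Contact": copy.deepcopy(empty)}
    view_a, view_b = copy.deepcopy(stores), copy.deepcopy(stores)  # two devices
    first = transact(stores, request_for(
        ("Bookmark", [make_envelope(view_a["Bookmark"], b"constructed bookmark 1")])))
    # Device B has not synchronized: its Bookmark update carries a stale index,
    # so the valid Contact update in the same request must not be applied either.
    stale = transact(stores, request_for(
        ("Contact", [make_envelope(view_b["Contact"], b"constructed contact 1")]),
        ("Bookmark", [make_envelope(view_b["Bookmark"], b"constructed bookmark 2")])))
    view_b = copy.deepcopy(stores)  # device B synchronizes and retries
    retry = transact(stores, request_for(
        ("Contact", [make_envelope(view_b["Contact"], b"constructed contact 1")]),
        ("Bookmark", [make_envelope(view_b["Bookmark"], b"constructed bookmark 2")])))
    counts = {name: len(store["entries"]) for name, store in stores.items()}
    return {"first": first, "stale": stale, "retry": retry, "counts": counts}


if __name__ == "__main__":
    print(demo())
```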

6.4. Device Connection

In order to support the wide range of affordances supported by devices, four device connection interactions are currently specified. The use of these mechanisms is described in [draft-hallambaker-mesh-architecture] and the interactions themselves are described in section ??? following.

Device connection operations are always issued by a device requesting connection to a Mesh account and must therefore be authenticated under the device profile rather than the account profile. Two device connection operations are currently defined:

Connect

Requests connection to the account.

Complete

Polls for completion of a connection request.

Since the second operation is merely polling for completion of the transaction requested by the first, it is likely that these will be combined in a future revision of the specification.

6.4.1. Connect

If the connection request is initiated by the device being connected, the device constructs a RequestConnection message which is posted to the Mesh Service using the Connect operation.

If the Connect operation is accepted (i.e. the service determines it is not abuse), the service constructs an AcknowledgeConnection message which is forwarded to the inbound spool of the account to which connection is requested. The requesting device receives a copy of the AcknowledgeConnection message and the profile of the account it is requesting connection to.

As described in the following section, the AcknowledgeConnection message contains the request details presented by the device and a nonce value generated by the service. This nonce value is used to compute the witness value that will be used for mutual authentication of the device and account.

The connect request is made to the service, not the account. The payload contains the enveloped connection request:

{
  "ConnectRequest":{
    "EnvelopedRequestConnection":[{
        "EnvelopeId":"MBRN-LSG3-IBIK-2RUK-U4TO-HOZK-7ZJP",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQkFNLUlCRzctNE
  lNMi1VTks2LU5RT1EtSEZTUi00TEJEIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo1NloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJBY2NvdW50QWRkcm
  VzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiQXV0aGVudGljYXRlZERhdGE
  iOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1CUUQtQ09ERS1YTVdKLVFIRTMt
  MktIWi1VS0tGLVRWVkYiLAogICAgICAgICJDb250ZW50TWV0YURhdGEiOiAiZXdvZ
  0lDSlZibWx4ZFdWSlpDSTZJQ0pOUWxGRUxVTlBSRVV0V0UxWFNpMQogIFJTRVV6TF
  RKTFNGb3RWVXRMUmkxVVZsWkdJaXdLSUNBaVRXVnpjMkZuWlZSNWNHVWlPaUFpVUh
  KdlptbHNaCiAgVVJsZG1salpTSXNDaUFnSW1OMGVTSTZJQ0poY0hCc2FXTmhkR2x2
  Ymk5dGJXMHZiMkpxWldOMElpd0tJQ0EKICBpUTNKbFlYUmxaQ0k2SUNJeU1ESTBMV
  EV3TFRFMFZERXpPakV3T2pVMldpSjkiLAogICAgICAgICJkaWciOiAiUzUxMiJ9LA
  ogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V3b2dJQ0FnSWtWdVk
  zSjVjSFJwYjI0aU9pQgogIDdDaUFnSUNBZ0lDSlZaR1lpT2lBaVRVTkVXaTFGUVRN
  M0xWQlFURUV0VmpWQ1VpMHpObFJRTFU1TFJFSXROCiAgRFJYVlNJc0NpQWdJQ0FnS
  UNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2V3b2dJQ0FnSUNBZ0lDSlFkV0oKIC
  BzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUNBZ0lDQWdJbU55ZGlJNklDSllORFE
  0SWl3S0lDQWdJQ0FnSQogIENBZ0lDSlFkV0pzYVdNaU9pQWljbTVSUm5GWlpUSXRZ
  alUxUWtveU5IZG5SRFl0ZVdkWmQyUlVWblp1YkhsCiAgalNIUlRTVFJ0TldRNWRHM
  WpMVmxKTjJKYVRnb2dJRWRPTTFod2RGZG9XVGhXWm1WUFMzUnlVMjE2Vld0SFEKIC
  BTSjlmWDBzQ2lBZ0lDQWlVMmxuYm1GMGRYSmxJam9nZXdvZ0lDQWdJQ0FpVldSbUl
  qb2dJazFEUTBndFZWQgogIEpUQzFYUzBsR0xVRk5OVlV0U0ZSTVJpMHpNMVJNTFZa
  SU4xUWlMQW9nSUNBZ0lDQWlVSFZpYkdsalVHRnlZCiAgVzFsZEdWeWN5STZJSHNLS
  UNBZ0lDQWdJQ0FpVUhWaWJHbGpTMlY1UlVORVNDSTZJSHNLSUNBZ0lDQWdJQ0EKIC
  BnSUNKamNuWWlPaUFpUldRME5EZ2lMQW9nSUNBZ0lDQWdJQ0FnSWxCMVlteHBZeUk
  2SUNKblRYbDFPSFZuWQogIG10T01rZFFaRzEwT0VvMldrUXhZM000VW5oT2NEWmxS
  MWRpV0dwVmFuUjVTMUl5UWtkSVlrOXRkbU5XQ2lBCiAgZ2RYbzVjMDlJV2tGTmVWV
  kRVVkJ0WVRCd1FVcG5SR2RCSW4xOWZTd0tJQ0FnSUNKQmRYUm9aVzUwYVdOaGQKIC
  BHbHZiaUk2SUhzS0lDQWdJQ0FnSWxWa1ppSTZJQ0pOUVZCSUxUWXpObEV0TjBaTFZ
  TMUdNMGhLTFV4UVEwTQogIHRXa3RWUnkxWlZ6WTBJaXdLSUNBZ0lDQWdJbEIxWW14
  cFkxQmhjbUZ0WlhSbGNuTWlPaUI3Q2lBZ0lDQWdJCiAgQ0FnSWxCMVlteHBZMHRsZ
  VVWRFJFZ2lPaUI3Q2lBZ0lDQWdJQ0FnSUNBaVkzSjJJam9nSWxnME5EZ2lMQW8KIC
  BnSUNBZ0lDQWdJQ0FnSWxCMVlteHBZeUk2SUNJdGJEZHBPV3gyTTNacmVWWkdORzV
  TVHpaRlNFdFhSVXMwTAogIFUxbk5HUnNSV3BxTTFaaFZHeHFjVGR3YUZsclNuaHFW
  bkV5Q2lBZ1UyOHpTVWx6WTFaU01rUkNPRkEzZWxkCiAgTk1sQjNibGRCSW4xOWZTd
  0tJQ0FnSUNKU2IyOTBWV1JtY3lJNklGc2lXVXRQVkZveVRVRktZazkwVEVWU2EKIC
  BXZFJMVXB4VjFOVmVVRnlNMTlXZUd4MVdtMXFZVnBOYUhSc1dGRmlkbEp0VmpJS0l
  DQnhlVlpLVTFCWFJ5MQogIE9USEJ0YjNNeFFreFBNMWN3TmpRMFJsQjZZM2swVFdj
  d04zcEpJbDE5ZlEiLAogICAgICB7CiAgICAgICAgInNpZ25hdHVyZXMiOiBbewogI
  CAgICAgICAgICAiYWxnIjogIkVENDQ4IiwKICAgICAgICAgICAgImtpZCI6ICJNQ1
  JaLUdaM0QtQUFTMy1ITEpNLUlSUkktQ0Q0Si1WRlNKIiwKICAgICAgICAgICAgIlN
  pZ25hdHVyZUtleSI6IHsKICAgICAgICAgICAgICAiUHVibGljS2V5RUNESCI6IHsK
  ICAgICAgICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgICAgICAgI
  lB1YmxpYyI6ICJEMDlsTlpYVWNCcS1uN2V1QmduZEVfbkozeFk1bDBGRVFIZmdwZD
  NCNGFtVjNmWWhsYk42CiAgQWRoVGRrRElGTGVETnZJaUJpb3ptVVVBIn19LAogICA
  gICAgICAgICAic2lnbmF0dXJlIjogIkQ1RHhCZEhmRS1XaTYtTFlXSVB6SVJPMlFk
  clE1VlBXb0h1RlRBblA5em9qQ0tfXzYKICBkTjZpWUtpc0NUMWRSRFhJR3dpQ2UtV
  HJVdUExNExycTBibWpvTko1MEY1Z2hFTnFPbFR6ZkR6WFY4QmpXegogIFBRTDBhZ1
  9WV3BOM0phaVUwSFJnVFZ2a3VnUlhwQUVFLUJaZFBHQzhBIn1dLAogICAgICAgICJ
  QYXlsb2FkRGlnZXN0IjogIlhSWmZNUjA5MENuN2xEQ21HWTJnT01TX2NHaUUyYzhk
  NkpMaF8zM1RKMHh4ZgogIFdXdlFFa3l1cDdyZ1FNcFdaTnFJRkVXQlFaRTJPZ040S
  2IwZ2JRSGJ3In1dLAogICAgIkNsaWVudE5vbmNlIjogIlB5X003eGxvNXJMQjhhdE
  VwQ0NRaUEiLAogICAgIlBpbklkIjogIkFBS1UtTUpLVy1HUkRTLVMzWkktRE9OSC1
  ENlVTLTRSRVciLAogICAgIlBpbldpdG5lc3MiOiAiY3FlZDMzclJvQzRmSG5WVGp6
  cmVvYV94NUJMS3BMbWhZNWpJZnhCZUNPRGdicUpjCiAgbGh5Q1dtb1ozMG9OS2NHd
  TR0RXZQN3d2c2xVOGg0aU1vYlNSTmciLAogICAgIk1lc3NhZ2VJZCI6ICJOQkFNLU
  lCRzctNElNMi1VTks2LU5RT1EtSEZTUi00TEJEIn19"
      ],
    "Rights":[
      ]}}

The response payload contains the information the device requires to compute the witness value and to poll for completion. This is a copy of the request acknowledgement and a copy of the profile of the account the device has requested connection to:

{
  "ConnectResponse":{
    "EnvelopedAcknowledgeConnection":[{
        "EnvelopeId":"MDU6-DXWG-L3TO-TDYK-VNXN-7ZIR-IOSW",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJBNkozLUVWVTUtUU
  dCTS1XSTRaLUhZVUMtT05IUC1PM1ZDIiwKICAiTWVzc2FnZVR5cGUiOiAiQWNrbm9
  3bGVkZ2VDb25uZWN0aW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmpl
  Y3QiLAogICJDcmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NTZaIn0"},
      "ewogICJBY2tub3dsZWRnZUNvbm5lY3Rpb24iOiB7CiAgICAiRW52ZWxvcG
  VkUmVxdWVzdENvbm5lY3Rpb24iOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1
  CUk4tTFNHMy1JQklLLTJSVUstVTRUTy1IT1pLLTdaSlAiLAogICAgICAgICJDb250
  ZW50TWV0YURhdGEiOiAiZXdvZ0lDSlZibWx4ZFdWSlpDSTZJQ0pPUWtGTkxVbENSe
  mN0TkVsTk1pMQogIFZUa3MyTFU1UlQxRXRTRVpUVWkwMFRFSkVJaXdLSUNBaVRXVn
  pjMkZuWlZSNWNHVWlPaUFpVW1WeGRXVnpkCiAgRU52Ym01bFkzUnBiMjRpTEFvZ0l
  DSmpkSGtpT2lBaVlYQndiR2xqWVhScGIyNHZiVzF0TDI5aWFtVmpkQ0kKICBzQ2lB
  Z0lrTnlaV0YwWldRaU9pQWlNakF5TkMweE1DMHhORlF4TXpveE1EbzFObG9pZlEif
  SwKICAgICAgImV3b2dJQ0pTWlhGMVpYTjBRMjl1Ym1WamRHbHZiaUk2SUhzS0lDQW
  dJQ0oKICBCWTJOdmRXNTBRV1JrY21WemN5STZJQ0poYkdsalpVQmxlR0Z0Y0d4bEx
  tTnZiU0lzQ2lBZ0lDQWlRWFYwYQogIEdWdWRHbGpZWFJsWkVSaGRHRWlPaUJiZXdv
  Z0lDQWdJQ0FnSUNKRmJuWmxiRzl3WlVsa0lqb2dJazFDVVVRCiAgdFEwOUVSUzFZV
  FZkS0xWRklSVE10TWt0SVdpMVZTMHRHTFZSV1ZrWWlMQW9nSUNBZ0lDQWdJQ0pEYj
  I1MFoKICBXNTBUV1YwWVVSaGRHRWlPaUFpWlhkdlowbERTbFppYld4NFpGZFdTbHB
  EU1RaSlEwcE9VV3hHUlV4VlRsQgogIFNSVlYwVjBVeFdGTnBNUW9nSUZKVFJWVjZU
  RlJLVEZOR2IzUldWWFJNVW1reFZWWnNXa2RKYVhkTFNVTkJhCiAgVlJYVm5wak1rW
  nVXbFpTTldOSFZXbFBhVUZwVlVoS2RscHRiSE5hQ2lBZ1ZWSnNaRzFzYWxwVFNYTk
  RhVUYKICBuU1cxT01HVlRTVFpKUTBwb1kwaENjMkZYVG1oa1IyeDJZbWs1ZEdKWE1
  IWmlNa3B4V2xkT01FbHBkMHRKUQogIDBFS0lDQnBVVE5LYkZsWVVteGFRMGsyU1VO
  SmVVMUVTVEJNVkVWM1RGUkZNRlpFUlhwUGFrVjNUMnBWTWxkCiAgcFNqa2lMQW9nS
  UNBZ0lDQWdJQ0prYVdjaU9pQWlVelV4TWlKOUxBb2dJQ0FnSUNBaVpYZHZaMGxEU2
  xGamIKICBUbHRZVmQ0YkZKSFZqSmhWMDVzU1dwdloyVjNiMmRKUTBGblNXdFdkVmt
  6U2pWalNGSndZakkwYVU5cFFnbwogIGdJRGREYVVGblNVTkJaMGxEU2xaYVIxbHBU
  MmxCYVZSVlRrVlhhVEZHVVZSTk0weFdRbEZVUlVWMFZtcFdRCiAgMVZwTUhwT2JGS
  lJURlUxVEZKRlNYUk9DaUFnUkZKWVZsTkpjME5wUVdkSlEwRm5TVU5LVVdSWFNuTm
  hWMDUKICBSV1ZoS2FHSlhWakJhV0VwNlNXcHZaMlYzYjJkSlEwRm5TVU5CWjBsRFN
  sRmtWMG9LSUNCellWZE9URnBZYgogIEVaUk1GSkpTV3B2WjJWM2IyZEpRMEZuU1VO
  QlowbERRV2RKYlU1NVpHbEpOa2xEU2xsT1JGRTBTV2wzUzBsCiAgRFFXZEpRMEZuU
  1FvZ0lFTkJaMGxEU2xGa1YwcHpZVmROYVU5cFFXbGpiVFZTVW01R1dscFVTWFJaYW
  xVeFUKICBXdHZlVTVJWkc1U1JGbDBaVmRrV21ReVVsVldibHAxWWtoc0NpQWdhbE5
  JVWxSVFZGSjBUbGRSTldSSE1XcAogIE1WbXhLVGpKS1lWUm5iMmRKUldSUFRURm9k
  MlJHWkc5WFZHaFhXbTFXVUZNelVubFZNakUyVmxkMFNGRUtJCiAgQ0JUU2psbVdEQ
  npRMmxCWjBsRFFXbFZNbXh1WW0xR01HUllTbXhKYW05blpYZHZaMGxEUVdkSlEwRn
  BWbGQKICBTYlVscWIyZEphekZFVVRCbmRGWldRZ29nSUVwVVF6RllVekJzUjB4VlJ
  rNU9WbFYwVTBaU1RWSnBNSHBOTQogIFZKTlRGWmFTVTR4VVdsTVFXOW5TVU5CWjBs
  RFFXbFZTRlpwWWtkc2FsVkhSbmxaQ2lBZ1Z6RnNaRWRXZVdOCiAgNVNUWkpTSE5MU
  1VOQlowbERRV2RKUTBGcFZVaFdhV0pIYkdwVE1sWTFVbFZPUlZORFNUWkpTSE5MU1
  VOQloKICAwbERRV2RKUTBFS0lDQm5TVU5LYW1OdVdXbFBhVUZwVWxkUk1FNUVaMmx
  NUVc5blNVTkJaMGxEUVdkSlEwRgogIG5TV3hDTVZsdGVIQlplVWsyU1VOS2JsUlli
  REZQU0ZadVdRb2dJRzEwVDAxclpGRmFSekV3VDBWdk1sZHJVCiAgWGhaTTAwMFZXN
  W9UMk5FV214U01XUnBWMGR3Vm1GdVVqVlRNVWw1VVd0a1NWbHJPWFJrYlU1WFEybE
  JDaUEKICBnWjJSWWJ6VmpNRGxKVjJ0R1RtVldWa1JWVmtKMFdWUkNkMUZWY0c1U1I
  yUkNTVzR4T1daVGQwdEpRMEZuUwogIFVOS1FtUllVbTlhVnpVd1lWZE9hR1FLSUNC
  SGJIWmlhVWsyU1VoelMwbERRV2RKUTBGblNXeFdhMXBwU1RaCiAgSlEwcE9VVlpDU
  1V4VVdYcE9iRVYwVGpCYVRGWlRNVWROTUdoTFRGVjRVVkV3VFFvZ0lIUlhhM1JXVW
  5reFcKICBsWjZXVEJKYVhkTFNVTkJaMGxEUVdkSmJFSXhXVzE0Y0ZreFFtaGpiVVo
  wV2xoU2JHTnVUV2xQYVVJM1EybAogIEJaMGxEUVdkSkNpQWdRMEZuU1d4Q01WbHRl
  SEJaTUhSc1pWVldSRkpGWjJsUGFVSTNRMmxCWjBsRFFXZEpRCiAgMEZuU1VOQmFWa
  3pTakpKYW05blNXeG5NRTVFWjJsTVFXOEtJQ0JuU1VOQlowbERRV2RKUTBGblNXeE
  NNVmwKICB0ZUhCWmVVazJTVU5KZEdKRVpIQlBWM2d5VFROYWNtVldXa2RPUnpWVFZ
  IcGFSbE5GZEZoU1ZYTXdUQW9nSQogIEZVeGJrNUhVbk5TVjNCeFRURmFhRlpIZUhG
  alZHUjNZVVpzY2xOdWFIRldia1Y1UTJsQloxVXlPSHBUVld4CiAgNldURmFVMDFyV
  WtOUFJrRXpaV3hrQ2lBZ1RrMXNRak5pYkdSQ1NXNHhPV1pUZDB0SlEwRm5TVU5LVT
  JJeU8KICBUQldWMUp0WTNsSk5rbEdjMmxYVlhSUVZrWnZlVlJWUmt0WmF6a3dWRVZ
  XVTJFS0lDQlhaRkpNVlhCNFZqRgogIE9WbVZWUm5sTk1UbFhaVWQ0TVZkdE1YRlpW
  bkJPWVVoU2MxZEdSbWxrYkVwMFZtcEpTMGxEUW5obFZscExWCiAgVEZDV0ZKNU1Rb
  2dJRTlVU0VKMFlqTk5lRkZyZUZCTk1XTjNUbXBSTUZKc1FqWlpNMnN3VkZkamQwNH
  pjRXAKICBKYkRFNVpsRWlMQW9nSUNBZ0lDQjdDaUFnSUNBZ0lDQWdJbk5wWjI1aGR
  IVnlaWE1pT2lCYmV3b2dJQ0FnSQogIENBZ0lDQWdJQ0FpWVd4bklqb2dJa1ZFTkRR
  NElpd0tJQ0FnSUNBZ0lDQWdJQ0FnSW10cFpDSTZJQ0pOUTFKCiAgYUxVZGFNMFF0U
  VVGVE15MUlURXBOTFVsU1Vra3RRMFEwU2kxV1JsTktJaXdLSUNBZ0lDQWdJQ0FnSU
  NBZ0kKICBsTnBaMjVoZEhWeVpVdGxlU0k2SUhzS0lDQWdJQ0FnSUNBZ0lDQWdJQ0F
  pVUhWaWJHbGpTMlY1UlVORVNDSQogIDZJSHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJ
  Q0pqY25ZaU9pQWlSV1EwTkRnaUxBb2dJQ0FnSUNBZ0lDQWdJCiAgQ0FnSUNBZ0lsQ
  jFZbXhwWXlJNklDSkVNRGxzVGxwWVZXTkNjUzF1TjJWMVFtZHVaRVZmYmtvemVGaz
  FiREIKICBHUlZGSVptZHdaRE5DTkdGdFZqTm1XV2hzWWs0MkNpQWdRV1JvVkdSclJ
  FbEdUR1ZFVG5aSmFVSnBiM3B0VgogIFZWQkluMTlMQW9nSUNBZ0lDQWdJQ0FnSUNB
  aWMybG5ibUYwZFhKbElqb2dJa1ExUkhoQ1pFaG1SUzFYYVRZCiAgdFRGbFhTVkI2U
  1ZKUE1sRmtjbEUxVmxCWGIwaDFSbFJCYmxBNWVtOXFRMHRmWHpZS0lDQmtUalpwV1
  V0cGMKICAwTlVNV1JTUkZoSlIzZHBRMlV0VkhKVmRVRXhORXh5Y1RCaWJXcHZUa28
  xTUVZMVoyaEZUbkZQYkZSNlprUgogIDZXRlk0UW1wWGVnb2dJRkJSVERCaFoxOVdW
  M0JPTTBwaGFWVXdTRkpuVkZaMmEzVm5VbGh3UVVWRkxVSmFaCiAgRkJIUXpoQkluM
  WRMQW9nSUNBZ0lDQWdJQ0pRWVhsc2IyRmtSR2xuWlhOMElqb2dJbGhTV21aTlVqQT
  VNRU4KICB1TjJ4RVEyMUhXVEpuVDAxVFgyTkhhVVV5WXpoa05rcE1hRjh6TTFSS01
  IaDRaZ29nSUZkWGRsRkZhM2wxYwogIERkeVoxRk5jRmRhVG5GSlJrVlhRbEZhUlRK
  UFowNDBTMkl3WjJKUlNHSjNJbjFkTEFvZ0lDQWdJa05zYVdWCiAgdWRFNXZibU5sS
  WpvZ0lsQjVYMDAzZUd4dk5YSk1RamhoZEVWd1EwTlJhVUVpTEFvZ0lDQWdJbEJwYm
  tsa0kKICBqb2dJa0ZCUzFVdFRVcExWeTFIVWtSVExWTXpXa2t0UkU5T1NDMUVObFZ
  UTFRSU1JWY2lMQW9nSUNBZ0lsQgogIHBibGRwZEc1bGMzTWlPaUFpWTNGbFpETXpj
  bEp2UXpSbVNHNVdWR3A2Y21WdllWOTROVUpNUzNCTWJXaFpOCiAgV3BKWm5oQ1pVT
  lBSR2RpY1VwakNpQWdiR2g1UTFkdGIxb3pNRzlPUzJOSGRUUjBSWFpRTjNkMmMyeF
  ZPR2cKICAwYVUxdllsTlNUbWNpTEFvZ0lDQWdJazFsYzNOaFoyVkpaQ0k2SUNKT1F
  rRk5MVWxDUnpjdE5FbE5NaTFWVAogIGtzMkxVNVJUMUV0U0VaVFVpMDBURUpFSW4x
  OSJdLAogICAgIlNlcnZlck5vbmNlIjogIncwelNUNTJvSWtmMjlLemZIR1E3OGciL
  AogICAgIldpdG5lc3MiOiAiQTZKMy1FVlU1LVFHQk0tV0k0Wi1IWVVDLU9OSFAtTz
  NWQyIsCiAgICAiTWVzc2FnZUlkIjogIkE2SjMtRVZVNS1RR0JNLVdJNFotSFlVQy1
  PTkhQLU8zVkMifX0"
      ],
    "EnvelopedProfileAccount":[{
        "EnvelopeId":"MBQC-7OHA-RNBA-FRDL-R4GI-YQHA-DL36",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFDLTdPSEEtUk
  5CQS1GUkRMLVI0R0ktWVFIQS1ETDM2IiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIkNy
  ZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo0NVoifQ",
        "dig":"S512"},
      "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJDb21tb25TaWduYXR1cmUiOi
  B7CiAgICAgICJVZGYiOiAiTUROVC1XVDNHLTM0NkctNEk1VC1ZVjdGLUxUUVgtUFN
  OVCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNL
  ZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgICAiU
  HVibGljIjogIklNeU1vN2ZFeTJ2SHA4c3lRMFZVNFhpdnBKRWhnUVFTWDNqOG12YT
  RIQ19UMDVVbmhRWXEKICBWWnl1dklRRVZvMmR5TUNSbTYwUTNFMEEifX19LAogICA
  gIkFjY291bnRBZGRyZXNzIjogImFsaWNlQGV4YW1wbGUuY29tIiwKICAgICJTZXJ2
  aWNlVWRmIjogIk1CUUQtRVRYVS1IWlJXLUEyNk8tV0RUUi1LN0dJLVg2SkQiLAogI
  CAgIkVzY3Jvd0VuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUNLRC0zTVI2LV
  AyVEUtTTZVNC00TElPLVpUUkctRFpWUyIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJ
  zIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6
  ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiMXZOVUFBcDNyc3pJcGhHOEVzZ
  m9hTzVZNnNaQ24wSGM4ekNnZFFpdllwSkFjRHRta1NzQwogIGVJMmdtRFRDSzZTcl
  MxVWdQdHVZbVR3QSJ9fX0sCiAgICAiQWRtaW5pc3RyYXRvclNpZ25hdHVyZSI6IHs
  KICAgICAgIlVkZiI6ICJNRDJMLTZNN0MtWjNaMy1RM0FMLUpGWUktWklVQy1CS1VS
  IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tle
  UVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQdW
  JsaWMiOiAiYkhvS2IwYzEyRjdjaWJNXzNnWmNKWE16T09YNHNuSGdQVndPZlJZazZ
  BUkpPc0dQZW1zZAogIDJCbTBXZm1Ba1JZTzNFUTZmajhfTnpTQSJ9fX0sCiAgICAi
  Q29tbW9uRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQVlGLUQ3TEotNUlNU
  C1FVUNHLUhTR0gtN0xTUi1BQVBaIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOi
  B7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg
  0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJjN29vcko4MDhzYzlkNDBLWERoSUhn
  Q1RGejM5TUszSmpPMFE3S191ZkRFR0RLaXdWS2hkCiAgM29QUTQ0UEVxR2p3a3BwN
  09mYmNCYlNBIn19fSwKICAgICJDb21tb25BdXRoZW50aWNhdGlvbiI6IHsKICAgIC
  AgIlVkZiI6ICJNQUZULVNJTkEtU0ZYSS1QQkRZLVdSSEUtTlhZTC1EWFZUIiwKICA
  gICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgi
  OiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6I
  CJYY2dFejl5MmNxc3g0WmViR0VSVGpyTi14ek44M0QtcGN4MDY1MXgtV1VDcVlOcn
  NuelRICiAgNDBDcG9NeHVOLUZucFQ1bV9iME15dUtBIn19fSwKICAgICJSb290VWR
  mcyI6IFsiWUJKUjNqUjJQbGpkWWs1cXhiV2RIWTByVFlFYUZBa0hZM01tc1I4enZO
  MURyMzNSbkwKICBVTDNUaHJHOURNV0JaM1AtOFp5R3p5S2FRWXdlY28yWlV0Y0t3I
  l19fQ",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MAJF-DXRU-OY7F-RXLC-JZVM-LNM5-DWGS",
            "SignatureKey":{
              "PublicKeyECDH":{
                "crv":"Ed448",
                "Public":"9sZGEfYSIoTvVSL0Q5c_Oip_Hi2iOTsl4L3iLwh
  fOv9bA-5nd7PyRooKEsQx-lA7PMAYBewSOmIA"}},
            "signature":"6x3k8AC2jkUQv0jzlUVWJDqP7zcNkKAqvPcAs7Ci
  2jXULjbIFAFCct8GC8Nb8KiD5ljoLAsVHr-AnYcjklyXSHN6Gn_BIZiLiW3Yu5_Ch
  XHspywX-ZGMD6soXJIilOzreauR-_aiUE7Gx0eh3Fje2wEA"}
          ],
        "PayloadDigest":"tXPfbmg_SRmARF_7HLPq-bM6NMO1h1Oa30f_Ag_T
  IRzGKMrmTKtV7XH-h3NIBFGxOQYuD0BproKNEg6uhtG0Mw"}
      ],
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}
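
The following is an added example, not code from this specification or its reference implementation. It unfolds and decodes the ContentMetaData of the ConnectRequest envelope shown above, then runs device-side sanity checks on a ConnectResponse before any witness value is computed: the acknowledgement must echo the request the device sent and must carry a ServerNonce. The field names are those visible in the examples and their decoded payloads; the checks themselves, the constructed identifiers and nonces, and the unsigned demo envelopes are assumptions, and the witness computation is not shown because this section does not give it.

```python
import base64
import json
import re

# ContentMetaData of the ConnectRequest envelope, copied from the example
# above with the draft's line folding (newline plus indentation) left in.
FOLDED_METADATA = """ewogICJVbmlxdWVJZCI6ICJOQkFNLUlCRzctNE
  lNMi1VTks2LU5RT1EtSEZTUi00TEJEIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo1NloifQ"""


def b64u_decode(text: str) -> bytes:
    """Decode unpadded base64url, first removing any line folding."""
    text = re.sub(r"\s+", "", text)
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def open_envelope(envelope: list) -> tuple:
    """Return (metadata, body) of a plaintext [header, payload, ...] envelope."""
    header, payload = envelope[0], envelope[1]
    if "enc" in header:
        # For instance the EnvelopedRespondConnection of a CompleteResponse.
        raise ValueError("payload is encrypted; decrypt before parsing")
    metadata = json.loads(b64u_decode(header["ContentMetaData"]))
    return metadata, json.loads(b64u_decode(payload))


def check_connect_response(sent: list, response: dict) -> list:
    """Device-side sanity checks made before the witness value is computed."""
    problems = []
    envelope = response["ConnectResponse"]["EnvelopedAcknowledgeConnection"]
    metadata, body = open_envelope(envelope)
    if metadata.get("MessageType") != "AcknowledgeConnection":
        problems.append("unexpected MessageType")
    ack = body.get("AcknowledgeConnection", {})
    echoed = ack.get("EnvelopedRequestConnection")
    if not echoed or (echoed[0].get("EnvelopeId"), b64u_decode(echoed[1])) != (
            sent[0]["EnvelopeId"], b64u_decode(sent[1])):
        problems.append("echoed request differs from the request sent")
    if not ack.get("ServerNonce"):
        problems.append("ServerNonce missing")
    return problems


def make_envelope(envelope_id: str, message_type: str, body: dict) -> list:
    """Build a constructed plaintext envelope for the demo (not signed)."""
    metadata = json.dumps({"MessageType": message_type}).encode()
    header = {"EnvelopeId": envelope_id, "ContentMetaData": b64u_encode(metadata)}
    return [header, b64u_encode(json.dumps(body).encode())]


def make_response(echoed_request: list, server_nonce) -> dict:
    """Build a constructed ConnectResponse around an echoed request."""
    ack = {"EnvelopedRequestConnection": echoed_request}
    if server_nonce:
        ack["ServerNonce"] = server_nonce
    envelope = make_envelope("CONSTRUCTED-ACK-ID", "AcknowledgeConnection",
                             {"AcknowledgeConnection": ack})
    return {"ConnectResponse": {"EnvelopedAcknowledgeConnection": envelope}}


def demo() -> dict:
    def request(address: str) -> list:
        return make_envelope("CONSTRUCTED-REQUEST-ID", "RequestConnection", {
            "RequestConnection": {"AccountAddress": address,
                                  "ClientNonce": "constructed-client-nonce"}})
    sent = request("alice@example.com")
    altered = request("other@example.com")  # same id, different content
    nonce = "constructed-server-nonce"
    return {
        "page_metadata": json.loads(b64u_decode(FOLDED_METADATA)),
        "good": check_connect_response(sent, make_response(sent, nonce)),
        "altered": check_connect_response(sent, make_response(altered, nonce)),
        "no_nonce": check_connect_response(sent, make_response(sent, None)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```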

6.4.2. Complete

The complete operation is used to complete the binding of a device to the account regardless of whether the operation is initiated by the administration device or the connecting device.

The complete request is made to the service, not the account. The payload specifies the account the device is requesting completion for and the identifier of the completion message.

{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDDD-KNM4-KUZH-QVC4-KWLI-5NBW-T54I"}}

The response payload:

{
  "CompleteResponse":{
    "EnvelopedRespondConnection":[{
        "EnvelopeId":"MAXJ-OILL-BOXO-U6UW-C7T5-ONQV-PY7R",
        "enc":"A256CBC",
        "Salt":"XnZVi9-npm0l29WsKI7Leg",
        "recipients":[{
            "kid":"MCDZ-EA37-PPLA-V5BR-36TP-NKDB-44WU",
            "epk":{
              "PublicKeyECDH":{
                "crv":"X448",
                "Public":"wS0AFAueGZ5yW7naIw6aoRiXzlJi0WscQOMf2md
  18fxRLQSO9dVGcPXJBKf7r7F9jOmX3E5SC62A"}},
            "wmk":"Ve5H9q2D9v4TqVlWRIYP57loyBwVuXjMHN1LRq0j-m_8fX
  42Aav5tA"}
          ],
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNRERELUtOTTQtS1
  VaSC1RVkM0LUtXTEktNU5CVy1UNTRJIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVzcG9
  uZENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo1NloifQ",
        "SequenceInfo":{
          "Index":3,
          "TreePosition":449},
        "Received":"2024-10-14T13:10:56Z"},
      "xMjsh-u3PRAtFIo8z66UN-y-dmUHrd1HXfTWvLNg2QiUIEd_SM8FxrWJZo
  -dGskr_v86x37ONuvmO1P2TiJ-TMJdp_B6oe32fhuJ8UIHzuPP9i7ZwRkMaYPE1-5
  ya3ROYEloRZG3Cy1Yw-R6Cb2J0Ox1i_OWmZn7U-ppMVMd5_OcNWnR23MXT7l8ULCn
  f_UcjIIUqFDQqHTJsuKMuCTUidBm4CwLZIivl9JV6-yXRNqJjO2Fthz7qE-FXuzFo
  RSGI28MXy4lCgWFRnQP_pPQkVokllNZu74vYT3ZU_MoF_YRYRXD7TrjH-TI7cA-Y-
  YKWpEMhBjMV-tEPHWRssztWaSdj5K5dVHHOFxQFHb1f77JdGtwkoumYB4V1VX-iq9
  Qql0g6pbw1_EsOg2ycNUaXiuWdpXoVH_spEZZFLXEQCOCrnOHJxsMYahsS2NpA8oI
  E9kdHhs_NQW3FNMvt5JAmON2ZWFvqxIVlElRFEONFfBgG4qwMIXJUCdS94575sLS-
  9H00ff-pyIvFCF8EpWKC0z0f_v5DSUw0xyMo36zhfcpSKpxuJFrGWoEwnP1G_TyIY
  fB4Pj1XD0R8JHhMrN9qp9FGswSIcZD3z_B7pS3hFr7GT0HayGH7hgs3YRdSn_0j3Y
  rcSIX7XnYIus65kLcnZuq6Gawcw0_U8tMrTwDDHCuaIXVhK-_FI83RVhQygAonpAk
  53XRG6VHDTK8hO1mmCdV2OMB5ZEZbCx0i-SJS871y2eNNUUIBrgP3Et6eJsRLbFHJ
  anXdOL6Jv-cHN1En8NlrYOF32UXID27MOi-HfVnixawKEm_K7oyG6Zl3eHUW2OkOC
  8cDRm_8OKEFMWIcdYdwMnklN-bxasoCeJas9sQwvzT9CjfAsiGM0hWryXswO1C2xb
  IWrWL8QfAn-h_XpwCasR66U40EsgmWkFpwdWJa-rzqzKEIVB1CWcGNtuq3dhStI9r
  KwVnyj9CNi87oZcT6fVR9xy03qRdSjzwJZmQcoDWv7LTY-sDSbGKbwsx2QEx8dw0x
  vCTeaJoMQlXIP7i7GmNIE8m2WYBxJShliO3kcVL07oUeGToFus68VDuVwkMSiUQuj
  eQGIyHpH5SLUhjG7cvM6eVSuh8DWOzLebSW77OdcbeEcKYDYptwgo5Zno0aoi1zxZ
  2oBCqcXWkWVUbz7IK3lDAY2PFabwaEiCHYw6kTV0X-ECrxCEn_xORF1-0lDMvW1F5
  3fA18D9Klz2g-eCrjbJhWSxaoP3NNBH1t1fGctbsE-Be-tw9Kval9GONTALt3CbB_
  ZBWg5J6hZCOMx3Yj896Puz1OsLJBariFJWEe-3qFGVMb1NupCTslPaEjWky7MZTmC
  CV8IKD1xIa-Q_nS7UUW7X8z93jrSIzpg60ghxlZ6EuJhIiaGpzW_1slUDBLh8Oa3o
  WkpCATbyRoaa2yVzbp9hLyhBNqyDe8Ndc1uHEifJCXr-XNPXEyvKUt58yUhFwATN6
  narNULPa7balWoKGsOHZpSs29lWjL-SXFV3hV4WYCSJc9rNbTLb9MFddwE68Y_4kp
  2yIO2dcDZ1gc-EAGDBB1Bfu-wjaNAn0oLrscHdT2iA87IsNSUz72ZL2kb_ruanZtM
  vGWxoP8Wlp-PFb1XgA61AdgYwtpWKkCS88BuuYYRODlwOn74dc0tXwZyS_13w0cy-
  AEd1roanNtAtLPxKW4-BQF93tf3aQxHJ9FHCdxvK8p7botB6pbTHj3rYzfCHlfsUd
  t8l9xvCDm-EIWx0xziLCn1f3GIrhJEcJXqQomUe5j86kCiyW01IDHJtLqDfX-_sWn
  GLiYpW8WAfHmO0lzf29dzKHsdSSRepcHb0ikpDUlWPun9F4BXbc8SxfuwXFbOhEu5
  0kx3M_k2Y1C0wjLUlAPE8ckT-ByYruiiOEVifXVv4lmPFcaSNwIr-L28zqqPH1NwW
  tXWsQpapN-_QcBfJp4Q9kYZaN5PAbxULPN3Z2i2XDhWoHRfbWNpKrNxxS6fxcpGVR
  OdYtygDyhwdueBLw3AFqE5qcyaXI9__WSni1gAxnRCrdp2rCeDPM6JurBgmNpmMp-
  vuyS8CVVJ2wU1SZ8u2ZGKBTVxIoxPnKoqmjzL2d0n6kx3-qGx9o9heFC_JEj-xCUL
  XXqInKcn8PHLkdfHAYjpA-BIU5LOdH6pzrHPkczbkeg_YugPg8MXtP4ykSDzz5Fwh
  vqdy8V9lk1VGx9wSMSbqMPKZWyhnnNaWFw0NsU6aMHHM_RD7ZcgyC8XtlljA2_Tgm
  qNc_IskgRantjiY9_uUUIOu3OXhPZv9n7wVAFwFUargeB0WIH-6CRSko0TQJ2STn_
  dYHUd57FNQlUZEWrFtImtZX2m_YzUwdXeZstXi6GQVtLoF8SNQMlxXbI5iRWeaKFJ
  9z3YB21N0trB7TQGwBOQPuwHLNHOemRPkQjVGkap6Dv3lq7SBBABJz-IYs6QkXbif
  ahjc2KXvAKuikExdztdCozWWxUeUfLySB3dkl7syr_yJ0uN-RpWhZ59Nvg028R6JZ
  p_Anvb2MNtA4OlwcXfuie8cxVmZnIrhmpdUuy9hAc0wQ0xLW1rxlMkMoxNBR7xYP6
  HFKN4jp2x_gOzpulrdnR42GoQeJH54uMBPIxprhcQicnFaEVZKSFIqKkAp88ilvYf
  qSKlh9YtfPEDMLHMHOmU2yExRrvUuMbA2LUi75DO3321rPrVotmUX6r1rjfasxCso
  ph-aUZY2HrGrzmVcIfb-KTPQaxYcG9IMH9PrUEzzwE3z6lccnU1qAF4b4rz22Px6q
  TyjcDuR2p7GbE_Fh73lTwmAkMBjJfvP8cUFGei2qe4gaJUqCk7CyLHNlAauacURzT
  iRbT3fmlv11mShXNrzM6VqI2c5_2hp9mCih1xaFBJcL-zKI49yVzHoJeG_657ozzu
  TATHtqrKf84vKQGOQMUMAwDm-G7w7XsKNbehEC-xxFl0ei2bn4vfP7mZQoPTCUwRO
  luvLZBXvsZaiLtLx4W-rMeV46MHi9AGMnhLw6JDaGuIEQbi8brgmc3wiasRYjPgNp
  fer8aj9tw_rXeFK2U-JDmaiznH7_crrv6x3QDsMEFEHazvooGdsQeP9rxdlQqSj48
  QIt-kEjbNLKG6G9jAvt0jCPeqzz8oay89Kp0JGYFYeaeV3oHkMlZQ3l_JGIx8ewIy
  eKgCjrNCzBJKx8cHmBwJFI7ATrQw1FoLOqm6VBYiODZOAag47qXrFjeFGBWHCjSmN
  R0Qwkc7qa99N1lY-GEdvujxiljNhdrSbEUzjnsG2-3p87N5_kXzqgZKrVQykYzXYM
  NtrgV9wzhVnuu28M1Vn7JPe9y2NzcxOGYtNyjj_bjY-yR63kPhQaUr4v4kEjW-koN
  k15ju-9yIKyHqMVLm2gK02rRjwD1OMfISaWCyMn9sVeaXdl9o_iU_3jEGdnWnH1wt
  1UtK0hkYO-ZaA9KdnhNcX-M2qMYYyG68U0iOwqng6It9Nlto-JufKbNk_a9KqOVVs
  COpqzB7m7Nk8LkTZoDi7tvQ36eLDd5KGMTyJutFIbB3pdzKHKNf9cgBOozzqUephy
  6uSJIhP9ntqC_DcpTBA-XnzC7cBzMviI7bAA7t4bcmUyiWz_CTViyMlfWjz5mLoxW
  tXK2U0KQhuiYeun_QoYk5OIdgbBkX7Ht5XhC__mG5sngl-4Mn-0Ua4PP3pqgxrWFq
  We1gxKxbCDEsEdEApzLY9yg6g9CFlb3cVtNlipaK3w-IOF2eeMqbWQx_JrpBBYf74
  l56AvD2aVaN_Hlmc1sfIZRJlT2W-aK1DvI1o3QTTSUSwqIH4mDE2ZBpqxyucMHS0-
  W23p8MeecbfkAVUwUrcnh36jUIQoXAdwxGei5w2zSw92LItiL3SK1s0Q3kx3XhR1D
  UeIcRrHYzBkWNSf2m3JZit8M3oiHp-ZxIZKdEpVrRethPqeGg3Qy4HPiO4ONBJB-W
  suKKbC_9QxrUTvPyAi2T6IKP_wrcIqE7m1wLJ57m19h1SC8CtovdCvGryqvIu0bh9
  Yc7KXigPbVXsQgIvhDC_in3YPeE84yZEiZ20qMT32ab2p_hMdHORDntohEx06P5yW
  y9j0uGhuFnlRwnnTWzpHl1_mPeeVeMK06VLOzjgqPM6NYq49EcTUMQMwj28OV2col
  sr8JS79mTKQjwz1qOhYRVzLaj1mXrsNMZSZmr_LcJg0KHfYaOGPsvttWMV4z-6rVB
  hTg87imU6Dr8GqLpwlOx6mgo8TwK-5i1SdwQoGfhtLI8Nfl9x3grYoszUuZ0EzLIy
  c8Ci00Ue_Wfrnbp56CiNd6S0w0vIdZqXRt5kQz-P4SpAxtijd97pxrZArOXvKhHhN
  et0dBaKPH_LEjAVgIVw9xCzONtvIuO74Ms-TWb1ox1Gl5Ud3PzyB_klw40S5tTu4o
  iCksE2jRXpEDbxoX4XVVf2W-eyTBNdi6lS0-zGggJ4gWeeG8VYEYb9zD6JjrNSWtt
  0ryVqvvcwGcRxhylD-j9TWdPJgyuHk2vxYbDng4yIQrYO08xoTsMOgMh-eCi1MLoQ
  8oBkjFflRZ2-IvpPRmVIT-v9dinkCSYJSUAEga3joafduPcqAb3uVQNZU--Ir_evR
  N_KuhRCFvPeHRuVaJfE3ZHLoXr96NAzOZScwV0wp7oqgHNxnrzksWUJac0tAd9ms3
  ThoWWTY5tkqmw_0hdrY9f_tLFj5yNXnnm56gxteBH84e4ediBB52jSpuKLaKa8-i2
  iUVqJR0EP9j5bg0GoM5MS0Ew2_3QWjv58lkhdMj1UQ5pk1bAaif9uOm5OkCuAb9ry
  kskigSsD63U4uPsidFlcHwjCK_WSC0WC8Wh1a2dB4AxBFBMpuSNg_gzwsn3ZcCxil
  MxLHZyhfdi8Kp3E12NHmxJHxmTEz8TvsZWxely-tLjzVHrnhNcDJ4rRp9Qpxmjlss
  047K57--zKC7Dcvydq71KLTpoG1SKm8z9q37LWigi5v5b1qbDDB7giL3FI5tPygEl
  DMXjiWOnHiqbZmp3q1Ockbhwz6BrTcPsXtsyPgnXH6c88LF8U_NJXYbkoTZszoo7x
  5YrdTyQdFj6VrreaKPD15z4V6wxlN9U4b3bTD_29qtzkV4IWznI0JAEE9Dd2Y3-oJ
  CXnm-I5KG94cLMnuc2DgColDSUUsJwjz8iWhhp6Z8C1cgwAAivlHr8IGZ2u14QUyu
  4jQ3Qrssr4GzUJOO8tyUZIYXhz2ytRJd_my7-ZQsYunclhaT6dlvqI7-H3y3hveae
  b_oTW6ITYHfOpltkedGvMhJJgx3vRA10X5s5p0ClkL2q4fAnySrZYkjj2KWWZmzdj
  OVWOyzZvJSN1kFwPp-c-UhLEQhcD9jOq5_x2dK8tt1Axq8CGzZHBxzQ3C1lqxNWFH
  KHwDiyB1_T73bLPG5FaaI7nbBkCbSyDBKDeWH4ARxxjgPit-jyn8xZwP4G2QmBl42
  OqMavhkCPSfZwyAKcRzzLEZU267It14hvKVfnfwhxZuFYrgAMy0BK1CDkWeKR6aCu
  k_XSmPpAqGBvOFttSQcsPBFpaINf38el0ATz2vUYthS35RUoy65i5-ngSGZbK_wye
  RYnODJzVyy7RfGsHsXVxIBVFxrHnfw1wSK7QPNmI-7Qd9UOtXtn5JbEBiez04JqVJ
  hDf5gxT9dRK2pSHgdMgljax2RxF_PX2nSO8jLm69xAjdR0mznPsjC3SynY37FDk3N
  4qR5rpcQD14SKK-ys2a0Nk8YbdclXJZUdJen63vA86I8n5kIyx3GTyqviXp9EpCsC
  MEJi3ce-9IwEqO9urTEPVTAbucShufORyeVp1FCFNbW04Nj4SWvnX8AMBU0okj0SQ
  4fScQkynIsBFe23mpH2Ul236KYqwQN4miyAbPOsVGYsu76yfNgbW3LybTTd-wSpJk
  MhXOll_Ua62B2MKTdoUMOPGqR0j6rRp4DVqdE0jd0XD4KwxURQ_-5l7MMvwZwZtKb
  98NJ-D83lJy_F5b7XghPYVD22xdzLYYI7D5LVLUSEn-Jay2B568mpmkyTDnK2n1Xl
  wmQv3z7Rox9uAZTfNPY5eNnio57H6w7hZYEnoqUYg31vK3QrXRXDxSOLIcb-sDW6b
  He4cabXYscj1e158eIX0m8OhixBROWwEhn2Ag86QSAoySPhexspOJfmDtTc1rlWGi
  VbVEfvuWiq_pnPU-6e14zIwSfdvFxNaKRx-sUUUpP-VSmiPTrmWZNCTVCxBLcPbZ6
  ixCFoM3FQBk9HdQatLxeU9hUsLCoqOfKnPuWrhozrGpDtfBUGtM9dmpiIVsRXkxnH
  snuv21jd2WUDbh4zNIt8QRCTz4tq3av8HFNc1dem2M_OYbYpRqv6MN8VL2tdJL367
  MNIlxQrV0aHZxxyOt7K9ViOphMs1efg2oXOCim0QU4VsnwSE9PzSmjsBbrKZDGae8
  DJ-yqU3VJC9A8ZgWvyRo07N-Kka1dp2rlTe9hwJwu3IsN13Qu-QUe36qZGhomSVfZ
  ZmWVI3Ymna9GjJQ44MxVtkJCUePPASq6KuC64imqmNmgxPlKdEh23Ntbe8F3__-8M
  dqyZqR4mvzlGQafTrmoianreGT2sbPtPpuYWHtBGBmxpPPEDrMz7CsZBW__pQrfsQ
  cTNbSED71AZ8865aQXrXFMkksG3hGKd7ZVOpyWL_oavx9FfRD4FHewsiQyv5IXPsS
  FaUCuOciXzD31psU9SQgDARLHK03NT4ivpx0yNfvOCFV3ow_F0WWtnPRlrnjuPPeM
  mK6lHmoiaptQMpefgZDyRsa4MYi2aWvj5xM4CaJfYdJJB6F4BroRCSk955wbvzShp
  asQweP_nl3LdzLTPpC9KDaUEOOm2SDzb_YoJUXZRreAMeirIg1RavW_QJQI7tY5FE
  3JnZ0-FUrKtptt8GDXl4-zO4n1QeBHO1EdrhjKsbn9Jwsq00_6BvOpYww05mEBWJD
  SskwFp7lJJ2MO1QEPNbp9-vbDfxR5f6CvMD1idrXowPX4PqlOBT1tM9i9W04F_jZ_
  mZ2CdYqUzGG1jmUfoPra7WIdM1rcgOt3xzzr9KcofiMLuueSlGvvIVEg2dTr8OOAB
  pTDtxubNtHXaCpLiZtrteMaIbCkji7sT5iK2GtQJ0VA9XaHSub9sKayzX32KYf_ct
  Nvht-Q5Jeff5jSEvWI05ifWbNVfF3Mt9BwBuPxEJGK_sFWMIlaQHDwIkU-qXunMnB
  ThpcbEDyDx5D7JCxrOQfeUlwVA9LGvXPaRIa425ybKYMe_5draTPud5oQkjgCIiuC
  7UUGYEyXFxmqI2vUTlrCjdf7p3EsLzHpzgFjzQnWYNFgBs0qr0tnlKQFfRm3F44XR
  9_joH_shMOZ3YC-qOC-2o7Uag7JLx2z3yGU2_igbalsCbh0F_9m4Qt0KxESed7pNK
  Q1KN5h8XLr8tehgYE2nJics0wTqdsluXft1xtXlUh5zeVEolJiiJaj9AqF30VNtQu
  ucKINFE-9iMCMvBWWlHJOK71nlkiRI9FZ6Nfn3G_0wnOS91_2SkfFbFm2JYPqJKot
  i_SMIi_YDPSMEhBv2D-lMHo8HPpQJGyIlTxooFPfhws5hqEkkj-phmYgG-jiluo5r
  rtiv1ctaMzv5u3QBU6QI-5FYAyP2qv7KgYcsJS135dzfmCnBJEyjxT2T7Vrrvukt_
  VaYDxmD5v8IvXqPCva1Fy2p9p5lTW4vwODXuadfbhiWgGkh9x-MB5JO2c2Q63zsjC
  F5QCIUtTPKPbLnryUQJxm-VeJ0Mk8tRr4e46-vHbsjAGIxznBPmsfk9Vc0Y_TSXsZ
  YfoObRWN5DbPFBG-v8j_9ptKE68UiNJgFwfCx6WhnAYdWTGNBWqyMUx5oUnot7P6c
  YPcw2nPsD_uh7dfVha-c25hNbWLZXAdtikSRSRrD3AMUGXwasJZOR3xlge3HRda0T
  6e2lc-cGWbN4KdkPBlBSvHauswJkRUZxrB5-IcJ4K4ix6B-5DXss3GmcVlau_h8bc
  2YZ2iUVbL2KMmi_PZxO4xBnKMUX8RLYeix8ilxAmhJryqRGDUScrK38WGGW7R-Po3
  VfMKtDBB1NE36H67DzNyfGbz3n-lVDZwh3xxnZvOtYbp0kZ6O2SoD9CmQQ5h2PGIN
  CkmyqaoXLHt5FNAcQamExyKcLi0vkMlnLW0efnVBeqZYTiA341fV9K_1Wzzteel7l
  41VFtuWwS5h5HmiCBsYmPiPmZNGJdp5ZC7TwIfkYhw2JIfveYGsNHBTRS8FNzCnNi
  Fjrmba-CxETd0rE_AJ3BceNzcx8tvISGxIGyff6twwB_a2A4Hjk3QUmV4fkI-dBMs
  fGXs40GCcaI_AQObkCzYH8Qkz84zkyVI2JtH4CpDZMSpxIRRJm4VTOUIFkn4qwnkC
  SwRp2z1Xz56xaPUxugJ1zrsFtqnNQfJe9jngxicT8io5wmRCZanZ8IqZ9l-oXR3EK
  2Kcvff6vD1p-IBDgc8N7GdGlaOYUPB3vzlVf0hRQY7Qiq0x3EgtVJN6CsLlh34Ix4
  DJZiyFrVF-IHegiltlFfhSVvigRfa7hYYxIVw0TmyfaICeqqeWAL93NVTX2O5Sk5Q
  HlP6llwaCNsWDPgogiFyjlCRjTmioJlnxvijgJUHqZnUYnteIcicFnAeTuKvClZge
  4I0m9cOokhE5Q6LlatVdTfGeCCsab1-HILIceA6hxsx_nByv6OOOBu-T1q3g3koLy
  Hp24rmHjSYMc8RAha4apUMe_L9IQBucAaH1ttqx1GDd6M8I4ReGBmMcD5YOahEM7i
  2ywNjLeFiXjKCAOAUIpvRAm9pcFRQgo3K-uhNs1CEUz1Tck2hBEcLW1onxXNueDr5
  lPRQOTnPmfrw0YiC-RJ14TwihK6YFtnPytzRTBkpRKvwE3JYXggKMIWpetMklGxk1
  LGyXPiytXKZrgivBxSfI4HMuJWf6j6jWdbRYDdtiZJtmbnBbV-J1Jof_Erd9LpIyi
  YXB4eonuXKO3cnXQLdZVRSTc0nCwJqm27XA-PdzfDHvY4e6hStHelN3D76hBhAGsC
  4iFv8U3As6Mwcms88fZsdW2pXahtgUPm9mmtzBJ9EK-9vpZxC6YouO2nuhWDGfVmy
  Sn7S3HXhNNnwD_jlsLz5U6YakCRlLVosRwXv_WT1m3HTl0hmJsOGvyCV_aJHpZtSo
  aMOTeqNlMCMhHZ1mQKmkZ8b6g81y79q-2Idqp321QAjhiReGRlueCDD-Zewuru0UX
  vrv0D8bdeSjdSt8aahm8_IXdQsPKbonW2zgYWpaqkkMACyTEyFmiB_nttTsP68IrW
  59gH2hl5mC8BbJvEvdVrtL3slA24_Zd29PvioUoOQkpxUZ8tLqos7M-KbEKQWpBe5
  EkBY7pBhakLTUXHX6oQzDQN2PucmnNkQaAZ1uOGShU8oXDf_W5H3W8M90rsV9kH1z
  rxnIx87iOLJdbAAG30t3HuNfd4feKtNdB8g-2A8-DHcItMIl8NvNoizzHoc_X9P6Q
  AKeIqF3UCCtXiFYRICv0bt-FpMoPZioOSZ-1dD3iauugjy1Lz-LHynrMBA4WAph_E
  MoPDqy1Nk2-LRErfS-2mKbaFidSfIA_aDgssCR9nsZwA2SsKZ5-bZlaHRcP3iH8-W
  7LPNKjx4ZTHSq8W0lpez4Tytd-4mzyc5NugaOQ-l0TgzbBY4PNW4A2_WnxmpJ1xad
  xbOCsnY2mV4bQSIbCYKibJrUpzNtSWm-5cGx0iElOzeVolKsjdgby7_Bn9q5VECyr
  0Pcm6CZ-HjhmbRzgHqdlIgsv52jZEwwBDAe9bDE84tvnoqLWJ0Gqqm7_oYVJm6S4C
  JE3VadRYRbV38Sz_8_ltVtGYGDGR2x7t0UyXFSEOSD2cJ0PGjCJKL3xPnxJHN5g1o
  O--arujsB7gdSF-hfLjQVlzfrbBs4n2DRMaiXX9O2toFcWI4vEyC-AfXodLXnc_cQ
  AaHwLgCDDHJWT1EF8l1fnPNCt4o4nJZxZ7Fg7_M0iGmYrY8JlJ55OLO5KPbzuWMP8
  eQEMKFBcUSXIzLuVu9h76W6dwyCJzslgi1oDj1G2fWstcc2i_3fpHdr47gBE9Rb9Z
  qGPhcZIFTqIlp-IL6SekFONhOD_nH5H-ImSEu21pTKOb6SbYa1_9s0HdufbGl3oA7
  Mze49xrrWP65KpVuAjrAaHO96gKnofR55O37hZRijbLPCK_74Z9AFvww5At2UZ61l
  _tefuiUN14nuwAxFw91AXyPLPOSuwmM1k0B0ihbvNGvo5g3pLCjFA_3lH6kaOomA6
  7aQaKM5lWAFfhlqgj1z9F9RcYz2D6nUBpkSmwy4rZ58ua1nz6BTMJ24r2ZATML-fN
  k4dOS8l07x6f5CFWDS3L3i0fX7HYHtqTTi-Gd08XZ-FcHw1wfxKlhzix-ncDmHAOW
  nzurCeEw_SOAuBnrEz1LAZp8X9eXcJ2sm1ddM9DBtJJsgj6qycfNF7Sf9oa979jQE
  iCmY2L4zf7JwP2eTX4NA8uv-Tg7g9U1iwj3kUYOjNdFzDCSJksUIfhgNn_obRg-59
  _zE4TqzZCeMgb6wtMeNZ7ty7HONNO8iFwjGhySO7cGqAAdul6Pgw-MxQ6HnYjLl5i
  U_fxvo-bM5opkRVLQmBR4cn27CnkMNYhK_FAXZ_CtjjNTB3tuFhhafsITXS5tLxGV
  TkMwPXw0u22_Ut2sm8_6V6u5w2LnGazZxjUeqoEQwsI_qpnv-bLPVlvZZLtq6VWQT
  lq6_-xXICmnQxRylpfz5yRQ7a_8B_qdm24QB7IUZemCMJGaXSJJf-5TFXierDY3SW
  5Im22na_ekwAhqLWyoTYXilE3kpbkRXFPJ6TYOLb3vpFOBl0azqUVyNNI",
      {}
      ],
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

6.5. Publication

[Future: Consider eliminating this mechanism entirely and instead using messaging flows. The means of achieving this should become more apparent when the problem of publishing large messages via a pull mechanism is considered.]

The Publication mechanism allows content to be published through a Mesh Account and retrieved by means of the EARL mechanism described in Uniform Data Fingerprint [draft-hallambaker-mesh-udf]. This mechanism is used in certain flows supported by the Mesh Device Connection and Contact Exchange functions. There are two operations:

Claim: Post a claim to a published document.

PollClaim: Check to see if a claim has been posted.

Content is published by appending an entry to an account's Publication catalog by means of a Transact operation. The content may then be retrieved by issuing a claim to the account specifying the publication identifier that is authenticated under the value specified in the EARL.

Use of the Publication catalog to post content necessarily requires that the content be smaller than the maximum message size imposed by the Mesh Service so that it can be uploaded to the service by means of a Transact transaction.

Publication of large data items will require modification of the protocol to support use of a detached message body. Transfer of a detached message body is outside the scope of this document.

6.5.1. Claim Transaction

The claim transaction is used to post a claim to a document published by means of an EARL. The claim interaction is used in the Static QR Code connection interaction but MAY be used for other purposes as required by Mesh applications.

A claim is made by sending a ClaimRequest message to the service to which the publication is posted. The service responds with a ClaimResponse message specifying the success or failure of the claim.

A device is preconfigured during manufacture and a Device Description published to the EARL:

The client claiming the publication creates a claim message specifying the resource being claimed and the address of the Mesh account making the claim.

{
  "MessageClaim":{
    "PublicationId":"EBQJ-VQU2-NBCP-XCDF-PFWE-J5H4-BR26",
    "ServiceAuthenticate":"AAF3-24BG-U75Y-3GT3-K6NG-KXWE-QCWA",
    "DeviceAuthenticate":"AD7A-4KSW-37QZ-JGT7-SKGV-KZH2-36C3",
    "MessageId":"NB4P-XQDR-JVO4-MD6R-47BZ-G6ED-J543",
    "Sender":"alice@example.com",
    "Recipient":"maker@example.com"}}

The message is signed by the claimant to make a ClaimRequest to the service:

{
  "ClaimRequest":{
    "EnvelopedMessageClaim":[{
        "EnvelopeId":"MCET-4P2O-3PEK-4PCH-7HGM-N5RL-M36D",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQjRQLVhRRFItSl
  ZPNC1NRDZSLTQ3QlotRzZFRC1KNTQzIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F
  nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD
  cmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NThaIn0",
        "dig":"S512"},
      "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiUHVibGljYXRpb25JZCI6IC
  JFQlFKLVZRVTItTkJDUC1YQ0RGLVBGV0UtSjVINC1CUjI2IiwKICAgICJTZXJ2aWN
  lQXV0aGVudGljYXRlIjogIkFBRjMtMjRCRy1VNzVZLTNHVDMtSzZORy1LWFdFLVFD
  V0EiLAogICAgIkRldmljZUF1dGhlbnRpY2F0ZSI6ICJBRDdBLTRLU1ctMzdRWi1KR
  1Q3LVNLR1YtS1pIMi0zNkMzIiwKICAgICJNZXNzYWdlSWQiOiAiTkI0UC1YUURSLU
  pWTzQtTUQ2Ui00N0JaLUc2RUQtSjU0MyIsCiAgICAiU2VuZGVyIjogImFsaWNlQGV
  4YW1wbGUuY29tIiwKICAgICJSZWNpcGllbnQiOiAibWFrZXJAZXhhbXBsZS5jb20i
  fX0",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MDNT-WT3G-346G-4I5T-YV7F-LTQX-PSNT",
            "signature":"z03VvboD_IvshEuYEuRalFRGERvq1vHOJIWJzPNU
  gwLURsGLxxtfjE_1JtNWYe8kndOhVJo9_46A_Vx2DiAZ4ngzzYXoSpqAFgz7Ejqd5
  s1B7K1ehk5ToIK0oYOGoQ--npioQHEccyfUrQalwe76zx4A"}
          ],
        "PayloadDigest":"aobSWyLEGCMF0JbRdOst2LQPvpXI3ZVd45r3sjaV
  uO0FwMNtiiCGmjArENV3rVarWEAwLGBVYhVnpqw-S43pXw"}
      ]}}

The publication is found and the claim is accepted; the publication is returned in the response.

{
  "ClaimResponse":{
    "CatalogedPublication":{
      "Id":"EBQJ-VQU2-NBCP-XCDF-PFWE-J5H4-BR26",
      "Authenticator":"ECMR-LTTI-XRTX-EXOY-K7U4-WHBZ-B6RQ-EECF-S44N
-ZACS-OPFF-73UN-WOHB-U",
      "EnvelopedData":[{
          "enc":"A256CBC",
          "kid":"EBQL-OM6D-RFHG-GGS3-DROH-6PLS-MU3G",
          "Salt":"Y5tvWUmCqp4z2DDdAWa_tw",
          "recipients":[{
              "kid":"EBQJ-VQU2-NBCP-XCDF-PFWE-J5H4-BR26",
              "wmk":"YfJu1nJPXW1hRH7eDes_N9LMAXai-3hjO9uUKvFpC2MY
  vZQllFjIhw"}
            ]},
        "6HQDAIDsWjnl6nkYcLwyXpNcxXCgsEq1S9E9M2FiLYImPgefjo4baMQL
  fQWa_Al9yjHLNSziOPidvQ-tpk-PmhrtwzAC4-9FC7AHPyicqzTk3dtsRLigqi9mL
  VW02h1zrJnTR8sHkt_WO4_FrmkqLHeTsZlqXm9No78UINGHt_ntffBd2NPwfiejkV
  l6X5DA_CxwPZdFS3cOUORyJjgMCKcrbast50u2rGieT9nBCGAxqMffwK5T35eRGKS
  OLh-92hXRF0K6yM1RBkXCTpCFdz807NnJPXiY1kwPwjptPVwTNsTgAXMl-IqGuaM5
  Qglj4thR-OnQgDui_T51VAKBaICGjYbsGsq9XfJlrrQf9VJIVQ42C3REPaE1a07wI
  USLrjKxEgT9K13Y9BrP47rI43Z-75rC60C0nA5gzFQSlOtRt8LdcN_sX-JN_maY7M
  hZCVYdehKxUgAUqCt5MHuliQA4atczYIyDbUy2o31xj5vUtL0cX7MSIDu3F26P3w0
  jVwDeNW1HfCs33_kqQHzLATr6vTwsgFkwhrq_DGbkJhGAiZjGfG-9s4CEckUUByDr
  Qu-umCAsnIWHPeLywTFiOtE9t7oPD_C1oIzf0MG0Jxl4CCS23X59lIrQzba1a7tXs
  6oCJtSsPqLVdIHzOW0pK96725VLPnBHwo2DcjM4aWHLqr1dk5WGrSNBgeT_y6hH2y
  pE6xfeh57oTxCX8S0ThzKrm7nnVWVxBKE9YEyWJExEBqJEbiTeQqk0RwhLcgb1ECN
  DHuwIe9FWwfJOltyI1bja65EzBKiJrHLF1mjJEZIlTfLzzH-49Mf4zO9N6pdO_MmG
  VJJw_WvZZ-aBHoGLtP6SLLbAFPizSX_-io_eqIzmAnDLVZUJXNpHpUad87tX7gSJj
  J4J83E9vD1sA9BYzwRZiX6aRpaUxn-8Q2Af9Po4_mOjZPMtwwWrk883Wpz23WiIxf
  pVOPVazd95pqCdrQXLRQbTE-xa8ZI5uPz3vtNdiNy5I7gMYzANoU764CAWjVap8Fi
  dQBlALt2rEJ6fG87ulmYcmP-D3aeh9Cs-0r3mBlNWZnlf7y7yjfKRGmQRC6QyPToL
  kdg6bXAxpf7Mxao28VCcClTKsdr5IxknIZiarsi6lqOgYvYS2hbC2fnuSU6cRRAUH
  7EIVS--7nDLYtDAZAoS1ZEkAbc4R6Qq5LeDTbW3I9UwjhY5d0wKeQh_6MBzU4wUAV
  2kLDaOFId5PEYJMXdo2OwKTv6IGMEx7umcM0TReGp8-uqElp2Fp7VZGzzeCI4g0_C
  FsO3aY_uyHBYLZq9JiHgDG7decs0YxOzHmpiYaMqgCNkfJNTsbJ1sCUdTXabUM5Tp
  JB2UO6uetpl_oOoA-vKGcQMnzMIh2S-mm2NsVkZktDinBjnwb_X3EyPVBUybKj8RC
  K4RN5clEXb7l-ddQqIxNZlxUd5o3XyICYMGSPvq9DiXktnpnH9bQDhHrdB4_r_3u3
  XENxlytln3p5Cwk37pJyQTYGknmLtmyNFGWo_RVUZCivnT5OEgkUm1FkTdH9xZ_WF
  JwEs7Yxt9pRQQKFj2AtcB0DqeGtOvJc1eg1z51xe-Le8tkBlQzz4XS58HDrNnrlw9
  QSaoUCEP2sO_8M2SgCNBkeFQO0EAf0pdAClJUy52xyTqSJo_FsjJkE0h1wnSxxFd4
  SMRiGpbpGh1VxzrWgM_3txrjk8Sp7OQqzN3kquc2OS86PuZfDOBEsq_-gr2pLNGGH
  xxZ4EW82TUgynRBohITHmYwGfisUx0YWtWR2ZhlS-KyvFaNCE6hdN2BwOtdsfouOO
  xjjOZfwiOxFx0MMkN2WSoocXxS1HudynfI23J5FWfJRhWpsDXfcOznZ2kAB014Kj5
  MF42ZusxrHlRTnHQG3OmfcW6NnoyjOPXjiGk-CgHVI-P2xZi77xbr9okZlW7QmNvE
  ZZtgYZosLWc9QdLEnR17S8hScjgDC06ByRvVHKocSs-CdwtjfjXBAXitJRkNryzPr
  NOaYMLGhrMLeMA1X3eVfyB0zEyN6rEndnNwquqzevvV-J-p6hfuVVAkEK1ya7Suo_
  j_vDOXtuX2mBr0l0DkkdgYlJcrLX7Slb6G40vVDZPmd2aQbB3ZGExTEL9Zlczp7T5
  2fuK75lnbn9Osd50BnuSZ_LBGmpDNp2IxPqz7nel7wMEZW0zEyw_RAGqrzWLasi4t
  GovT0VNI4oc-h46I6e09eY83RoUwVNfgy9WSCR2Fb1fubqURgTkoOdptFAVy2Efel
  gRaWoaSnnz8xo8Pt2JAb1zRiWDgBrICe4QelPRlokNrAORCMBL2_GgWd_gv9h5Hrl
  gumJOmUiae8Iar7Gh08VzlYwk5JqA3xX6ooy2rnTKTJjKb9UdeApxooHvMnwxdnK9
  A9LT5vbKYIQEcyOm6A3pcesJIUy5CF9fHsOvh-tS4Hg86xRoq1O6UEInwAJ7P5l5s
  9Yh9Ge6EIq7JoffWFADCD0TN2MqrACBDdsbblE2TeC5nRJqKvGRv35j0PUVxCozb5
  tEpj__CbXzJs4PrtCeu96npz6JTXesUIYNuvQD-7MkHjuAI7A-P4KrER14mjfftwi
  G6TlF9CMAhCTmDcFg21g7xtk_Ku6CA_diXU7dcjHyXzy0nECoTPzyJYBkoy22RLpu
  K65JbMR8cpDjB5hyYkiuDtVGRGcGpWWdq0qJPaXwIl2rmEHnjzzOyKovXFJyzEhmY
  m5jYwHbRhtBAUl3zZ5A5xHKi05OyDeiOESC7gJaISHPi0cWxIRc7hZ0VZ0n2asMi2
  kW5ddh4MyLSD4qIwgCB5QC8CdTOoG2mM4PLgmJ1bLhi7Wkr7ndAPD4TA5FyPUD8L8
  LjolfOQWwJfSe6UknbDYcRnUHVRp689OwzIPMHV00fxkK7ZCbL-Kcg8ea9oaZ-s5v
  _mkv7KMCed3B7V38FokYxuw1dVZODgxthk2nahCZ-cxAkgqgPDIuTrITIeqeykJiF
  UZRAldM_781GmMr-p_8HS25QVht"
        ]},
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

The device waiting to be connected uses the PollClaim transaction to receive notification of a claim having been posted.

6.5.2. PollClaim Transaction

The PollClaim transaction is used to discover if a claim has been posted to a published document.

When an authenticated, authorized request is made, the service responds with the latest claim posted to the publication.

The device in the example above periodically polls the service to which the device description is published to find if a claim has been registered.

The PollClaimRequest contains the account to which the document is published and the publication ID:

{
  "PollClaimRequest":{
    "PublicationId":"EBQJ-VQU2-NBCP-XCDF-PFWE-J5H4-BR26",
    "TargetAccountAddress":"maker@example.com"}}

The response returns the latest claim made as a signed message:

{
  "PollClaimResponse":{
    "EnvelopedMessage":[{
        "EnvelopeId":"MDNB-MBUA-NUS2-B7D3-6FIZ-OAPG-D4L5",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQjRQLVhRRFItSl
  ZPNC1NRDZSLTQ3QlotRzZFRC1KNTQzIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F
  nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD
  cmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NThaIn0",
        "SequenceInfo":{
          "Index":1,
          "TreePosition":0},
        "Received":"2024-10-14T13:10:58Z",
        "signatures":[{
            "alg":"ED448",
            "kid":"MDNT-WT3G-346G-4I5T-YV7F-LTQX-PSNT",
            "signature":"z03VvboD_IvshEuYEuRalFRGERvq1vHOJIWJzPNU
  gwLURsGLxxtfjE_1JtNWYe8kndOhVJo9_46A_Vx2DiAZ4ngzzYXoSpqAFgz7Ejqd5
  s1B7K1ehk5ToIK0oYOGoQ--npioQHEccyfUrQalwe76zx4A"}
          ],
        "PayloadDigest":"aobSWyLEGCMF0JbRdOst2LQPvpXI3ZVd45r3sjaV
  uO0FwMNtiiCGmjArENV3rVarWEAwLGBVYhVnpqw-S43pXw",
        "dig":"S512"},
      "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiUHVibGljYXRpb25JZCI6IC
  JFQlFKLVZRVTItTkJDUC1YQ0RGLVBGV0UtSjVINC1CUjI2IiwKICAgICJTZXJ2aWN
  lQXV0aGVudGljYXRlIjogIkFBRjMtMjRCRy1VNzVZLTNHVDMtSzZORy1LWFdFLVFD
  V0EiLAogICAgIkRldmljZUF1dGhlbnRpY2F0ZSI6ICJBRDdBLTRLU1ctMzdRWi1KR
  1Q3LVNLR1YtS1pIMi0zNkMzIiwKICAgICJNZXNzYWdlSWQiOiAiTkI0UC1YUURSLU
  pWTzQtTUQ2Ui00N0JaLUc2RUQtSjU0MyIsCiAgICAiU2VuZGVyIjogImFsaWNlQGV
  4YW1wbGUuY29tIiwKICAgICJSZWNpcGllbnQiOiAibWFrZXJAZXhhbXBsZS5jb20i
  fX0",
      {}
      ],
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

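The device-side handling of the PollClaimResponse above, as an added example (not code from this draft or from the Mesh reference implementation): it decodes the base64url ContentMetaData and payload of the returned envelope and checks that the claim is bound to the publication and account that were polled. The function and exception names are hypothetical, treating a 2xx Status as success and requiring Recipient to equal TargetAccountAddress are assumptions, and verification of the ED448 signature and the PayloadDigest is not performed here.

```python
import base64
import json

# Copied from the PollClaimResponse example above, with the line wrapping removed.
CONTENT_META_DATA = (
    "ewogICJVbmlxdWVJZCI6ICJOQjRQLVhRRFItSl"
    "ZPNC1NRDZSLTQ3QlotRzZFRC1KNTQzIiwKICAiTWVzc2FnZVR5cGUiOiAiTWVzc2F"
    "nZUNsYWltIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJD"
    "cmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NThaIn0"
)
PAYLOAD = (
    "ewogICJNZXNzYWdlQ2xhaW0iOiB7CiAgICAiUHVibGljYXRpb25JZCI6IC"
    "JFQlFKLVZRVTItTkJDUC1YQ0RGLVBGV0UtSjVINC1CUjI2IiwKICAgICJTZXJ2aWN"
    "lQXV0aGVudGljYXRlIjogIkFBRjMtMjRCRy1VNzVZLTNHVDMtSzZORy1LWFdFLVFD"
    "V0EiLAogICAgIkRldmljZUF1dGhlbnRpY2F0ZSI6ICJBRDdBLTRLU1ctMzdRWi1KR"
    "1Q3LVNLR1YtS1pIMi0zNkMzIiwKICAgICJNZXNzYWdlSWQiOiAiTkI0UC1YUURSLU"
    "pWTzQtTUQ2Ui00N0JaLUc2RUQtSjU0MyIsCiAgICAiU2VuZGVyIjogImFsaWNlQGV"
    "4YW1wbGUuY29tIiwKICAgICJSZWNpcGllbnQiOiAibWFrZXJAZXhhbXBsZS5jb20i"
    "fX0"
)

# The response as a parsed JSON object. The signature value and PayloadDigest
# are left out of this sample because the block does not verify them.
POLL_CLAIM_RESPONSE = {
    "PollClaimResponse": {
        "EnvelopedMessage": [
            {
                "EnvelopeId": "MDNB-MBUA-NUS2-B7D3-6FIZ-OAPG-D4L5",
                "ContentMetaData": CONTENT_META_DATA,
                "signatures": [
                    {"alg": "ED448", "kid": "MDNT-WT3G-346G-4I5T-YV7F-LTQX-PSNT"}
                ],
                "dig": "S512",
            },
            PAYLOAD,
            {},
        ],
        "Status": 201,
    }
}


class ClaimRejected(Exception):
    """Hypothetical error type: the polled claim failed a consistency check."""


def b64url_decode(text):
    """Decode the unpadded base64url used for envelope fields."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_poll_claim(response, publication_id, account_address):
    """Return the decoded MessageClaim, or raise ClaimRejected."""
    body = response.get("PollClaimResponse", {})
    # Assumption: any 2xx Status means success (the page shows 201).
    if not 200 <= body.get("Status", 0) < 300:
        raise ClaimRejected("service did not report success")

    envelope = body.get("EnvelopedMessage")
    if not isinstance(envelope, list) or len(envelope) < 2:
        raise ClaimRejected("envelope is not [header, payload, trailer]")
    header, payload_b64 = envelope[0], envelope[1]
    trailer = envelope[2] if len(envelope) > 2 else {}
    if not isinstance(header, dict) or not isinstance(trailer, dict):
        raise ClaimRejected("envelope header or trailer is not an object")

    try:
        meta = json.loads(b64url_decode(header["ContentMetaData"]))
        claim = json.loads(b64url_decode(payload_b64))["MessageClaim"]
    except (KeyError, TypeError, ValueError) as exc:
        raise ClaimRejected("undecodable metadata or payload") from exc
    if not isinstance(meta, dict) or not isinstance(claim, dict):
        raise ClaimRejected("metadata or claim is not an object")

    if meta.get("MessageType") != "MessageClaim":
        raise ClaimRejected("envelope does not carry a MessageClaim")
    if meta.get("UniqueId") != claim.get("MessageId"):
        raise ClaimRejected("metadata UniqueId differs from claim MessageId")
    if claim.get("PublicationId") != publication_id:
        raise ClaimRejected("claim is for a different publication")
    # Assumption: the claim's Recipient is the account that was polled.
    if claim.get("Recipient") != account_address:
        raise ClaimRejected("claim is addressed to a different account")

    # The page shows signatures in the header (PollClaimResponse) and in the
    # trailer (ClaimRequest); an envelope with neither is refused outright.
    sigs = header.get("signatures") or trailer.get("signatures") or []
    if not any(isinstance(s, dict) and s.get("alg") and s.get("kid") for s in sigs):
        raise ClaimRejected("claim carries no signature entry")
    return claim


if __name__ == "__main__":
    print(check_poll_claim(POLL_CLAIM_RESPONSE,
                           "EBQJ-VQU2-NBCP-XCDF-PFWE-J5H4-BR26",
                           "maker@example.com"))
```
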
6.6. Cryptographic

The Operate transaction is used to perform one or more cryptographic operations using private key material recorded in the Threshold Catalog. Such operations typically represent one part of a threshold key operation divided between the service and a device connected to an account.

As with all operations involving the Access catalog, the request MUST meet the authentication criteria specified by the catalog entry. These typically include the request being authenticated by a specific key.

Key Agreement

CryptographicOperationKeyAgreement is used to request a threshold key agreement operation on a specified public key.

Alice added Bob to groupw@example.com as a member. This resulted in Bob receiving the invitation described in section ??? and the following access entry being added to the Access catalog of the group account:

{
  "CatalogedAccess":{
    "Capability":{
      "CapabilityDecryptServiced":{
        "GranteeUdf":"bob@example.com",
        "EnvelopedKeyShare":[{
            "enc":"A256CBC",
            "kid":"EBQH-2PZ5-HTKM-HC3Y-N6YT-VQ3A-ZZCR",
            "Salt":"H00N80phHkIfP95CI5ZlZw",
            "recipients":[{
                "kid":"MDET-26NB-5GRV-JOWD-HJ6D-6WUN-JLWE",
                "epk":{
                  "PublicKeyECDH":{
                    "crv":"X448",
                    "Public":"MDbm9mOsQDWbtNQahw0CnoIFuZpoVsj8gtZ
  8F-yN11ioJnoxCz9S_v_mIDFOWiZAqy0a5I3YTjOA"}},
                "wmk":"p2KrCgM3HliVXkJLugonLHpT8ZPxxBWm1jZxOOWkBp
  8uxIAXFySoeA"}
              ],
            "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJLZXlEYX
  RhIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmVhdGV
  kIjogIjIwMjQtMTAtMTRUMTM6MTA6NTVaIn0"},
          "wsXytUHUeYC6ko5uTPalgTsmTG1car6vZIbVPUcbgS81xAawr1wwAr
  ytRIJE2Ji3FbY4pQA8RRdzBAuxAbSTZIIvsCic3nYQ8wuxyX3JWkUPtuHj-5G4R3W
  o2TVHS2BQUywYgnCHOcfTaPLr2O1arDQ3fo401dYeJtFSPiOexmwjsghD_KXILmBA
  tUTZnp6UPI0yQd90Qmxs6QonkHgYwY8pmCoLJxebyf80C0teU4u5O8I1t0Nxlw1oH
  8Z6zgB-0K8u8lmf0h0IwxZRLnGjMAivV8D1n9SIYMZEnYzpItXu5zxf8z_RV15GO5
  d9qy3SRtPOlGSZXI3Xn_CRk9dt6jUbpGl-NCbqXAweA71x1dgTMXcDozHbL0UQhHH
  ZZlq8crxgfGAGr1PBHFc8Wg4yDxU_JLzwz3V2r7RnnMXfJsgE2-F-SZVYTtpZQ5LW
  DiuEMF5UR6wxz7cdd4hY-z2CjoydhrWmBBOCGgn7wwzd6XkvMg02trFAYM63psNr1
  YWh8qvI1rtx1h8DVKErp-2w2x64Hc1Tf7gW7eExGoFHG8nIWfEpJ28arPLoD0Z2tE
  5xAZ6UmlY3zYjU_rTmf62qhjNVdag5qu_YPilWHlD4oHvGh67e04QUOnzLR-UoScy
  BSdF1u6_HxenHJ46NV4mbzmZV2KvQw9Y7aMDLeR3gufmRR2Tr9nuKhQnO3zWSE68p
  VXIRxz5rVmo_fYtg3PrcdQ"
          ],
        "Id":"MBNJ-RWYE-WXIY-ETHX-RIVA-RKHM-Q7QC",
        "Active":true}}}}

The private key (in this case a key share) is encrypted under the service key.

To make use of the access entry, a request is made that specifies the key share to be operated on and the public key parameters to perform the agreement with.

The request payload:

{
  "OperateRequest":{
    "AccountAddress":"groupw@example.com",
    "Operations":[{
        "CryptographicOperationKeyAgreement":{
          "PublicKey":{
            "PublicKeyECDH":{
              "crv":"X448",
              "Public":"ZoSHmhH63m5wJqoaS3V0-B3KN2WL29IsJWdRDyIaT
  -glv5ZhlHZq0gN0_qWhpYt8yZYm0St0P9aA"}},
          "KeyId":"MBNJ-RWYE-WXIY-ETHX-RIVA-RKHM-Q7QC"}}
      ]}}

The service checks to see if the request is authorized and if so, performs the operation and returns the result:

{
  "OperateResponse":{
    "Results":[{
        "CryptographicResultKeyAgreement":{
          "KeyAgreement":{
            "KeyAgreementECDH":{
              "Curve":"X448",
              "Result":"9iLvBSWGWu_iAvqdLxB8D-0yNFhNDe8it5FMZ4J7Q
  w6y25Z_oP4GTB9mxMucGukzeF0V0HiQeU4A"}}}}
      ],
    "Status":201,
    "StatusDescription":"Operation completed successfully"}}

Future: Currently, the access catalog is encrypted under the service encryption key. It would be better to encrypt the catalog under an encryption key specified by the service during the process of account binding. This would allow a service to assign a unique encryption key to each account and limit access to that key to the hosts servicing that specific account.

6.6.1. Generate Key Shares

Generation of threshold key shares is planned but not currently supported.

6.6.2. Threshold Sign

Threshold signature is planned but not currently supported.

6.7. Messaging

Mesh Messaging is an asynchronous messaging service that allows exchange of information between devices connected to a Mesh account and between Mesh users.

To enable effective abuse mitigation, Mesh Messaging enforces a four-corner communication model in which all outbound and inbound messages pass through a Mesh Service which accredits and authorizes the messages on the user's behalf.

Figure 2: The Mesh Four Corner Messaging Model

The Post transaction is only used to exchange messages between services. The client sends and receives messages through interactions with the outbound and inbound spools of the account.

6.7.1. Sender

To send a message, the client creates the Mesh Message structure, encapsulates it in a DARE Message and appends the message to the Outbound spool of the account using the Transact operation.

The DARE Message MUST be signed under the account signature key.

The Mesh Service receiving the message from the user's device MAY attempt immediate retransmission or queue it to be sent at a future time. Mesh Services SHOULD forward messages without undue delay.

6.7.2. Outbound Service

The Post transaction forwarding the message to the destination service carries the same payload as the original request but is authenticated by the service forwarding it. This authentication MAY be by means of either profile or ticket authentication.

>>>> Unfinished ProtocolPostServiceService

[Not Yet Implemented]

After the message has been sent, the service updates the message status on the outbound spool.

Services SHOULD implement Denial of Service mitigation strategies including limiting the maximum time taken to complete a transaction and refusing connections from clients that engage in patterns of behavior consistent with abuse.

The limitation in message size allows Mesh Services to aggressively time out connections that take too long to complete a transaction. A Mesh Service that is hosted on a 10Mb/s link should be able to transfer 20 messages a second. If the service is taking more than 5 seconds to complete a transaction, either the source or the destination service is overloaded or the message itself is an attack.

Imposing hard constraints on Mesh Service performance requires deployments to scale and apply resources appropriately. If a service is attempting to transfer 100 messages simultaneously and 40% are taking 4 seconds or more, this indicates that the number of simultaneous transfers being attempted should be reduced. Contrariwise, if 90% are completed in less than a second, the number of threads allocated to sending outbound messages might be increased.

6.7.3. Inbound Service

The inbound service MUST subject inbound messages to Access Control according to the credentials presented in the DARE Message payload.

After verifying the signature and checking that the key is properly accredited in accordance with site policy, the service applies authorization controls taking account of:

  • The accreditation of the sender
  • The accreditation of the transmitting Service
  • The type of Mesh Message being sent
  • User policy as specified in their Contact Catalog
  • Site policy.

6.7.4. Recipient

Messages are received by synchronizing the outbound spool.

7. Access Control

[This section to be expanded in future drafts]

Access control is effected through the usual division of authentication and authorization.

Authentication of operation requests is performed by the RUD layer [draft-hallambaker-mesh-rud].

7.1. Direct authorization

Any request authenticated under the profile authentication key is authorized to perform any account operation without restriction.

7.2. Access Catalog authentication

If the authentication key presented has a matching Access Catalog entry, the device is authorized to perform operations as specified in that entry.

8. Message Interactions

Message interactions are asynchronous interactions that occur between devices connected to the same account or between accounts.

All messages are signed by the sender and encrypted under the encryption key of the recipient if this is known to the sender.

8.1. Message PIN Interaction

The Message PIN Interaction is used to register and validate PIN codes used to authenticate certain transactions. This interaction allows a PIN code issued by one device to be consumed by another allowing for greater convenience in managing devices or contact exchange.

For example, Alice might delegate the PIN code issue privilege to her mobile device without delegating the administration privilege to that device. This would allow Alice to use her mobile device to initiate the connection of a large number of devices to her Mesh as her house is being built and approve them later using her administrative device.

Use of the Message PIN interaction is optional. An application that issues a PIN code to authenticate a message MAY store the PIN value within the application without persisting it to external storage.

Derivation of the SaltedPin, MessageId and Witness values from their respective inputs is described in the Schema Reference [draft-hallambaker-mesh-schema].

8.1.1. Registration

To register a PIN code to an Account, a device:

  • Generates the PIN code value
  • Calculates the SaltedPin value for the specified Action
  • Calculates the PinId binding the specified SaltedPin to the Account.
  • Creates and signs MessagePin containing the SaltedPin, Action and Account values with the MessageId value PinId.
  • Appends the MessagePin value to the Administration Spool of the Account.

Note that this construction provides limited protection against forgery attacks by a party with access to the MessagePin. A party with such access can use it to construct the witness value required to authenticate a request.

PIN Code values consist of an opaque sequence of octets represented as a UDF nonce value. Codes are presented in canonical UDF form, i.e. Base32 encoding separated into groups of 4 characters. The PIN value is converted to binary form for calculation of the SaltedPin, thus ensuring that the canonical form of the PIN value is used.

8.1.2. Authentication

The PIN Code value is passed out of band to a user who will enter it into a device to authenticate a request made to the issuer.

A request that MAY be validated by means of a PIN is a subclass of MessagePinValidated and contains the following fields:

AuthenticatedData

A DARE Envelope containing the data that is authenticated.

ClientNonce

A nonce value used to prevent certain replay attacks.

PinId

Digest value binding the SaltedPin to the Account.

PinWitness

Witness value calculated as KDF (Device.UDF + AccountAddress, ClientNonce)

The device uses the PIN code and Action identifier corresponding to the desired request to calculate the SaltedPin value in the same manner as during registration. This value is then used to calculate the PinId and PinWitness values.

8.1.3. Validation

The PIN code is validated by performing the steps of:

  • Calculating the SaltedPin value from the PIN code and Action
  • Calculating PinId from SaltedPin and Account
  • Retrieving a MessagePin from the Administration spool with the MessageId PinId.
  • Calculating the PinWitness value from SaltedPin, ClientNonce and AuthenticatedData and checking this matches the value specified in the message.
  • Performing the requested action.
  • Posting a Complete message to the Administration Spool of the Account marking the PIN code as used.

This process can fail at multiple points resulting in different error results:

PinInvalid

No PIN code is specified, the PIN code indicates an unsupported algorithm or the calculated PinWitness does not match the one specified by the request.

PinUsed

The PIN code has been used previously.

PinExpired

The PIN code is no longer valid.

Note that in the case that an attempt is made to reuse a PIN, it is not automatically the case that the first use of the PIN was the one that was valid and only the second attempt was invalid. Implementations SHOULD alert the user to the attempted re-use so that this possibility can be considered and appropriate action taken.
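The registration, authentication and validation steps of sections 8.1.1 to 8.1.3, as an added example that is not part of the draft or of the Mesh reference code. The SaltedPin, PinId and PinWitness derivations are defined in the Schema Reference and are not reproduced here, so HMAC-SHA-512 is used as a stand-in; the function and class names, the "Accepted" result and the order of the error checks are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _kdf(key: bytes, data: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA-512 stands in for the derivations that the
    # Schema Reference defines; only the data flow follows the draft.
    return hmac.new(key, data, hashlib.sha512).digest()


def _udf(data: bytes, groups: int = 7) -> str:
    # UDF-style presentation: Base32 in dash-separated groups of 4 characters.
    text = base64.b32encode(data).decode().rstrip("=")[: groups * 4]
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def pin_to_bytes(pin: str) -> bytes:
    # Convert the presented PIN to binary so that case and dash differences
    # in what the user typed cannot change the derived SaltedPin.
    text = pin.replace("-", "").strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def salted_pin(pin: str, action: str) -> str:
    return _udf(_kdf(action.encode(), pin_to_bytes(pin)))


def pin_id(salted: str, account: str) -> str:
    return _udf(_kdf(account.encode(), salted.encode()))


def pin_witness(salted: str, client_nonce: bytes, authenticated_data: bytes) -> bytes:
    return _kdf(salted.encode(), client_nonce + authenticated_data)


def build_request(pin: str, account: str, action: str, authenticated_data: bytes) -> dict:
    # Connecting device: derive everything from the PIN received out of band.
    nonce = secrets.token_bytes(16)
    salted = salted_pin(pin, action)
    return {"AuthenticatedData": authenticated_data, "ClientNonce": nonce,
            "PinId": pin_id(salted, account),
            "PinWitness": pin_witness(salted, nonce, authenticated_data)}


@dataclass
class AdminSpool:
    pins: dict = field(default_factory=dict)   # MessageId (= PinId) -> MessagePin
    closed: set = field(default_factory=set)   # PinIds closed by a MessageComplete

    def register(self, account, action, lifetime=timedelta(days=1), now=None) -> str:
        now = now or datetime.now(timezone.utc)
        pin = _udf(secrets.token_bytes(15), groups=6)
        salted = salted_pin(pin, action)
        message_id = pin_id(salted, account)
        # The MessagePin stores the SaltedPin, so anyone able to read this
        # entry can compute a witness: the spool must stay confidential.
        self.pins[message_id] = {"Account": account, "Action": action,
                                 "SaltedPin": salted, "Expires": now + lifetime,
                                 "MessageId": message_id}
        return pin  # handed to the user out of band, never stored here

    def validate(self, request: dict, account: str, action: str, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        entry = self.pins.get(request.get("PinId", ""))
        if entry is None or entry["Account"] != account or entry["Action"] != action:
            return "PinInvalid"
        expected = pin_witness(entry["SaltedPin"], request.get("ClientNonce", b""),
                               request.get("AuthenticatedData", b""))
        # Witness first and in constant time, so that a caller without the
        # PIN learns nothing about whether it was used or has expired.
        if not hmac.compare_digest(expected, request.get("PinWitness", b"")):
            return "PinInvalid"
        if entry["MessageId"] in self.closed:
            return "PinUsed"      # implementations SHOULD alert the user here
        if now >= entry["Expires"]:
            return "PinExpired"
        # Stands for the MessageComplete (Relationship "Closed"), which the
        # draft posts in the same transaction as the authorized action.
        self.closed.add(entry["MessageId"])
        return "Accepted"
```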

8.1.4. Example

Alice connects a device using a QR code presented by her administrative device.

The administration device creates a PIN code and records it to the Local spool. The message specifies the salted PIN value used to verify attempts to use the PIN and the action for which it is authorized. Since this PIN has been issued to authorize a device connection, the message also specifies the roles for which the device is authorized. This allows the connection request to be accepted without asking for further input from the user.

{
  "MessagePin":{
    "Account":"alice@example.com",
    "Expires":"2024-10-15T13:10:56Z",
    "Automatic":true,
    "SaltedPin":"ABYY-PTS3-HOUO-E3VH-TOCJ-GFJI-XPHS",
    "Action":"Device",
    "Roles":["threshold"
      ],
    "MessageId":"AAKU-MJKW-GRDS-S3ZI-DONH-D6US-4REW"}}

8.2. Completion Interaction

Completion messages are dummy messages that are added to a Mesh Spool to mark a change in the status of messages previously posted. Any message that is in the inbound spool and has not been erased or redacted MAY be marked as read, unread or deleted. Any message in the outbound spool MAY be marked as sent, received or deleted.

Services MAY erase or redact messages in accordance with local site policy. Since messages are not removed from the spool on being marked deleted, they may be undeleted by marking them as read or unread. Marking a message deleted MAY make it more likely that the message will be removed if the sequence is subsequently purged.

After using the PIN code to authenticate connection of a device in the previous example, the corresponding MessagePin is marked as having been used by appending a completion message to the Local spool.

{
  "MessageComplete":{
    "References":[{
        "MessageId":"AAKU-MJKW-GRDS-S3ZI-DONH-D6US-4REW",
        "ResponseId":"MDDD-KNM4-KUZH-QVC4-KWLI-5NBW-T54I",
        "Relationship":"Closed"}
      ],
    "MessageId":"NARB-QXHR-HQFR-PCAS-D3L6-YGJX-LXCL"}}

The completion message is added to the spool in the same upload transaction that adds the device to the device catalog. This ensures that both operations occur or neither occurs.

8.3. Contact Exchange Interaction

The contact exchange interaction is used to support unilateral or mutual exchange of contact information. Contact exchange has three functions in the Mesh:

  • To exchange public key information to allow encryption of messages sent to and verification of signatures on messages sent from the contact subject.
  • To exchange contact information allowing use of other communication protocols (e.g. telephone, SMS, xmpp, SMTP, OpenPGP, S/MIME, etc).
  • To request that the recipient grant privileges to accept certain types of messages from the contact subject.

Registration of the subject's contact information in a registry service eliminates the need for the first of these functions but not the other two. To prevent abuse, every Mesh Message is subject to access control and a Mesh service will only accept a message from a sender if there is an entry in the Threshold Catalog of the account that expressly permits delivery of messages of the specified type that are authenticated by an authorized signature key.

The communication of unsolicited information afforded by the contact exchange interaction is deliberately limited so that a majority of users can accept contact exchange requests without prior authorization. It is however likely that some users will receive a considerable volume of requests forcing them to require contact requests be authorized through some form of third party accreditation.

8.3.1. Remote

The Remote Contact Exchange transaction consists of a sequence of MessageContact messages sent from the initiator to the responder, responder to the initiator, etc. While there is in principle no limit on the number of messages exchanged, most exchanges will be completed in three exchanges or less:

Initiator to Responder

Contains Initiator contact data without authentication context from the exchange.

Responder to Initiator (optional)

Contains Responder contact data authenticated under a PIN challenge presented in the previous message.

Initiator to Responder (optional)

Contains Initiator contact data authenticated under a PIN challenge presented in the previous message.

Each message provides the recipient with additional information which MAY motivate the recipient to provide additional contact information to the sender.

{
  "MessageContact":{
    "Reply":true,
    "Subject":"alice@example.com",
    "PIN":"AB3A-ETHW-4RGL-GEYG-KEAP-TLEM-UKDQ",
    "AuthenticatedData":[{
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb250YWN0UG
  Vyc29uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJDcmV
  hdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NDlaIn0",
        "dig":"S512"},
      "ewogICJDb250YWN0UGVyc29uIjogewogICAgIkNvbW1vbk5hbWVzIjogW2
  51bGxdLAogICAgIkFuY2hvcnMiOiBbewogICAgICAgICJVZGYiOiAiTUJRTS1NUkF
  TLVRCRUMtT09MTS1OUFFZLVhGN08tS1FNRSIsCiAgICAgICAgIlZhbGlkYXRpb24i
  OiAiU2VsZiJ9XSwKICAgICJOZXR3b3JrQWRkcmVzc2VzIjogW3sKICAgICAgICAiT
  mV0d29ya1Byb2ZpbGUiOiB7CiAgICAgICAgICAiRW52ZWxvcGVkUHJvZmlsZUFjY2
  91bnQiOiBbewogICAgICAgICAgICAgICJFbnZlbG9wZUlkIjogIk1CUU0tTVJBUy1
  UQkVDLU9PTE0tTlBRWS1YRjdPLUtRTUUiLAogICAgICAgICAgICAgICJDb250ZW50
  TWV0YURhdGEiOiAiZXdvZ0lDSlZibWx4ZFdWSlpDSTZJQ0pOUWxGTkxVMVNRVk10V
  kVKRlF5MQogIFBUMHhOTFU1UVVWa3RXRVkzVHkxTFVVMUZJaXdLSUNBaVRXVnpjMk
  ZuWlZSNWNHVWlPaUFpVUhKdlptbHNaCiAgVlZ6WlhJaUxBb2dJQ0pqZEhraU9pQWl
  ZWEJ3YkdsallYUnBiMjR2YlcxdEwyOWlhbVZqZENJc0NpQWdJa04KICB5WldGMFpX
  UWlPaUFpTWpBeU5DMHhNQzB4TkZReE16b3hNRG8wT1ZvaWZRIiwKICAgICAgICAgI
  CAgICAiZGlnIjogIlM1MTIifSwKICAgICAgICAgICAgImV3b2dJQ0pRY205bWFXeG
  xWWE5sY2lJNklIc0tJQ0FnSUNKRGIyMXRiMjVUYVdkdVlYUjFjbVUKICBpT2lCN0N
  pQWdJQ0FnSUNKVlpHWWlPaUFpVFVKUFJTMVlSMFJZTFZwVVZrVXRWRFJOUVMxUlNr
  bE9MVGRhVgogIHpVdFJWVlZNeUlzQ2lBZ0lDQWdJQ0pRZFdKc2FXTlFZWEpoYldWM
  FpYSnpJam9nZXdvZ0lDQWdJQ0FnSUNKCiAgUWRXSnNhV05MWlhsRlEwUklJam9nZX
  dvZ0lDQWdJQ0FnSUNBZ0ltTnlkaUk2SUNKRlpEUTBPQ0lzQ2lBZ0kKICBDQWdJQ0F
  nSUNBaVVIVmliR2xqSWpvZ0lsWlJVbWhmV1hOd1ZHYzNXRmRSY0hOTGRqWXdiVmhD
  U0c5Zk5uSgogIDFiR1ZJZFhKWFNGcHViSEV5U2xWb0xYWk9TbTA0T0d3S0lDQmtRM
  jVCVnpSU1dVWlpUR0V3Tmt4dVVYUXRlCiAgVEZtUlVFaWZYMTlMQW9nSUNBZ0lrRm
  pZMjkxYm5SQlpHUnlaWE56SWpvZ0ltSnZZa0JsZUdGdGNHeGxMbU4KICB2YlNJc0N
  pQWdJQ0FpVTJWeWRtbGpaVlZrWmlJNklDSk5RbEZFTFVWVVdGVXRTRnBTVnkxQk1q
  WlBMVmRFVgogIEZJdFN6ZEhTUzFZTmtwRUlpd0tJQ0FnSUNKRmMyTnliM2RGYm1Oe
  WVYQjBhVzl1SWpvZ2V3b2dJQ0FnSUNBCiAgaVZXUm1Jam9nSWsxRFdsa3ROakpNTm
  kxVVNUYzFMVE5GTlU0dFMxVkxXUzFLVGxFekxUSTNRbFVpTEFvZ0kKICBDQWdJQ0F
  pVUhWaWJHbGpVR0Z5WVcxbGRHVnljeUk2SUhzS0lDQWdJQ0FnSUNBaVVIVmliR2xq
  UzJWNVJVTgogIEVTQ0k2SUhzS0lDQWdJQ0FnSUNBZ0lDSmpjbllpT2lBaVdEUTBPQ
  0lzQ2lBZ0lDQWdJQ0FnSUNBaVVIVmliCiAgR2xqSWpvZ0lsWXRUbE50VHpSdWNqUl
  FlV2RxVkhCUVNFSnlWMVpTVG5WeE1taFpRbmRpVm1WelRGOVNOa28KICB6VUZOQ0x
  XNDBZa1ZvUlRNS0lDQlVVbUZqVUVkWFJIcHljM3BYV0hwbmEyUmZabGxEYTBFaWZY
  MTlMQW9nSQogIENBZ0lrRmtiV2x1YVhOMGNtRjBiM0pUYVdkdVlYUjFjbVVpT2lCN
  0NpQWdJQ0FnSUNKVlpHWWlPaUFpVFVSCiAgQ1VpMUtXVkZITFZoSVNWa3RNMHRRV0
  MxTk5sSlpMVXBIV1ZrdFFqVlJTU0lzQ2lBZ0lDQWdJQ0pRZFdKc2EKICBXTlFZWEp
  oYldWMFpYSnpJam9nZXdvZ0lDQWdJQ0FnSUNKUWRXSnNhV05MWlhsRlEwUklJam9n
  ZXdvZ0lDQQogIGdJQ0FnSUNBZ0ltTnlkaUk2SUNKRlpEUTBPQ0lzQ2lBZ0lDQWdJQ
  0FnSUNBaVVIVmliR2xqSWpvZ0lsVkpTCiAgRGhMTVcxdldXOVZlWGt3ZUhGMlREaG
  9VVkYxVXpodFpWaEZObGhoWmtwRlgyOWpSVFZrU0VGVVJuTnVWa04KICBpWVdFS0l
  DQXRNazlpV0VkRldGWkxXVUZNUVhGNmNuQTNjREZHYTBFaWZYMTlMQW9nSUNBZ0lr
  TnZiVzF2YgogIGtWdVkzSjVjSFJwYjI0aU9pQjdDaUFnSUNBZ0lDSlZaR1lpT2lBa
  VRVUkVWaTFHTlZsR0xWbE1NMDh0TjBwCiAgVFRTMU9TRmRFTFVwYVVsZ3RXa2RIUl
  NJc0NpQWdJQ0FnSUNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2UKICB3b2dJQ0F
  nSUNBZ0lDSlFkV0pzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUNBZ0lDQWdJbU55
  ZGlJNklDSgogIFlORFE0SWl3S0lDQWdJQ0FnSUNBZ0lDSlFkV0pzYVdNaU9pQWlhe
  TFzUkVOdVJ6TjFlbDl2WkZWVllUTnRVCiAgMUY0UjBOWFlUSnVUbXBLY201aWMzVj
  ZVVjk0ZFVoc1NuZHllRlJOWWxkV2RRb2dJR2R4YTJkckxXVlFjMmQKICBFV0ZKdVV
  WZEtSVk4zWjFwMVFTSjlmWDBzQ2lBZ0lDQWlRMjl0Ylc5dVFYVjBhR1Z1ZEdsallY
  UnBiMjRpTwogIGlCN0NpQWdJQ0FnSUNKVlpHWWlPaUFpVFVSVFZ5MDBWRWd5TFRWS
  lVqY3RXazlVVnkxVVNFVTNMVVJRU1U0CiAgdFIxbEtUQ0lzQ2lBZ0lDQWdJQ0pRZF
  dKc2FXTlFZWEpoYldWMFpYSnpJam9nZXdvZ0lDQWdJQ0FnSUNKUWQKICBXSnNhV05
  MWlhsRlEwUklJam9nZXdvZ0lDQWdJQ0FnSUNBZ0ltTnlkaUk2SUNKWU5EUTRJaXdL
  SUNBZ0lDQQogIGdJQ0FnSUNKUWRXSnNhV01pT2lBaWVsOUdiME5QWkRVdFRGWklRa
  2xxUTNaZlgxUmxYMFI0ZUdWMlprVk5RCiAgMTlsUlVwQ1pFZG5SMmxuZUZZMlNFUm
  pkbEpZUlFvZ0lHNDBRVUpwZERsV05FTnJVamRpV0ZCb2VYbERiSEoKICBWUVNKOWZ
  YMHNDaUFnSUNBaVVtOXZkRlZrWm5NaU9pQmJJbGxNVnpoUk5rSlBNbGRIUlVGMVJV
  Tk9iRkJKVAogIFVkdmJFdExVRUl4VlRoaWMxSjROVTFSWlRsNU5uWnhTMUZTVVRSY
  UNpQWdaRTlIUVU0NFYwWXlRMWhOWTE5CiAgdGJWZDFjVXd3UmxjMk1FSjFiMGxZVl
  ZKbE4xVlFOQ0pkZlgwIiwKICAgICAgICAgICAgewogICAgICAgICAgICAgICJzaWd
  uYXR1cmVzIjogW3sKICAgICAgICAgICAgICAgICAgImFsZyI6ICJFRDQ0OCIsCiAg
  ICAgICAgICAgICAgICAgICJraWQiOiAiTUMyMy1ZUTVBLUozTVctREJBQy00RUJEL
  U1VNkktR0JWQyIsCiAgICAgICAgICAgICAgICAgICJTaWduYXR1cmVLZXkiOiB7Ci
  AgICAgICAgICAgICAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICA
  gICAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICAgICAgICAgICAg
  ICJQdWJsaWMiOiAiMFk0cF8tR21jeWkydUFRYnJHOXFOVmNUREQ0aVBXQ2dJcnpBa
  GJBMXV6bTMyTlpXa3NzVAogIGxEVHc5WW91RldqY3NoNWRGV095Vmh3QSJ9fSwKIC
  AgICAgICAgICAgICAgICAgInNpZ25hdHVyZSI6ICJIaWtuV2hBYzFHa3BTTkxVMnV
  nLUs4SWwwSG5zX3ZxMEM4RTR2cTFYdDdTNktGWDNNCiAgOUc3cTB3VHlvOVhrLWc4
  VTdDWHczcFl2dG1BaTB2ZmtSbFhnWmd0OHBaSWQydnZrSlZ4ZG1ZeFkxbXQxcnYKI
  CBLQXhJbzV6VkowQXRYOUhjVVBULU81R0Z3SUJzQlF2eXJuMHhqdkFJQSJ9XSwKIC
  AgICAgICAgICAgICAiUGF5bG9hZERpZ2VzdCI6ICJ3WDQ4MjlaVlBIeDFOd0pwT1R
  VV1VRZi1uM2t2MEF1bkp5LUhCcEk3SXFObUsKICB5WFUxakczTWZucXRzV2Z2Zkg2
  UUpnd0t6NW13b1BxeF8zdHQ0MU5MdyJ9XSwKICAgICAgICAgICJBZGRyZXNzIjogI
  mJvYkBleGFtcGxlLmNvbSJ9fV19fQ",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MBOE-XGDX-ZTVE-T4MA-QJIN-7ZW5-EUU3",
            "signature":"AS3_3bTTS5t7txywPXMdENgK5g4P2Ulcoyhu9gL2
  I4FGaEdjeEuGJbIIDqNcCl3xq0Wk4ATnBIqAAXtRTtEfx1UOveTRvbS77VhMq8Hz6
  VU83pwUWfdpGWtKUgTVOuMLVggT199OfZ42ItIIA3w_ogEA"}
          ],
        "PayloadDigest":"KaXz5nh1C7D_t2XInJ6tHMXDU5oz4B3EfPJpGzzT
  FQVdNpo3LcvYm7oHhh9wM72GQ_fcd0o9HOEF8xmv74Mblw"}
      ],
    "MessageId":"NAJJ-X5FX-POHN-TTR4-3TXK-KTE7-3KKM",
    "Sender":"bob@example.com",
    "Recipient":"alice@example.com"}}

The Mesh Contact Exchange transaction does not provide for validation of the contact information beyond the binding to the Mesh Account Address used to perform the exchange.

8.3.2. PIN

Contact exchange requests MAY be authenticated by a PIN code. Initial contact exchange requests SHOULD include a PIN code value that can be used to authenticate a response (if given). PIN codes MAY also be exchanged out of band.

A MessageContact authenticated by means of a PIN code is authenticated as described in the PIN Interaction section above.

8.3.3. EARL

A MessageContact message MAY be published as an EARL. This allows contact data to be presented to the recipient on a printed document such as a business card in machine readable format such as a QR code.

8.4. Group Invitation

The GroupInvitation interaction is used to invite a recipient to join a Mesh Group. The interaction is essentially a form of contact exchange except that a sender SHOULD NOT send group invitations unless there is an existing relationship. Thus the 'first trust' issues intrinsic to the contact exchange interaction do not apply.

The message specifies the group name and the contact entry for the group. The contact entry includes the CapabilityDecryptServiced used to decrypt messages sent to the group when combined with information provided by the threshold service for the group.

Receipt of a GroupInvitation message does not require a response.

>>>> Unfinished ProtocolGroupInvite

Missing example 14

8.5. Confirmation Interaction

The confirmation interaction consists of a RequestConfirmation message from the initiator followed by a ResponseConfirmation from the responder.

The RequestConfirmation message specifies the action that is requested.

The ResponseConfirmation message contains the enveloped RequestConfirmation message signed by the initiator and the disposition of the responder, Accept = true if the request is accepted and Accept = false otherwise.

The service sends out the following request:

{
  "RequestConfirmation":{
    "Text":"start",
    "MessageId":"NAZG-5KBV-D32X-O24L-XTYS-26GV-FC6Z",
    "Sender":"console@example.com",
    "Recipient":"alice@example.com"}}

Alice accepts the request and returns the following response:

{
  "ResponseConfirmation":{
    "Request":[{
        "EnvelopeId":"MCDS-ZYU5-TXDG-FAHW-BAVA-VFRM-XOXD",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQVpHLTVLQlYtRD
  MyWC1PMjRMLVhUWVMtMjZHVi1GQzZaIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbmZpcm1hdGlvbiIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0
  IiwKICAiQ3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjUyWiJ9",
        "SequenceInfo":{
          "Index":7,
          "TreePosition":6211},
        "Received":"2024-10-14T13:10:52Z",
        "signatures":[{
            "alg":"ED448",
            "kid":"MDMO-SHNV-SDLR-GGIH-W2MA-QTNA-OQUG",
            "signature":"4oOI79pmsbJKxPfdZZgm0h60ZN9Ec5dSXtyBtLHk
  4tKfxRMy-s4JlBO1SZ4xsRzkPkjh_bozL2IAiil1f6F8Kva5UMDMwOs1E363x5zfs
  4ttnMz9KjHD_LSNiG5S7iwMh4XF6-GB-s-ge1a7Cf4TqjwA"}
          ],
        "PayloadDigest":"5oqE8QWpLfTmxhs4GpDS6_Od2dd8PcdDMfI9bgoN
  NrYNnZaNwOI_oloD2i2k65_ENqyBTdM8TLlkc-TtywwwqQ",
        "dig":"S512"},
      "ewogICJSZXF1ZXN0Q29uZmlybWF0aW9uIjogewogICAgIlRleHQiOiAic3
  RhcnQiLAogICAgIk1lc3NhZ2VJZCI6ICJOQVpHLTVLQlYtRDMyWC1PMjRMLVhUWVM
  tMjZHVi1GQzZaIiwKICAgICJTZW5kZXIiOiAiY29uc29sZUBleGFtcGxlLmNvbSIs
  CiAgICAiUmVjaXBpZW50IjogImFsaWNlQGV4YW1wbGUuY29tIn19",
      {}
      ],
    "Accept":true,
    "MessageId":"MDRR-IKIO-BXGJ-Y2QA-ZLJI-YDA2-HC4I",
    "Sender":"alice@example.com",
    "Recipient":"console@example.com"}}

9. Device Connection Interactions

Connection of a device to a Mesh Account combines synchronous and asynchronous elements and therefore uses a combination of Mesh Service Protocol and Mesh Messaging interactions.

Four connection interactions are currently defined to support connection of devices with different affordances:

Witness Authenticated

For connecting devices that provide data entry and display affordances and are connected to a network. The account the device is to be connected to is entered into the device which displays a witness code. This code is then compared with a code displayed on the administration device to authenticate the request, after which both devices can complete the interaction.

PIN Authenticated

A variation of the Witness Authenticated interaction in which the connection process is initiated by creating a PIN value which is communicated to the device by some out of band means and used to authenticate the connection request.

Dynamic QR Code (PIN) Authenticated

For connecting devices that provide a camera affordance. The user sets the administration device into 'add device' mode, causing a QR code to be displayed. The QR code is scanned by the device being connected after which both devices can complete the interaction. Implementation of this mechanism is identical to the PIN authenticated scheme except that the PIN code is presented to the connecting device by means of a QR code.

Preconfigured (Static QR Code Authenticated)

For connecting devices that have been preconfigured with a device profile identified by means of a QR Code containing an EARL. The QR code is scanned by the administration device after which both devices can complete the interaction.

Each of these interactions provides strong mutual authentication with minimal user effort.

The witness authenticated connection interaction is intended for use in cases in which the device is already connected to a network. The QR code interactions are intended to provide support for acquisition of networking capabilities as part of the connection process. These functions are not currently specified. The Static QR Code Authenticated interaction is intended to support Internet of Things (IoT) devices which provide minimal interaction affordances.

In each case, the objectives of the device connection interaction are the same:

The connection of the device to the Mesh Account is achieved through the creation of the ActivationDevice, ConnectionDevice and CataloguedDevice records described in [draft-hallambaker-mesh-schema]. These are created by the administration device in the third phase of each of the connection interactions described below and acquired by the onboarding device in the fourth phase.

9.1. Witness/PIN Authenticated

The witness authenticated, PIN authenticated, and Dynamic QR code interactions all follow a common interaction pattern.

The Dynamic QR Code (PIN) Authenticated interaction comprises four phases as follows:

Phase 1: Issue of PIN credential (PIN and Dynamic QR code only)

A PIN code is created and registered with the PIN Registration interaction described earlier and transmitted to the user by an out of band communication. In the case of the Dynamic QR code interaction, this is a QR code that is scanned by the connecting device.

Phase 2: Onboarding Device Request to Service

The onboarding device creates a RequestConnect message. In the PIN authenticated and Dynamic QR Code interactions, the RequestConnect is authenticated by the Device Authentication key and the PIN issued earlier. In the Witness Authenticated interaction, it is authenticated by the Device Authentication key alone.

The onboarding device presents the RequestConnect message to the service by means of a Connect operation to the service servicing the account. This results in the exchange of the account and device profiles and the computation of a witness value from the two profile fingerprints and two nonce values specified by the onboarding device and the service. An AcknowledgeConnection message is posted to the Inbound spool of the account and returned to the connecting device.

Phase 3: Administration Device Acceptance

The account holder authenticates the RequestConnect message and uses an administrative device to accept or reject the connection request.

If the RequestConnect message has been authenticated by a PIN code, the connection request can be accepted automatically without additional user interaction.

Phase 4: Onboarding Device Completion

The onboarding device periodically polls the service for acceptance of the request by the administration device using the Complete transaction.

The use of the PIN code to authenticate the request message is shown in $$$$.

The PIN code MAY be presented to the onboarding device in any format accepted by the device. Administration devices MAY support presentation of the account address PIN code as a URI code. Administration devices SHOULD support presentation of the account address PIN code as a QR code containing the corresponding URI.

9.1.1. Phase 1:

Alice> meshman account pin /threshold
PIN=ADE7-U5DR-2YNJ-XKVX-4RUE-SVL5-5I
 (Expires=2024-10-15T13:10:56Z)

The registration of this PIN value was shown earlier in section $$$

The URI containing the account address and PIN is:

mcd://alice@example.com/ADE7-U5DR-2YNJ-XKVX-4RUE-SVL5-5I

9.1.2. Phase 2:

The onboarding device scans the QR code to obtain the account address and PIN code. The PIN code is used to authenticate a connection request:

Alice3> meshman device request alice@example.com /pin ^
    ADE7-U5DR-2YNJ-XKVX-4RUE-SVL5-5I
   Device UDF = MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF
   Witness value = A6J3-EVU5-QGBM-WI4Z-HYUC-ONHP-O3VC

The device generates a RequestConnect message as follows:

{
  "RequestConnection":{
    "AccountAddress":"alice@example.com",
    "AuthenticatedData":[{
        "EnvelopeId":"MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFELUNPREUtWE
  1XSi1RSEUzLTJLSFotVUtLRi1UVlZGIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU2WiJ9",
        "dig":"S512"},
      "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIkVuY3J5cHRpb24iOiB7Ci
  AgICAgICJVZGYiOiAiTUNEWi1FQTM3LVBQTEEtVjVCUi0zNlRQLU5LREItNDRXVSI
  sCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlF
  Q0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsa
  WMiOiAicm5RRnFZZTItYjU1QkoyNHdnRDYteWdZd2RUVnZubHljSHRTSTRtNWQ5dG
  1jLVlJN2JaTgogIEdOM1hwdFdoWThWZmVPS3RyU216VWtHQSJ9fX0sCiAgICAiU2l
  nbmF0dXJlIjogewogICAgICAiVWRmIjogIk1DQ0gtVVBJTC1XS0lGLUFNNVUtSFRM
  Ri0zM1RMLVZIN1QiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgI
  CAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogIC
  AgICAgICAgIlB1YmxpYyI6ICJnTXl1OHVnYmtOMkdQZG10OEo2WkQxY3M4UnhOcDZ
  lR1diWGpVanR5S1IyQkdIYk9tdmNWCiAgdXo5c09IWkFNeVVDUVBtYTBwQUpnRGdB
  In19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQVBIL
  TYzNlEtN0ZLVS1GM0hKLUxQQ0MtWktVRy1ZVzY0IiwKICAgICAgIlB1YmxpY1Bhcm
  FtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICA
  iY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICItbDdpOWx2M3ZreVZG
  NG5STzZFSEtXRUs0LU1nNGRsRWpqM1ZhVGxqcTdwaFlrSnhqVnEyCiAgU28zSUlzY
  1ZSMkRCOFA3eldNMlB3bldBIn19fSwKICAgICJSb290VWRmcyI6IFsiWUtPVFoyTU
  FKYk90TEVSaWdRLUpxV1NVeUFyM19WeGx1Wm1qYVpNaHRsWFFidlJtVjIKICBxeVZ
  KU1BXRy1OTHBtb3MxQkxPM1cwNjQ0RlB6Y3k0TWcwN3pJIl19fQ",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MCRZ-GZ3D-AAS3-HLJM-IRRI-CD4J-VFSJ",
            "SignatureKey":{
              "PublicKeyECDH":{
                "crv":"Ed448",
                "Public":"D09lNZXUcBq-n7euBgndE_nJ3xY5l0FEQHfgpd3
  B4amV3fYhlbN6AdhTdkDIFLeDNvIiBiozmUUA"}},
            "signature":"D5DxBdHfE-Wi6-LYWIPzIRO2QdrQ5VPWoHuFTAnP
  9zojCK__6dN6iYKisCT1dRDXIGwiCe-TrUuA14Lrq0bmjoNJ50F5ghENqOlTzfDzX
  V8BjWzPQL0ag_VWpN3JaiU0HRgTVvkugRXpAEE-BZdPGC8A"}
          ],
        "PayloadDigest":"XRZfMR090Cn7lDCmGY2gOMS_cGiE2c8d6JLh_33T
  J0xxfWWvQEkyup7rgQMpWZNqIFEWBQZE2OgN4Kb0gbQHbw"}
      ],
    "ClientNonce":"Py_M7xlo5rLB8atEpCCQiA",
    "PinId":"AAKU-MJKW-GRDS-S3ZI-DONH-D6US-4REW",
    "PinWitness":"cqed33rRoC4fHnVTjzreoa_x5BLKpLmhY5jIfxBeCODgbqJ
  clhyCWmoZ30oNKcGu4tEvP7wvslU8h4iMobSRNg",
    "MessageId":"NBAM-IBG7-4IM2-UNK6-NQOQ-HFSR-4LBD"}}

The service receives the connect request and authenticates the message under the device key. The service cannot authenticate the message under the PIN code because the PIN code is not known to the service, as the service cannot decrypt the local spool.

Having authenticated the connect request, the service generates a random nonce value. The random nonce together with the device and account profiles are used to calculate the witness value.

The AcknowledgeConnection message is created by the service:

{
  "AcknowledgeConnection":{
    "EnvelopedRequestConnection":[{
        "EnvelopeId":"MBRN-LSG3-IBIK-2RUK-U4TO-HOZK-7ZJP",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJOQkFNLUlCRzctNE
  lNMi1VTks2LU5RT1EtSEZTUi00TEJEIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo1NloifQ"},
      "ewogICJSZXF1ZXN0Q29ubmVjdGlvbiI6IHsKICAgICJBY2NvdW50QWRkcm
  VzcyI6ICJhbGljZUBleGFtcGxlLmNvbSIsCiAgICAiQXV0aGVudGljYXRlZERhdGE
  iOiBbewogICAgICAgICJFbnZlbG9wZUlkIjogIk1CUUQtQ09ERS1YTVdKLVFIRTMt
  MktIWi1VS0tGLVRWVkYiLAogICAgICAgICJDb250ZW50TWV0YURhdGEiOiAiZXdvZ
  0lDSlZibWx4ZFdWSlpDSTZJQ0pOUWxGRUxVTlBSRVV0V0UxWFNpMQogIFJTRVV6TF
  RKTFNGb3RWVXRMUmkxVVZsWkdJaXdLSUNBaVRXVnpjMkZuWlZSNWNHVWlPaUFpVUh
  KdlptbHNaCiAgVVJsZG1salpTSXNDaUFnSW1OMGVTSTZJQ0poY0hCc2FXTmhkR2x2
  Ymk5dGJXMHZiMkpxWldOMElpd0tJQ0EKICBpUTNKbFlYUmxaQ0k2SUNJeU1ESTBMV
  EV3TFRFMFZERXpPakV3T2pVMldpSjkiLAogICAgICAgICJkaWciOiAiUzUxMiJ9LA
  ogICAgICAiZXdvZ0lDSlFjbTltYVd4bFJHVjJhV05sSWpvZ2V3b2dJQ0FnSWtWdVk
  zSjVjSFJwYjI0aU9pQgogIDdDaUFnSUNBZ0lDSlZaR1lpT2lBaVRVTkVXaTFGUVRN
  M0xWQlFURUV0VmpWQ1VpMHpObFJRTFU1TFJFSXROCiAgRFJYVlNJc0NpQWdJQ0FnS
  UNKUWRXSnNhV05RWVhKaGJXVjBaWEp6SWpvZ2V3b2dJQ0FnSUNBZ0lDSlFkV0oKIC
  BzYVdOTFpYbEZRMFJJSWpvZ2V3b2dJQ0FnSUNBZ0lDQWdJbU55ZGlJNklDSllORFE
  0SWl3S0lDQWdJQ0FnSQogIENBZ0lDSlFkV0pzYVdNaU9pQWljbTVSUm5GWlpUSXRZ
  alUxUWtveU5IZG5SRFl0ZVdkWmQyUlVWblp1YkhsCiAgalNIUlRTVFJ0TldRNWRHM
  WpMVmxKTjJKYVRnb2dJRWRPTTFod2RGZG9XVGhXWm1WUFMzUnlVMjE2Vld0SFEKIC
  BTSjlmWDBzQ2lBZ0lDQWlVMmxuYm1GMGRYSmxJam9nZXdvZ0lDQWdJQ0FpVldSbUl
  qb2dJazFEUTBndFZWQgogIEpUQzFYUzBsR0xVRk5OVlV0U0ZSTVJpMHpNMVJNTFZa
  SU4xUWlMQW9nSUNBZ0lDQWlVSFZpYkdsalVHRnlZCiAgVzFsZEdWeWN5STZJSHNLS
  UNBZ0lDQWdJQ0FpVUhWaWJHbGpTMlY1UlVORVNDSTZJSHNLSUNBZ0lDQWdJQ0EKIC
  BnSUNKamNuWWlPaUFpUldRME5EZ2lMQW9nSUNBZ0lDQWdJQ0FnSWxCMVlteHBZeUk
  2SUNKblRYbDFPSFZuWQogIG10T01rZFFaRzEwT0VvMldrUXhZM000VW5oT2NEWmxS
  MWRpV0dwVmFuUjVTMUl5UWtkSVlrOXRkbU5XQ2lBCiAgZ2RYbzVjMDlJV2tGTmVWV
  kRVVkJ0WVRCd1FVcG5SR2RCSW4xOWZTd0tJQ0FnSUNKQmRYUm9aVzUwYVdOaGQKIC
  BHbHZiaUk2SUhzS0lDQWdJQ0FnSWxWa1ppSTZJQ0pOUVZCSUxUWXpObEV0TjBaTFZ
  TMUdNMGhLTFV4UVEwTQogIHRXa3RWUnkxWlZ6WTBJaXdLSUNBZ0lDQWdJbEIxWW14
  cFkxQmhjbUZ0WlhSbGNuTWlPaUI3Q2lBZ0lDQWdJCiAgQ0FnSWxCMVlteHBZMHRsZ
  VVWRFJFZ2lPaUI3Q2lBZ0lDQWdJQ0FnSUNBaVkzSjJJam9nSWxnME5EZ2lMQW8KIC
  BnSUNBZ0lDQWdJQ0FnSWxCMVlteHBZeUk2SUNJdGJEZHBPV3gyTTNacmVWWkdORzV
  TVHpaRlNFdFhSVXMwTAogIFUxbk5HUnNSV3BxTTFaaFZHeHFjVGR3YUZsclNuaHFW
  bkV5Q2lBZ1UyOHpTVWx6WTFaU01rUkNPRkEzZWxkCiAgTk1sQjNibGRCSW4xOWZTd
  0tJQ0FnSUNKU2IyOTBWV1JtY3lJNklGc2lXVXRQVkZveVRVRktZazkwVEVWU2EKIC
  BXZFJMVXB4VjFOVmVVRnlNMTlXZUd4MVdtMXFZVnBOYUhSc1dGRmlkbEp0VmpJS0l
  DQnhlVlpLVTFCWFJ5MQogIE9USEJ0YjNNeFFreFBNMWN3TmpRMFJsQjZZM2swVFdj
  d04zcEpJbDE5ZlEiLAogICAgICB7CiAgICAgICAgInNpZ25hdHVyZXMiOiBbewogI
  CAgICAgICAgICAiYWxnIjogIkVENDQ4IiwKICAgICAgICAgICAgImtpZCI6ICJNQ1
  JaLUdaM0QtQUFTMy1ITEpNLUlSUkktQ0Q0Si1WRlNKIiwKICAgICAgICAgICAgIlN
  pZ25hdHVyZUtleSI6IHsKICAgICAgICAgICAgICAiUHVibGljS2V5RUNESCI6IHsK
  ICAgICAgICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogICAgICAgICAgICAgICAgI
  lB1YmxpYyI6ICJEMDlsTlpYVWNCcS1uN2V1QmduZEVfbkozeFk1bDBGRVFIZmdwZD
  NCNGFtVjNmWWhsYk42CiAgQWRoVGRrRElGTGVETnZJaUJpb3ptVVVBIn19LAogICA
  gICAgICAgICAic2lnbmF0dXJlIjogIkQ1RHhCZEhmRS1XaTYtTFlXSVB6SVJPMlFk
  clE1VlBXb0h1RlRBblA5em9qQ0tfXzYKICBkTjZpWUtpc0NUMWRSRFhJR3dpQ2UtV
  HJVdUExNExycTBibWpvTko1MEY1Z2hFTnFPbFR6ZkR6WFY4QmpXegogIFBRTDBhZ1
  9WV3BOM0phaVUwSFJnVFZ2a3VnUlhwQUVFLUJaZFBHQzhBIn1dLAogICAgICAgICJ
  QYXlsb2FkRGlnZXN0IjogIlhSWmZNUjA5MENuN2xEQ21HWTJnT01TX2NHaUUyYzhk
  NkpMaF8zM1RKMHh4ZgogIFdXdlFFa3l1cDdyZ1FNcFdaTnFJRkVXQlFaRTJPZ040S
  2IwZ2JRSGJ3In1dLAogICAgIkNsaWVudE5vbmNlIjogIlB5X003eGxvNXJMQjhhdE
  VwQ0NRaUEiLAogICAgIlBpbklkIjogIkFBS1UtTUpLVy1HUkRTLVMzWkktRE9OSC1
  ENlVTLTRSRVciLAogICAgIlBpbldpdG5lc3MiOiAiY3FlZDMzclJvQzRmSG5WVGp6
  cmVvYV94NUJMS3BMbWhZNWpJZnhCZUNPRGdicUpjCiAgbGh5Q1dtb1ozMG9OS2NHd
  TR0RXZQN3d2c2xVOGg0aU1vYlNSTmciLAogICAgIk1lc3NhZ2VJZCI6ICJOQkFNLU
  lCRzctNElNMi1VTks2LU5RT1EtSEZTUi00TEJEIn19"
      ],
    "ServerNonce":"w0zST52oIkf29KzfHGQ78g",
    "Witness":"A6J3-EVU5-QGBM-WI4Z-HYUC-ONHP-O3VC",
    "MessageId":"A6J3-EVU5-QGBM-WI4Z-HYUC-ONHP-O3VC"}}

The AcknowledgeConnection message is appended to the Inbound spool of the account to which connection was requested so that the user can approve the request. The ConnectResponse message is returned to the device containing the AcknowledgeConnection message and the profile of the account.

The device generates the witness value, verifies it against the value provided by the server and presents it to the user as seen in the console example above.
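
The following is an added example, not part of the draft or of the Mesh reference code. It splits the connection URI from Phase 1 into account address and PIN, decodes the unpadded base64url ContentMetaData headers of the two envelopes shown above, and checks that they name the device profile and the RequestConnection message they are supposed to carry. The function names are hypothetical, and the Base32 grouping pattern is an assumption drawn from the sample values on this page.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Values copied from the example messages above, including the line wrapping
# (newline plus two spaces) that the draft's rendering inserts into long strings.
CONNECT_URI = "mcd://alice@example.com/ADE7-U5DR-2YNJ-XKVX-4RUE-SVL5-5I"
DEVICE_UDF = "MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF"          # console output
REQUEST_MESSAGE_ID = "NBAM-IBG7-4IM2-UNK6-NQOQ-HFSR-4LBD"  # RequestConnection

PROFILE_DEVICE_METADATA = """ewogICJVbmlxdWVJZCI6ICJNQlFELUNPREUtWE
  1XSi1RSEUzLTJLSFotVUtLRi1UVlZGIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU2WiJ9"""

ACK_REQUEST_METADATA = """ewogICJVbmlxdWVJZCI6ICJOQkFNLUlCRzctNE
  lNMi1VTks2LU5RT1EtSEZTUi00TEJEIiwKICAiTWVzc2FnZVR5cGUiOiAiUmVxdWV
  zdENvbm5lY3Rpb24iLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIs
  CiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo1NloifQ"""

# Assumption: UDF-style values are Base32 characters in hyphen-separated
# groups of up to four, as in every sample on this page.
UDF_RE = re.compile(r"[A-Z2-7]{4}(?:-[A-Z2-7]{1,4})+")
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def parse_connect_uri(uri):
    """Split an mcd:// connection URI into (account address, PIN)."""
    parts = urlsplit(uri)
    if parts.scheme != "mcd":
        raise ValueError("not an mcd URI")
    if parts.query or parts.fragment:
        raise ValueError("unexpected query or fragment")
    account = parts.netloc
    if account.count("@") != 1 or not all(account.split("@")):
        raise ValueError("account address must be user@domain")
    if not parts.path.startswith("/"):
        raise ValueError("missing PIN path segment")
    pin = parts.path[1:]
    if not UDF_RE.fullmatch(pin):
        raise ValueError("PIN is not in the expected Base32 grouping")
    return account, pin


def decode_metadata(wrapped):
    """Decode an envelope ContentMetaData value (unpadded base64url JSON)."""
    text = "".join(wrapped.split())          # undo the rendering line wraps
    if not B64URL_RE.fullmatch(text) or len(text) % 4 == 1:
        raise ValueError("not base64url")
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    meta = json.loads(raw.decode("utf-8"))
    if not isinstance(meta, dict):
        raise ValueError("metadata is not a JSON object")
    return meta


def check_metadata(wrapped, expected_type, expected_id):
    """Return a list of mismatches between the header and the expected values."""
    meta = decode_metadata(wrapped)
    problems = []
    if meta.get("MessageType") != expected_type:
        problems.append("MessageType is %r" % meta.get("MessageType"))
    if meta.get("UniqueId") != expected_id:
        problems.append("UniqueId is %r" % meta.get("UniqueId"))
    return problems


def check_example_flow():
    """Cross-check the identifiers that tie the Phase 1 and 2 samples together."""
    account, pin = parse_connect_uri(CONNECT_URI)
    return {
        "account": account,
        "pin": pin,
        # The device profile envelope is labelled with the device UDF.
        "profile_device": check_metadata(
            PROFILE_DEVICE_METADATA, "ProfileDevice", DEVICE_UDF),
        # The envelope inside AcknowledgeConnection carries the device's request.
        "acknowledged_request": check_metadata(
            ACK_REQUEST_METADATA, "RequestConnection", REQUEST_MESSAGE_ID),
    }


if __name__ == "__main__":
    for key, value in check_example_flow().items():
        print(key, "->", value)
```

An empty list for profile_device and acknowledged_request means the decoded headers agree with the identifiers shown in the console output and in the RequestConnection message.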

9.1.3. Phase 3:

The user synchronizes their pending messages:

Alice> meshman message pending
MessageID: A6J3-EVU5-QGBM-WI4Z-HYUC-ONHP-O3VC
        Connection Request::
        MessageID: A6J3-EVU5-QGBM-WI4Z-HYUC-ONHP-O3VC
        To:  From:
        Device:  MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF
        Witness: A6J3-EVU5-QGBM-WI4Z-HYUC-ONHP-O3VC
MessageID: NCX7-ADC5-L2CD-W5IY-SFT4-NX2U-XZQL
MessageID: NAZG-5KBV-D32X-O24L-XTYS-26GV-FC6Z
        Confirmation Request::
        MessageID: NAZG-5KBV-D32X-O24L-XTYS-26GV-FC6Z
        To: alice@example.com From: console@example.com
        Text: start
MessageID: NANN-LZ5N-6AHO-AOBD-VD6I-X7C3-GJHY
MessageID: NBCN-N55H-QYZX-F2TB-U5R3-2T6B-5W47
MessageID: NDHA-E73C-WZUG-QCMR-5IPX-52JV-WYX6
Alice> meshman account sync /auto

The administration device determines that the device connection request is authenticated by a PIN code. The PIN code is retrieved and the message authenticated. This is shown in the PIN registration interaction example in section $$$ above.

Bug: This command is currently showing superfluous pending messages due to the failure to clear messages processed in earlier examples.

The Cataloged device record is created from the public key values corresponding to the combination of the public keys in the device profile and those defined by the activation.

This is returned to the onboarding device by wrapping it in a RespondConnection message posted to the local spool of the account.

{
  "RespondConnection":{
    "Result":"Accept",
    "CatalogedDevice":{
      "DeviceUdf":"MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF",
      "EnvelopedProfileUser":[{
          "EnvelopeId":"MBQC-7OHA-RNBA-FRDL-R4GI-YQHA-DL36",
          "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFDLTdPSEEt
  Uk5CQS1GUkRMLVI0R0ktWVFIQS1ETDM2IiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ
  mlsZVVzZXIiLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1tL29iamVjdCIsCiAgIk
  NyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo0NVoifQ",
          "dig":"S512"},
        "ewogICJQcm9maWxlVXNlciI6IHsKICAgICJDb21tb25TaWduYXR1cmUi
  OiB7CiAgICAgICJVZGYiOiAiTUROVC1XVDNHLTM0NkctNEk1VC1ZVjdGLUxUUVgtU
  FNOVCIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaW
  NLZXlFQ0RIIjogewogICAgICAgICAgImNydiI6ICJFZDQ0OCIsCiAgICAgICAgICA
  iUHVibGljIjogIklNeU1vN2ZFeTJ2SHA4c3lRMFZVNFhpdnBKRWhnUVFTWDNqOG12
  YTRIQ19UMDVVbmhRWXEKICBWWnl1dklRRVZvMmR5TUNSbTYwUTNFMEEifX19LAogI
  CAgIkFjY291bnRBZGRyZXNzIjogImFsaWNlQGV4YW1wbGUuY29tIiwKICAgICJTZX
  J2aWNlVWRmIjogIk1CUUQtRVRYVS1IWlJXLUEyNk8tV0RUUi1LN0dJLVg2SkQiLAo
  gICAgIkVzY3Jvd0VuY3J5cHRpb24iOiB7CiAgICAgICJVZGYiOiAiTUNLRC0zTVI2
  LVAyVEUtTTZVNC00TElPLVpUUkctRFpWUyIsCiAgICAgICJQdWJsaWNQYXJhbWV0Z
  XJzIjogewogICAgICAgICJQdWJsaWNLZXlFQ0RIIjogewogICAgICAgICAgImNydi
  I6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsaWMiOiAiMXZOVUFBcDNyc3pJcGhHOEV
  zZm9hTzVZNnNaQ24wSGM4ekNnZFFpdllwSkFjRHRta1NzQwogIGVJMmdtRFRDSzZT
  clMxVWdQdHVZbVR3QSJ9fX0sCiAgICAiQWRtaW5pc3RyYXRvclNpZ25hdHVyZSI6I
  HsKICAgICAgIlVkZiI6ICJNRDJMLTZNN0MtWjNaMy1RM0FMLUpGWUktWklVQy1CS1
  VSIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0t
  leUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQ
  dWJsaWMiOiAiYkhvS2IwYzEyRjdjaWJNXzNnWmNKWE16T09YNHNuSGdQVndPZlJZa
  zZBUkpPc0dQZW1zZAogIDJCbTBXZm1Ba1JZTzNFUTZmajhfTnpTQSJ9fX0sCiAgIC
  AiQ29tbW9uRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQVlGLUQ3TEotNUl
  NUC1FVUNHLUhTR0gtN0xTUi1BQVBaIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMi
  OiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogI
  lg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJjN29vcko4MDhzYzlkNDBLWERoSU
  hnQ1RGejM5TUszSmpPMFE3S191ZkRFR0RLaXdWS2hkCiAgM29QUTQ0UEVxR2p3a3B
  wN09mYmNCYlNBIn19fSwKICAgICJDb21tb25BdXRoZW50aWNhdGlvbiI6IHsKICAg
  ICAgIlVkZiI6ICJNQUZULVNJTkEtU0ZYSS1QQkRZLVdSSEUtTlhZTC1EWFZUIiwKI
  CAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDRE
  giOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI
  6ICJYY2dFejl5MmNxc3g0WmViR0VSVGpyTi14ek44M0QtcGN4MDY1MXgtV1VDcVlO
  cnNuelRICiAgNDBDcG9NeHVOLUZucFQ1bV9iME15dUtBIn19fSwKICAgICJSb290V
  WRmcyI6IFsiWUJKUjNqUjJQbGpkWWs1cXhiV2RIWTByVFlFYUZBa0hZM01tc1I4en
  ZOMURyMzNSbkwKICBVTDNUaHJHOURNV0JaM1AtOFp5R3p5S2FRWXdlY28yWlV0Y0t
  3Il19fQ",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MAJF-DXRU-OY7F-RXLC-JZVM-LNM5-DWGS",
              "SignatureKey":{
                "PublicKeyECDH":{
                  "crv":"Ed448",
                  "Public":"9sZGEfYSIoTvVSL0Q5c_Oip_Hi2iOTsl4L3iL
  whfOv9bA-5nd7PyRooKEsQx-lA7PMAYBewSOmIA"}},
              "signature":"6x3k8AC2jkUQv0jzlUVWJDqP7zcNkKAqvPcAs7
  Ci2jXULjbIFAFCct8GC8Nb8KiD5ljoLAsVHr-AnYcjklyXSHN6Gn_BIZiLiW3Yu5_
  ChXHspywX-ZGMD6soXJIilOzreauR-_aiUE7Gx0eh3Fje2wEA"}
            ],
          "PayloadDigest":"tXPfbmg_SRmARF_7HLPq-bM6NMO1h1Oa30f_Ag
  _TIRzGKMrmTKtV7XH-h3NIBFGxOQYuD0BproKNEg6uhtG0Mw"}
        ],
      "EnvelopedProfileDevice":[{
          "EnvelopeId":"MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF",
          "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFELUNPREUt
  WE1XSi1RSEUzLTJLSFotVUtLRi1UVlZGIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZ
  mlsZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKIC
  AiQ3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU2WiJ9",
          "dig":"S512"},
        "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIkVuY3J5cHRpb24iOiB7
  CiAgICAgICJVZGYiOiAiTUNEWi1FQTM3LVBQTEEtVjVCUi0zNlRQLU5LREItNDRXV
  SIsCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZX
  lFQ0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJ
  saWMiOiAicm5RRnFZZTItYjU1QkoyNHdnRDYteWdZd2RUVnZubHljSHRTSTRtNWQ5
  dG1jLVlJN2JaTgogIEdOM1hwdFdoWThWZmVPS3RyU216VWtHQSJ9fX0sCiAgICAiU
  2lnbmF0dXJlIjogewogICAgICAiVWRmIjogIk1DQ0gtVVBJTC1XS0lGLUFNNVUtSF
  RMRi0zM1RMLVZIN1QiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICA
  gICAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAog
  ICAgICAgICAgIlB1YmxpYyI6ICJnTXl1OHVnYmtOMkdQZG10OEo2WkQxY3M4UnhOc
  DZlR1diWGpVanR5S1IyQkdIYk9tdmNWCiAgdXo5c09IWkFNeVVDUVBtYTBwQUpnRG
  dBIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQVB
  ILTYzNlEtN0ZLVS1GM0hKLUxQQ0MtWktVRy1ZVzY0IiwKICAgICAgIlB1YmxpY1Bh
  cmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgI
  CAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICItbDdpOWx2M3ZreV
  ZGNG5STzZFSEtXRUs0LU1nNGRsRWpqM1ZhVGxqcTdwaFlrSnhqVnEyCiAgU28zSUl
  zY1ZSMkRCOFA3eldNMlB3bldBIn19fSwKICAgICJSb290VWRmcyI6IFsiWUtPVFoy
  TUFKYk90TEVSaWdRLUpxV1NVeUFyM19WeGx1Wm1qYVpNaHRsWFFidlJtVjIKICBxe
  VZKU1BXRy1OTHBtb3MxQkxPM1cwNjQ0RlB6Y3k0TWcwN3pJIl19fQ",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MCRZ-GZ3D-AAS3-HLJM-IRRI-CD4J-VFSJ",
              "SignatureKey":{
                "PublicKeyECDH":{
                  "crv":"Ed448",
                  "Public":"D09lNZXUcBq-n7euBgndE_nJ3xY5l0FEQHfgp
  d3B4amV3fYhlbN6AdhTdkDIFLeDNvIiBiozmUUA"}},
              "signature":"D5DxBdHfE-Wi6-LYWIPzIRO2QdrQ5VPWoHuFTA
  nP9zojCK__6dN6iYKisCT1dRDXIGwiCe-TrUuA14Lrq0bmjoNJ50F5ghENqOlTzfD
  zXV8BjWzPQL0ag_VWpN3JaiU0HRgTVvkugRXpAEE-BZdPGC8A"}
            ],
          "PayloadDigest":"XRZfMR090Cn7lDCmGY2gOMS_cGiE2c8d6JLh_3
  3TJ0xxfWWvQEkyup7rgQMpWZNqIFEWBQZE2OgN4Kb0gbQHbw"}
        ],
      "EnvelopedConnectionService":[{
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0
  aW9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI
  CAiQ3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU2WiJ9",
          "dig":"S512"},
        "e7QRQ29ubmVjdGlvblNlcnZpY2V7tApQcm9maWxlVWRmgCJNQlFDLTdP
  SEEtUk5CQS1GUkRMLVI0R0ktWVFIQS1ETDM2tA5BdXRoZW50aWNhdGlvbnu0A1VkZ
  oAiTURPNS1YTkpPLUxDUVctR1pTSy1RMklKLU4zQk4tQ0JDN7QQUHVibGljUGFyYW
  1ldGVyc3u0DVB1YmxpY0tleUVDREh7tANjcnaABFg0NDi0BlB1YmxpY4g5tfcoRrH
  -moXof3ppxP-1rsXnpnEc37YXEQumpfPz-MS_fTyxbhajFi1bpr5dZQjrPqCVVWMP
  FmiAfX19fX0",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MD2L-6M7C-Z3Z3-Q3AL-JFYI-ZIUC-BKUR",
              "signature":"9TrTu8tVJ2f9e7_PgVQD2O9JwsxrEyzjTWyqoV
  rlqW1NA4EKkPcPnnMKFFMflbte38rYUSIngUUApFwe2RFaBD_9p3gDpEJgXjQyHyj
  cHn6gu8iOP0WMwUiAgNQCJLJLXxw_zYpIjwIlDUoYA5eaLzkA"}
            ],
          "PayloadDigest":"oEuqftV2yGBBO-zcHdLaZlE24EedCob55acnhS
  mU_3hmwB5GGwKkAaEc3arbl8LlFvw8qcOx4DEmbn2e0l_ETQ"}
        ],
      "EnvelopedConnectionDevice":[{
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0
  aW9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI
  CJDcmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NTZaIn0",
          "dig":"S512"},
        "e7QQQ29ubmVjdGlvbkRldmljZXu0BVJvbGVzW4AJdGhyZXNob2xkXbQJ
  U2lnbmF0dXJle7QDVWRmgCJNQk43LTJWUkotVjc3Ry1CTzJaLVNSVDItUEtZSy1GS
  ExQtBBQdWJsaWNQYXJhbWV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAFRWQ0ND
  i0BlB1YmxpY4g5mHAKd6yWYjepjbjcF5AE3_mVB3NCLhPL_g_UIwgI5j9GvARZLzs
  drWAngOGTv7M6R_WM2IrWl3GAfX19tApFbmNyeXB0aW9ue7QDVWRmgCJNQjVILVlZ
  QVEtTUtLVC01SkNNLUZXUkwtSElKMi02TjdPtBBQdWJsaWNQYXJhbWV0ZXJze7QNU
  HVibGljS2V5RUNESHu0A2NydoAEWDQ0OLQGUHVibGljiDk0NPeEx6n3ELUk1MYr0r
  3nSo-qxXfvvn35g2S5sxZqo8uMquHzzA1PWaVNF5bharNF__kWmerQxYB9fX20ClB
  yb2ZpbGVVZGaAIk1CUUMtN09IQS1STkJBLUZSREwtUjRHSS1ZUUhBLURMMza0DkF1
  dGhlbnRpY2F0aW9ue7QDVWRmgCJNRE81LVhOSk8tTENRVy1HWlNLLVEySUotTjNCT
  i1DQkM3tBBQdWJsaWNQYXJhbWV0ZXJze7QNUHVibGljS2V5RUNESHu0A2NydoAEWD
  Q0OLQGUHVibGljiDm19yhGsf6aheh_emnE_7WuxeemcRzfthcRC6al8_P4xL99PLF
  uFqMWLVumvl1lCOs-oJVVYw8WaIB9fX19fQ",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MD2L-6M7C-Z3Z3-Q3AL-JFYI-ZIUC-BKUR",
              "signature":"yYwmrYVkddU86Hm99yKb4QlqVqr1Rw4vAdaztF
  l8FRG3tCO77sMc5vMLcSJTkdK-FOGOrQRk11iAGZ5ZEgLMFJn-QRpSmcbBLeel6lD
  SUJQRkjVUavbCxej4RKJoMOJbzuBmZdvsreHynZdbk7p7fzIA"}
            ],
          "PayloadDigest":"CsqBGYf0fzZ8YE4nzhUuuvfL0lGsaAkNFKCUhf
  1YsIwCxuDQY_zZjVcOEgFsVeUggfmm_spXiahBMaDM7zz2fA"}
        ],
      "EnvelopedActivationAccount":[{
          "enc":"A256CBC",
          "kid":"EBQM-YIA4-PNBW-ECVY-NBBW-CT2Z-WUX2",
          "Salt":"kugd4f-D2t7K2ESGjW7J9A",
          "recipients":[{
              "kid":"MCDZ-EA37-PPLA-V5BR-36TP-NKDB-44WU",
              "epk":{
                "PublicKeyECDH":{
                  "crv":"X448",
                  "Public":"fH2svl6_uVYsor6k0kzRFZEfAXWOAedsri-XL
  9YRzAQsN_l_M9DzmRWxbvDsLC0fztCVsvfTsN-A"}},
              "wmk":"JNEdtBna70N_7MINkiCfkRdXRfqGXo3d6QXoPyoRkUqp
  N3bSxdYJKA"}
            ],
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0
  aW9uQWNjb3VudCIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKI
  CAiQ3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU2WiJ9",
          "dig":"S512"},
        "-fy3XJD_nkzc5E0amfUxXyd9iv9ucViLMp8hOhrMSEBDOCwPybwnY-hS
  wNA6-DwlMZ1q8tfpTmjJizv6Mkf4PRkYE4qOJJTDbxtS6lNMvBJhBvcKgMDoeAnVf
  Y7x9BomZLlERwo6BMH9WavqiMshfLEC9RJ4BSfjfMcp5-P_5qZ_fRAutzAOB_vsEA
  97F0SmzjM7Mjdk0M0iVtR2F4UH-FEEgQFdAmoYwSFV3bXCWRkYRD0y-B_4kWqBXvL
  1-SM2",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MD2L-6M7C-Z3Z3-Q3AL-JFYI-ZIUC-BKUR",
              "signature":"arywkmG5iJUxfP4MHIMgcmXyDk8nWzsh6RUz8Q
  CiGo60E2JqqRtaZscxTlYaEsEMR0Ugs-AH8cKAD7f__RB4DxiUuWORY11txAmfpIR
  2NwLnIsQ0S65x5dauAJ5mFY0QTDucNfXGDaCU8V4UlDIn-QcA"}
            ],
          "WitnessValue":"4KPjB1dl0OVeugi6FxuDd2l76-tOdwQ-3KVVWqo
  Ai0g",
          "PayloadDigest":"XFmB2PVKxowqhjsTobBlWcqL6lxrrmrTPbmgC2
  acKwBiF-8IQFVAep1nSCYX-FXTibvVJYhov1JbEVNriE0pBQ"}
        ],
      "EnvelopedActivationCommon":[{
          "enc":"A256CBC",
          "kid":"EBQJ-A3RO-PE4X-7LMM-QSPW-EMFA-HGDX",
          "Salt":"RImEmW_A-Z5v3zqz_aYesQ",
          "recipients":[{
              "kid":"MB5H-YYAQ-MKKT-5JCM-FWRL-HIJ2-6N7O",
              "epk":{
                "PublicKeyECDH":{
                  "crv":"X448",
                  "Public":"dDyHxC6UbAhRoN3dYsK8Sq-UAqA_wwA01zolu
  b1zuhKOAY_TB7RNhjcNYK7_DIGoitWQVVOKM0SA"}},
              "wmk":"Hx1gKmlhsjVZdRqKAgkmnOPwrI2HpEuK7zVEmiGeGj-p
  K3ay4x28Nw"}
            ],
          "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3RpdmF0
  aW9uQ29tbW9uIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogI
  CJDcmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NTZaIn0",
          "dig":"S512"},
        "4dJQ5E39vl5VRFBsQ5u30C_8Yg8V3J1wS_8-sZIU2ElTVOr_5WbK0_oi
  gYUdnlTE40tAzb_W7sOrVm5BnIFuU8q55kDOXtBPlCaDZHZ1WKhJKfmePQMdUpEnx
  uIEVajUrO2iw0Cft5Y63KZnlzQeJTBj3hF-pVYHZGgxz2fNiu-_wBclnP5P_O0lzC
  972FZp5B2UHqsDTFgngY4qgMfQJvbR1HybThFFjeicjJF06umMGSi4caQwpevNAoY
  OsbTbXHlCtrZo1RFhE0Rfn-44M50Dm-QVaqB5EhGCv06i1UKGnc2QXje3WBTxvnKz
  z-z23SD_uRTVWhab4ln4wMSXu_75Fz0u_FMa6yowlKjOzs7XnbNlQ21HotQZN22Qs
  Q5pdIge9Qk399Yu4rWbO9OfsJD4gEDIIGr1lTMEncub3XflJcMqQjdX8a9Lt_yvgb
  UmYvkcTLSy8CF2bH06KdAU1NpW-XrI6GgYfp3WYOEBnIApF8H-NNoJ5LuMG6KMStB
  zfk5cbTmLBi1kwPXgEgwi_FYNIdbfoYu3qylAWNMRxt6X-xfQr7rTIEMiKwhyYWfc
  6UcrmGmcKZTwDyYsrMxrOm8LhG1fwVTrt4by_sooUSDW5OLy0_AhLHqknFg1VGvT_
  xkYQEpnYw0hxEMfIyPsGFQpOAenCbWHjR0-jz2jI4ulI7rNEu6JEBcmR4FQcu3pLo
  covG5UrQHddkfZ51ATcVUkMw44GskHWF7uyD1OaAWIj95ttGdRWNdZ0X8GKLlYWv5
  tZEzMeK9Cxy38K_ilpjKTxuwYWNR29xa5tuz77TEpLddeXAbUt5Y081yC3D6JlAxp
  kv4p7uCRfD_UjXA-N0HmG8SG2iUE7XD3g60FsNQOMaslgKEx0iDFlIOYY4Q3Mj6eN
  Rq_B8U_iEKAyiCdJB1qPVhZtAd1TsDtiV_1XSKismRhtiEkqSOB570fyw1s3Gz6lG
  zWHm7Q_sy5yGKRL1BoLZR6jrzakzMlifGNAbuXh8VuHeeAen7a5pAOOwwJJ1DpohX
  b-b0djyRmYCp_1wZ6CD2XWQHXi7zRRrULCfdqedAR5SvUB288AG0asmNkWCi5jtAj
  Q812ZmwRHLAW98HpSZC8Etgwp_aQBBwnEp8q_cvosmvEI3EZGeoCd0MgGX2iG670G
  _B1nNBtDCqrmvE5mfg8PkeCSaFZWPYY2Uv8raIPyzrz0PBtQxVrsnUrErrYVNOZOq
  NiJLgpNLbNGtz6ZGBrln2GSi7XRzzM3BhZLUB3_bOKrq_VhKQXwCu6VT4amEJ3ak7
  w5zLJ0LsvMshwYhZjmHRYFDZ2qqHMQDbPiMCYcFGn6mAybuzGr68CFVF-pFRXckyv
  h0FtFiKjewwABEGIaAF6qeuzEDWVD6bn6pMa5eiZgEQ4iiyrcZWmNVS0D7E5R2yZu
  TEIRFOtx-tWivth4JGFh64rzIvnOoHwxukk3JoQnmjkTKIMLms7Ao_FY1Ow9Ofbf1
  ELoLJrZ24Z7z9wyuo1ROTeJA9PJ0eDJnLKjuLdVszT6zttKSDVn9jIaXcm2jeJcly
  Nce49EN7c3tw0bT-akFM9-CDBVa0T3rU0N7YfnKiXYpS01JyzBqPVxnA754EX1EIT
  jp0VMB60k0UG_5dsSV_PMlAfBJP0G0gDhogjB9gEyabXbVEbOA0Bq9_-6cJEIjsnZ
  _pyxBggy4qy-w9ktb0IB-X7rB2mfrkp4OH_nggzoH-O59-e_pBO2q1nuJ8NoCuZWW
  169w1GQMMJsjOvpN-VgLHy9eFA6-GukqhAZsB-FFHOqU8HRiDIrw92PD4O1si782c
  BIdxTaqYZaFnyEFk5PnFMTrvdfPj3wakmJ6apYITX6CWVP0M8X6-D2JPkNaXHn5oo
  FS811yVIZOJKK7_DSCVyVlAyNwhURlJwYWgwr_0-aYhR5TMME-zw66QEb0_dnmy8O
  _qNyHCsyAdk4ZhwPdJAWjKF_hXeTA_BzQC4ilzYwhcMOKYsx4VDgrsDqN2SKCIGry
  6-FJbTQR22iMPbMHMrYJQ2mh5GEx1dWJUWOIrNAvhwJiKF_RrD_dDrWt975sT6gMn
  w-GPWDuqWR1TX5gNWZr_gfeF1jM2UuDt4SvhgdQI2dqaf-eT5FOTSqMvgR5gghVRu
  X8Lm_19s6evcO89H0sxaSWjxBIgfdhJZeAoNcrUSdR4LvtDLehSbD2t9SQH6UfFs-
  nEYIWmAt9c_ADthMibgI_FiiSziQcvf83MzH_HoTNinmcdpgcIrssBVTyhOFpsT_s
  9pcoe4L2WTRNKMy2rp6Y_cklVPweYlE183tw1hrBpcbdwMQ5W-_GNXHqWYFBrjyVY
  LP-OOfnvV3_n6cZ306QbpT1OT5tyrQlMOqk2J9ruFVunGxeL7C24H7ftpf6c_Upvs
  pbMQhptT9OITgvSngcjfAubu2vAj3asYA_UNsfOGn2wRkCQrE3fTY43S2Rjqwvv4Y
  BfubcriYgf_yaexaoE1w5XzjCBcYdQP9SVfOFGGGKvATLT24xLF-OYfiYSjwYRiFV
  64oEy79I9eXgaa-fQdtvKIyJlW_KHA0LVcKdGAbpuYZYm_V8Djq3tlvwwj31H2TQ4
  nkGJrejs9BQR77KDaoOoYOlEWal7wg6TIrSj_MV4wE_3DyOY1nymrVaEVwYQYGpxM
  CiIPHnoA8sbrXXA9tpweicUw695kXTUvrnVb1sayODAzqOELzm-h0XC4xGHyjxB9X
  KQeUOfr_z0py2wTBEAZnlOZfL0ne7CrPkaIYfHHjJohZMlZOg38Hutg2KUF1yTx3H
  hKgzxTwo-mMgRfeytQWA1tSntBJYNvWykRnnMUR8yorv7CUv4y8p3xg9Cb8tCG4Df
  JYD3rTXf_wmyryflgJ3-2yNriJlX_Mi-nHgyRrObzeitRyQVSbUMxoendfMKJQJh_
  rC4AxjgOpDj27Og8ba4Pyph6P6xXIteOdIRTwP_J6Ln2-SwZl3C55LOhnwYB5YIo5
  A_PH2RuUpZ2gf1X0gBbT41slwy78xy4TeBtpOa2FBW9z0-UCtPI_U1NGqNaB_c5zs
  sArER5yRo9QrUv25y1GW43YHJu0TcNARWHWkDmT-b-oJSvouVaZGbz623JoAX2OnB
  zqsFzBf9fK8kbyymh1eLJmgKn8l8pf2-jgtr-UnjHwGChbiOj93VlQ-S5PDsb3j3p
  bfY5jBl2oU7VTze74T4pSbv62PQVjTg2JwIYHI-cK6x8IZJHJeCbH5i_P6kpnHTQv
  ItuEAlSliGVUyJ7Wm-0fzd8qgCybwQtv5nyKdyiA8-EkXKAUIIIMhabKADtsYOzdz
  8DfB9TNKLzc-ueidtRARFQAYMaWKDO-KrUnye9J9kgsRQaoJhUaaGLymDqX-CE3kp
  sSigbr53uV0e_lNPjswH2ddI56ELo1ZFbX_75XlNyk7poMSZ2f_q62SMpCTYkH-Hc
  0XS8vzP1NHITyJXi8Xl5xdyI8-IWCQLPpvdWiyDx111VFN3aSncIiWXOw5sWutK6j
  novXDbm078TVL4zQAOvGZ5zbjhExatWXIhxdH1RB28KyLtJ7SgDsN8qPB9ZJXhY80
  b7aKnFxb1v2Rxy1JNvwnFyaOuEUQjAN5jbDYf40E1VlQcakk6x_WOEs7FINBej16n
  oztqAQ7mmyxDVMICWsveRMEx07eC0gYHzRA044SeiBBlp-mYdyD3gSwKsM-F2dYZ0
  y7GLUR-sPhrNJg0ScBAT1j3_MUESm1k36VwGwSp85_8OerTCu2f7dojp_xqCB0ZSV
  L0_zpPAyYrGlfKobYBDdhgJU_LD73jTVeaXZi0zgEAAlYsp0Rn7NMwOBejBaVC5Iq
  IgYuW3_UlXs7YtRFMxydXJrcZnFQx6HMhP8GMr_f119jjnnaNi01I7SvWbHU2Zs4U
  sSAjcM53PD-pytSDCMDNfB_qXZWLt_cv2EM2C997Dz5HG9rz3dyrOJ1XM4LiCAgOT
  aDjYS9OzgKrpAchO0w-AwSKJ_7Peg2J90_MPu0o0J8Azowo6Fe_BgHdCtuDK0UMl5
  J88GXkSU3g9AoHQSdXOmr6yHbDVDyrQXiEjrdfzwoJEvfUi8XVSS27p_ic8s1gAvL
  bJh2ev43TpknOaHikquURA0aLZT7B2OZSD2XtLzaNUSbu3DkPphvGvGR9mVfPv-n8
  OrbpX_RgCZtCLju4no1SwY9RFhqiYBRPRJFfi77B2cIOiaeSaDMphDo4jA2yFypeE
  UKOd-JdLlTX1YzwZmgu3TgpxR_Em6UffHM0z8x8lQbYmuGKW71ZcvYqSOeh6fK60C
  sPUZsn-G6Lxd2qGX_Zc1htZ_E_3NAUMdF82VzMyj90SCLQ1EaKwRQaHaF9rgKHjsM
  wbFMUoCUL5N5WCxKRkDr2QLtfJ2ezMQ3GrpDiw2xHq-xZEzTUnq-dzuO428ovJypv
  vxglUgthfOO8NE5a15gTP19HARTuT2WZQxiSyRGucoItLZhxUM6WxHB_aGVDcDm5a
  xzdVNbYaesqdE61cHswDOnY4smxtO8Zy6uT12WPw46S0LWoDv0ba_hyMEMpJTNKd6
  i9DAG305R0P3NYVFvyJKOok1e8-nlpQE7G_R2exVdgUkNJYLvl0M7pGE70faXVm3k
  0UqUojmO0P6RpsrKcLmBm_0J5vbLdeRexxcSh0Trj-xDhjL62hG0gWe6IoCc5GYIw
  qComX7pLJ-G5h8MI4oB7npCK55_2DvrvyXBFtPiYuxi9mfQOXevhDYKukAk7U12g9
  pwnJSRvF8rV7hNw-OC7rPAT55z5xXx05rgrUuCswfhZ_4Gh5_aWjzqKAeB2KpJ5c5
  81R6IWs_y0wM471AUZSYOEo-ytCH6_qgwdPimUH98Lo5e3h7XQnHweu2A-g_nbOM3
  -voNfCcBxU_-rPYysyORvOJ5GcyIle3W2FSnBDwxS7AUVTkvJrybl6Q2MWlMA74z5
  a5C5jcGZbKJwbmhqLKWc2H-IA0CFjiqirECKMnl65A6vNpLdLoTYv-47b8Gm_qKB9
  odY-mSOolGtSTdF7r89FJwLjviTthnbvaebfEX9I1vNlmOBdiPNebl0euWDMlbiMR
  c0if_wPITYrNQaJA7elgzIwizC07ZLHu3dF-vK4pqFN0fITlCvcV2qOA85Gn0dfrZ
  Hcp84lK-IDJWMMITyqntz-SgxMpkj8qMePH-lcPK3QHfnSwxxCbvojgzz7OlvXFSg
  6WWZdNJ-LBVdhNif798Cwym2_boiVSyapNqZPCvHGvQu0byG64-sgRbYteSuASEdF
  FFeQqwuQj3xdiTAP5AIvoA1kOillzVmkHZ3cfi9SciZI8jBsK9GfZJ311HF1p9S5A
  f3fXxzh-ZWqFnGxrE0UnBfQkaSb4rzPID6bZtZfpG-q_ha4diOOz4CDbVU96DEsTx
  EgMyfONK5pG6yA372QCFGtSJlhyqxgkAx2tULOSU7pD6-nksRYxkhzfluw8F25eSm
  gygudKA5Fze6JY-5MqGiYG0VyUVc0w_Iekp6dRPO4bI5M5Y7J_DvrfpD9t7R_rK05
  emm7IeZk4zfyTlVfx0aqqSXIgeEBJHosKraZPknWz7mDL60vVGCLIFrrjhoOCPyI1
  6Lod2lJFJo9-S9a0fChR7W6kRTepLb11zCu5xTsfmSFknmHJMtTSS_pUp6GhVFzY9
  -ol1qKFEuali1A4nrlu2ysIPOe5u-a-yOLNayvpUpn9Bcj6gLZ2_g0xbu2gePOJEF
  s7EMuc77t2AQY_pyx4rMAcb2Rquh4hlrtlnO3OvfQZn0xvd9_7vpQ7Wpz_5ElM_96
  Y8jNaNkAPigRWAjpYMpb2fSdVCam9JmLhfyH8WfEskQHEzyPIG6-cbSWoW8evmOjT
  4xXpcmBGZzbUG3zUnEbwUwhxiTmUhKLEel08lnoXScYqOMMnlrg7XI-4tQQVC2r-N
  UcsmmJkbShDqIzJ-IvSxAU4IAXnan6RNv1IyLLThwFIWR-GEIfOHByabtzStNmUR9
  vzYq-WBtyWHnGWEwMLH_0ODz97Tz6tbmbiWERo8RZ1et2FAoZunF3OJKNt-VFnJK_
  OPIjQQQIm4UpjwQetvj0B-tmGHfSN2m-4D34gpYQqVqyLpeoeLpImBMNOYdpiYRRm
  Tu87pJwc9nNxO7Pt-MHDvgrjvwz5CakFewzKE6ZgEpY6KxmR8yoERyORq-rikRlFA
  7GK_EuARv_Y1TJTm54qVAD3LM7wIRdvxLSVgsPNe0OP44Y2ag8V74SAEWOTLosz5K
  IGkvuJBa9cBBzi_7Xk2PkIOjIt6PBsRuXcYPxzKv_vyeXvPheJW1nOv0NQdh3naO4
  H8sWo8KN8AJqulC5z0oTCWa4WwST0NGCpzwXxSZ0S0G3Rn4v8IDD-o7J4aZ2Yw-6E
  KgAqOBRQd964oCvB7NX9bmJBRKTvPmhXRZTJ3fM599dpNcd4gS90c3gOUjD15fqfb
  2ozBRl7jWf7MOPT0R4C6L0TZP9WU-l47La0ybmHdDktGQMd3WGP5rXZqVch9oxJmB
  qW14NCAUHuUutynNu4zjzJsMHJl_LQrPQs90625Srl90NsL560fm4ArdQ_hmBKG1b
  L-FXiRe3BgEBIOceKFWrJ6yN0G7I2gI-FL97HhvztcwKcG6wn-zayINBS3saBlc30
  41AXATNbT_V0jej42o6pycL3pWj4V8IRTfN--qp_Jd0992CWwl2H6ckRl5Zav5kyw
  FDKBbNQ3oSIQj2a6fX5hFBRV10BjXHqAviKjq0Kxlspj3oTuPs84mxxWwuNc7COt6
  5eAsbk4misCQ8I1tb3ekPBp5IrD3O4ptKWeDHGTdBYtXyISTp_FOyrkzX3XlWeQrp
  LIwMKxZhzzgthYrASEB8sFpCpzGGsDGyvFBttWqB3TP-Xp0pmpkCgvqLMdx0s6-PI
  DRs1PsPLlCqkbjgng2vXYbDB-RxR37-_KgRNAS4cDUcb2Xyn8OwbPSBfk1q_I8ItC
  L8TfOxFbTkdrCSk6m8ebofSpFK_FatCvqnCFeuadlm9RSVyQO4sK8nSxXTud5yLGZ
  8SVZ78_FMtDjyw94TTjQ_Hgji2Qm1tAtt4apLG6F5s_a3CVqBrdh8jrw4hWvKPyq0
  UuSwloda-J4snVGdi-QeurTC_HFrG9W5D2l7upl6yUzF6jZil6t-o0xugWKS9iW_g
  I3hfsNjHjEiKx0NWHylcn7Ej15o6mVClxAp9QkQKUhIz4UIrLw6UcouanBK8XPHWo
  1Mk1ZhF0OheMsD15wz33_V7Eo_clnb_ErF_XZJZvr2ynHoHEor6LYK58qi4ahbTJP
  ccNWZ62QktVEvKadmJcXl2Nr1bLuItezecosy0BHwCjzi82VAgDchZ8xWT4ns6eST
  PrjBcC2623Vqhb3u8_kpqNKFq9_gO7gfcj4JZNo5wd5ChImzKlECVcHusIi4cI349
  J9tBOnUe-xIcvA12vaOO8MN938C71I6cPB4T3hWvIqECI9b8AmATPmJCKRRW5wT_W
  OASRkVZhP70I6clsYhem5sAmVtztm4GJaTYRM8gHNPgHeUuarvxAtuX-y3_JJiJop
  DiFCIUBsAXQmSzrFB2i2wnIXy0M9v1Vk3Qxsj3Nf9I4r3PGTHS3XzvR5hRxzwf6FX
  IxZlj90EStdlTNG8PGuP7NLFEBT2gMwtXjxCkazqyZeEtLwUDvDke61ryMZOqlao5
  tMwsBSzFmm2GXvZCNPBRpBWCNZJx9hlaAVKbI400h-B9iP8NZjb_nZkE76rfRSv-q
  HoRD3MBTV0Uq-v87TuMvVIk05FC3DpFSduXBXbrG37ckSmMc-dugY80ifvdZm84xK
  FgJOMnpOmVenn6iW27xISV2Tfd5bfCyNz4BYPEHpeVgSTlw3SZI1CWGeTI6T33q-C
  xu3hUpFMXmbsn3PTschEVNeh3InrZ6GC-6qZfxZdHGmQKyghucfB5ldiJ8YiHdClp
  gRD4VXoJOUEWnITC7vZuamR-1Q9IVvri5DjVeZ6MLvQMTZZLObl6HyjwrW4w7GH83
  wHLm5Fb-4ym6YbH9Aadm5R7nUFZjoECBvBJn3h2uLKkLGaXzgTJYYhK2bnt7AAC6J
  hDr1WySiRCPVrFe0-ON6FGYWVAez8G5IAaebG8lkDtxT188UO-6GzjV7Vh5sBIcQm
  aEsQv5jEkFl3U-MG15hcvXCebdbzpX1CGpMjYifDThac-VsX19YkOyhtFAssdQYvl
  y_C-13DaRW-PK7j4hkdjD0irQvu1LeAUDdSz9kmjF8AaaBsy6xStIFdrw1Ck5gD2t
  23ZdeqSBGvGJnTIzvyeK3HCv8oKuJRQY6kcC1APzAUkjvgNbx70z7n08BSosb3Z1B
  e1mo2X8KU9fbUj-BJpyR6vITcc1VWwmvV7T6IM36sIhjrU-3IrP8d2bZZg5T1buRv
  2V9nnGbLKF6b36BpKnQbt_bQsha5WzuQMmxX5nlrgMcAVO4CotMPTpvG7J-_7ddK2
  vwK6EYekWGtEKmYQhw_kc7QAAERfH8bM5veixZqUAY6YxC5ibxyNEnbx1u2NwNdKX
  pZ3G5St2ZM1UovcF_I8e4MuzsZHJ4Kuxrg4RLXvMUQQn7WfAZL3uLZ_Ln27JGeMXN
  kH4sy8osYHRbzTPY1OtEJAmCelSk4JkydMyuwn48JrKCaIT_9LKvdY56bHrobSmvw
  V5L8fGCsSWVGWqNn3rhwBiNgIw",
        {
          "signatures":[{
              "alg":"ED448",
              "kid":"MD2L-6M7C-Z3Z3-Q3AL-JFYI-ZIUC-BKUR",
              "signature":"gHExk7IRqx_fSpaKOp_X1HLy88WStnwZWO17k9
  MekufjE7eaooRRDluULSK0DIvXbbfKC3hVlsgATCTqb5l68NkFhluvJ2z2MS7M2-h
  aRhY3Foa_5fMQdWC7--nkWF11jCh9eD_pXgaOIx0t17vVTT4A"}
            ],
          "WitnessValue":"rlT1c19N3iBlMXIAMd6bcobgDnH2Uv1m-C7VV90
  Gnyk",
          "PayloadDigest":"LudFo4aZ5eOUbOhCRQ119Oe_5JJRye2FSlSkOM
  WSC4tJUmYeuYDyxAQxf82re75Zgps7wMnww5QwjCto-9WdRQ"}
        ],
      "ApplicationEntries":[{
          "ApplicationEntrySsh":{
            "EnvelopedActivation":[{
                "enc":"A256CBC",
                "kid":"EBQH-IPF2-DRYU-N2VS-VMAI-MRHF-IZKT",
                "Salt":"eJdGrdqLp8RcPEEEXCgkmg",
                "recipients":[{
                    "kid":"MB5H-YYAQ-MKKT-5JCM-FWRL-HIJ2-6N7O",
                    "epk":{
                      "PublicKeyECDH":{
                        "crv":"X448",
                        "Public":"TFp8dAMe5wkLifcl5S3OgP3e8JPEBUx
  WRg1geI9NbXygTZWWTssJNlrE358qdw0RxjA-agAsScWA"}},
                    "wmk":"G7hWogNaI5S4osEN_QLNA5k8VEPRuoDSM3NF3t
  lBqtw8g7OypHpYQw"}
                  ],
                "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJBY3
  RpdmF0aW9uQXBwbGljYXRpb25Tc2giLAogICJjdHkiOiAiYXBwbGljYXRpb24vbW1
  tL29iamVjdCIsCiAgIkNyZWF0ZWQiOiAiMjAyNC0xMC0xNFQxMzoxMDo1NloifQ"},
              "GHk2FJEAip3mtk9ruFfCQ79sa63GkE9nWZ6WqngeJ4_kXRR7d0
  4ZME3CZGfwTmveMT5qEw4WKWwj2r0nKHm9dFJpwp0BSY8-6kozVbzAM2gPW9CrLYI
  KoRBT_dxjst8KzusT8gNADy5Bw4-l-AB7ucnmzZiQkFDxM-zOi6KoTepieRUAtxXn
  OTUfkpGGnOAx8nAQfyYxQ5ShLHxXMdJs28am4vj7XMC9t7L10c9ioZGfVTFLfCxEl
  LjvUVff2xX9tnLwRYRaCthdX39m3ld1fBkV1ARkGF5yqQPTtrUuVggLaOwTr4EG9W
  UZAi2gSgNUrP8vBnkt5oEbZlO7de8h_X0DQRAENjnaz8xLM6Ns44k3YoMzF8ItbhK
  KwPUIM63rAatd8qTNXfKw-sguZnWKZnENeqlKvu6DayHUMFTEESUQBoYdSFv6QiHd
  jFqCQ19sHw2mnhRKqKhKCaViwWPk__dYjh8YlU4Ws8Ip-XGzfhOHh61VVzZdZ-aUO
  Uo-Mwomod1muK4FIgNmnijrbrE7lQJgkAbiUKtlm16Zj4h4fKNnqg59ujtupv6dxS
  1hYEhDKZCMNtUwunz3kgX91S2wNL5B8sfHOs4h95OKJi9UNyvzOHGtrFZyyXu1cbf
  O8XvxSpp2EwqgJOUZL0nwFwK8UQ_1HPk6n6J_MbZ-zanADPMGjpdOUUxPYw5QO16V
  QQ-XinI0hrfv7YHlwwc8578Wg-Kf2sfpdZ3h2QUd3G-FSCgHyCt9Uqdpd1JAPrNOM
  eTplzJ-MDMhi6wTdUvY1O3GhZPJWfLtUtZthcQkrmF5yrIkmSdwQzziRR2FibF9Vn
  YfjlHL7AEBwfEoFV3QBTTMxEZQYd5-CCHMUIB32Qq25uihYPJxdswF7_7k6cxX0E0
  FvtjCbiewiPwXyZNL25w20tnFVZOYdG90CTQ_yaj7YqocH27tSDv9pMuY0f5G1Iln
  6gEyiZHsOSeE_p6J5KboO5uLfGOHMOaCLkNaYtFoB3e7mDnkATCRWZMnf06uQfgwt
  imUhI2JN0XZt7cJ8Jp4wWfzJLbtFH6FMlx8MA1HQrr30smK_gteZkewYvq6Uiuy5A
  DQi6lOqPt2HMxpoLKUK26jSGx9Vz46vjMz-R1XNO4MIVXwnMSxZVK4auHUoNMFbWC
  amTLdH-h18dNqO1b3NIjjC7QW5JImu14g_r3eYY7gr7zRihm6AumYRuPyZXF58n1v
  NeHXfjKUAa-rCfuh5q-vOpc9UvGnPW6ouV7jvDiZURV84prtnK_UltoBV9KvvCrhB
  GoSJvFh-RbfIKW2vaS9AlxBrpe9YbBe07ZZNM2YPkTiljkJ7-_7VDg7rRpRLssnRS
  Y6XHwIEAh7ZsG4weOk9SoZwX_DEJK2svpuGexyelMHHiFU2DDDg1D0zWJQDk2SzFy
  gqA6SO-P6DzZe4N5u9bFcIrM_hRJY7BDV0ww4SkvvYV680C3LI_918m0CnxwaJDPq
  HDa4fhYAQsXEZeHMXF5B8PMqnfeypU1gl3npN3u2phl1jUwBlqFZhwS6X3EnEGQbN
  IJsUhvwjohFWO1elxX2WjRtyOLSrRHl4FFu3S1ZkBvEl5TN5Ho6zu32EQLlI07cw1
  0Gl-dA7TpI7lPMvkcW1pEEBWd59iLixBnPSrq1KkrJb-Vyl-Bo05W2v5Qzna_af_l
  J9FHwWatugiKb18QyFrhL6Kjo8tZScGjadDUdlwUC_d_r6YJMQY2yX0YBkuei14UX
  Zholy8JpUbLfa0gNs-WdFQCoinq4CAFdxfNikKlSVXPnF_sUEtKZiDG3SQ8jBOC-K
  6YrT3caFRK2K0_wyhHC7HzooZSk89DR9pG0g1Kx3LE_E-6H38fyPOD-Y38JfmMa7w
  KjYhYNuYF1LfgD5dGk29Azq8KIHII8il7V82PvFKJt9RodreotvpGkEk56PxN27UX
  fIQVY8XgnsEbWWkmICPF__BEzDVK_6L3EJzyHMNGQMb9jwmVnklorDvv2KlxOMbCj
  pXlRg47-KcKxmqv8Kz_TMYs2HZVaHunrLsJRqIKTABXROVKl26sJXoV410cvMtb7f
  Z0a8_Nif8Hogvg30JaXg7-y88gbq87ZeYF5pLqjHQXO-RNrFZZWXZKOwhl9pk2Hx1
  eu0D1xj87HqPF3RUspLtTf6GSGOhrGURhEsd-Vu9EqkPI_A0FRhYRIAlkIO3LJTlJ
  1lWxC3fcWSdFNI9rHdl4oLzvfHMayRmCpkPRd9cFT7qvZ2ZNFsY84V5bWph1xPvWy
  sgSDXASnfAoaIY02bhuvCe6qaYtltPKxnYQFxisIaiBS1RNqR6gtVsvD0qJPBG1oT
  I-6Pk2yNLILS9U5-Z5hPAR8crXPlz__sOO-aDN-aWndm8IS7H-rODbLk_wg1QfLLS
  HCVjNml7qe21YaYfEgaRoe5lh4NuzXskRKpW5Sk1Yz7sghjv2MSgSj0NgpWkQTfYt
  mUic1RC8isRCKOpB8hj8jgVEiQYoeBmM76fYIBdX_9hehXtEclGwK5_qii-pQ5tqR
  zEqRrd3ULZ4O0aeJeEoNXG74Hzytj9TpfkvU1R5ZHgtnkS97WIe9ACaDBHpvmcYxc
  ou-IAmt6MP5HhbK45FtMteC8WqZQGrhdmCGW0_m7N0R81MJDirmcI9nP9ZRPAWooK
  mdhuiUX8B4XO52r7PpP46PAB9gWo2rh16VapCslRPbYXWxsiOT99RYn_YVBTJaUvK
  mWbELtOWCHY0rQKAO3W-yUlzLZAwX_fDa9P8R2tFdwuzdJ8OkyVWueNjn1kA2_UKQ
  oVTNe5jt7J7JszsKqHJ2UcCi5Oi03u05JX8NKgNajg9VqNpQUrySPmrFg6WY7hHXa
  lgz0icVrKEOtGpJQJtf2neengXBNnO8RedkmiEjETolHc_2h8su_eB45-DBYCXr7O
  qIRw8mMExFvyowMe_MeH7u8kpZX3t8bPD9M46xcOq2RF657j2Yr-0AKm2SRFLFMT5
  n1J0l0Hk2va0TLVv3csLGHzl14BNXIbUhEWVe-Bns3RZflOM74JXS_jqYz419hEP_
  MV3njzmVsTxfSVzMOizoLGyf8dfetSvpSyOXi5AVx8sege_Pp3TLx2AlxpofpVILM
  9a6JCetP4vMdImjrvuIgcRPlaO1NjXZ_lPPlQYKYEN8FLVtPCQJsuM5kPZLGdp9sm
  Aeg-2AFf_oAZ_YxLTitkrfmVPb2so14gWi9i6-ptznY2ffH9UAFRpcAzDz13bRTMe
  43slJvh3X0hqI0XxwSh1jq3pZe7YgOv8z2zsrMoXEN_UrE0xFlDal5cm1G2fI7K5Q
  6nx6y84XKlE93BMZ7rJeUXi9Vu3x"
              ],
            "Identifier":"MBR3-LM6K-JRW2-JWYF-JK3C-SIA4-HG77"}}
        ]},
    "MessageId":"MDDD-KNM4-KUZH-QVC4-KWLI-5NBW-T54I"}}

9.1.4. Phase 4

The device periodically polls for completion of the connection request using the Complete transaction.

To provide a final check on the process, the command line tool presents the UDF of the account profile to which the device has connected if successful:

Alice3> meshman device complete
   Device UDF = MBQD-CODE-XMWJ-QHE3-2KHZ-UKKF-TVVF
   Account = alice@example.com
   Account UDF = MBQC-7OHA-RNBA-FRDL-R4GI-YQHA-DL36
Alice3> meshman account sync

The completion request specifies the witness value for the transaction whose completion is being queried:

{
  "CompleteRequest":{
    "AccountAddress":"alice@example.com",
    "ResponseID":"MDDD-KNM4-KUZH-QVC4-KWLI-5NBW-T54I"}}

The Service responds to the complete request by checking to see if an entry has been added to the local spool. If so, this contains the RespondConnection message created by the administration device.

9.2. Preconfigured (Static QR Code)

The preconfigured device connection interaction is used to connect devices that lack affordances such as a display or a keyboard. It is also known as the static QR code interaction because a static QR code printed on the device itself is used to connect it to a user's account.

Future: Note that this interaction is likely to be changed substantially in future revisions of the specification and the Claim/PollClaim mechanism removed and replaced with a messaging based approach.

The interaction has five phases:

Phase 1: Preconfiguration

The device to be onboarded is preconfigured with a ProfileDevice and private key information and a DeviceDescription posted to a publication service. This process is typically performed during manufacture. An EARL providing the ability to locate and decrypt the description is printed on the device itself as a QR code.

Phase 2: Device description acquisition

The administration device acquiring the onboarding device scans the QR code on the device and uses this information to obtain the Device Description by means of the Claim operation described above.

Phase 3: Administration Device Acceptance

This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device MAY advise the device that a connection request is being made by additional means described in the device description (e.g. WiFi, Bluetooth).

Phase 4: Poll Claim Notification

When connected to a network, the preconfigured device periodically attempts to poll the connection sources specified to find out if there is a pending request. If a connection request is posted, the device decrypts it to allow it to complete the connection process.

Phase 5: Onboarding Device Completion

This phase is performed in the same manner as the Dynamic QR Code (PIN) Authenticated interaction except that the administration device requires notice of the pending connection request.

The main differences between this connection interaction and the witness/PIN connection interactions are that the device is preconfigured with the device profile at the time of manufacture and the onboarding device MAY be acquiring network configuration information during the connection process.

9.2.1. Phase 1

The manufacturer preconfigures the device:

Maker> meshman device preconfig
Device UDF: MBQK-36BF-K7RS-UDWD-PVC3-CVMR-BJCP
File: EBH3-DT6M-G2WA-EF7E-DA42-DN55-7E.medk

This results in the creation of a primary secret which is used to compute a ProfileDevice and corresponding connection records signed by the manufacturer's administrator key.

The data is combined to create a DevicePreconfiguration record that is provisioned to the firmware of the device being preconfigured.

{
  "DevicePreconfigurationPrivate":{
    "EnvelopedConnectionDevice":[{
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW
  9uRGV2aWNlIiwKICAiY3R5IjogImFwcGxpY2F0aW9uL21tbS9vYmplY3QiLAogICJ
  DcmVhdGVkIjogIjIwMjQtMTAtMTRUMTM6MTA6NThaIn0",
        "dig":"S512"},
      "ewogICJDb25uZWN0aW9uRGV2aWNlIjogewogICAgIlNpZ25hdHVyZSI6IH
  sKICAgICAgIlVkZiI6ICJNRFY1LUVJQ0ktSk5GVi0zNUs3LUlQREctNkNWNy1OU1Y
  1IiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tl
  eUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIkVkNDQ4IiwKICAgICAgICAgICJQd
  WJsaWMiOiAiQVVPMUIyR1RLNGZjSk9rUFlNN0RJa3VDT2s0SWNJbHFzTGZuQVlnQS
  1BQ0dhZmNvUFZCdQogIEJDSGYzR2JDMEx2bHBiS2cwNmliREh5QSJ9fX0sCiAgICA
  iRW5jcnlwdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQkZGLUVTUDMtVk5YWS1EWUhM
  LTVNSkktVjRLNy1WN1dOIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgI
  CAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLA
  ogICAgICAgICAgIlB1YmxpYyI6ICJMd2oxNlE3QmNraWU3ZU9jMG85NXJYbGZ6enh
  rSDFFTGVCMGxlLURJdklxemVpeHlocjZhCiAgTjRTSV94Vzh6eGwxSGVSclRKN1lh
  Uy1BIn19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQ
  kZGLUVTUDMtVk5YWS1EWUhMLTVNSkktVjRLNy1WN1dOIiwKICAgICAgIlB1YmxpY1
  BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICA
  gICAiY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJMd2oxNlE3QmNr
  aWU3ZU9jMG85NXJYbGZ6enhrSDFFTGVCMGxlLURJdklxemVpeHlocjZhCiAgTjRTS
  V94Vzh6eGwxSGVSclRKN1lhUy1BIn19fX19",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MD66-B7Q7-HWEB-UAF6-PWNM-YVBH-HXE7",
            "signature":"T5q8Ygyj3aM5tDzUmjoFMAVdGasi0PF1SZlgFYCl
  3kCT5_NZrd5iuGcJetwaq0bINEJHDjUppQuAdbpe8eZPlJBtTo8EBksurd04sqf1U
  NIokTq5HA-eXh45bjPkOGjwZmBBO46LlyQDG_kq-6roUw0A"}
          ],
        "PayloadDigest":"CQupHrY2ASmhF8QOcXCnjid4nC6wlVlUk9cxmIUc
  MGC1_YLhJwc7wpE-EfoDCcmkTtRCPmwq1tmdX88VClLkSw"}
      ],
    "EnvelopedConnectionService":[{
        "ContentMetaData":"ewogICJNZXNzYWdlVHlwZSI6ICJDb25uZWN0aW
  9uU2VydmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICA
  iQ3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU4WiJ9",
        "dig":"S512"},
      "ewogICJDb25uZWN0aW9uU2VydmljZSI6IHsKICAgICJBdXRoZW50aWNhdG
  lvbiI6IHsKICAgICAgIlVkZiI6ICJNQkZGLUVTUDMtVk5YWS1EWUhMLTVNSkktVjR
  LNy1WN1dOIiwKICAgICAgIlB1YmxpY1BhcmFtZXRlcnMiOiB7CiAgICAgICAgIlB1
  YmxpY0tleUVDREgiOiB7CiAgICAgICAgICAiY3J2IjogIlg0NDgiLAogICAgICAgI
  CAgIlB1YmxpYyI6ICJMd2oxNlE3QmNraWU3ZU9jMG85NXJYbGZ6enhrSDFFTGVCMG
  xlLURJdklxemVpeHlocjZhCiAgTjRTSV94Vzh6eGwxSGVSclRKN1lhUy1BIn19fX1
  9",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MD66-B7Q7-HWEB-UAF6-PWNM-YVBH-HXE7",
            "signature":"4FkfmdMX6sWMQ5zskF7V_1UsoBTBKVVQtYigF41m
  MGOx1_yTQtpDs1lnqxmBt6yAtjfUvv1NsG2AdYx425rJ5-lryqyud6m-MNoTCUeWW
  wuO0jGMpaw2PyjFUFh62_k5fGDzZVgqx-larLbwVf6vFQsA"}
          ],
        "PayloadDigest":"z4aP8rSa_WxiufLZcZmhBbJd-3OCz70GX4gIkH0y
  U4LCO8QdoX-4iAbwfwylksQDTtNbKmVfxQam4MCT-2oKZw"}
      ],
    "PrivateKey":{
      "PrivateKeyUDF":{
        "PrivateValue":"ZAAQ-AUKH-YPXV-5NTI-ZVIK-4Q2D-EFAP-UR7Y-5XX
N-EDXE-HX3O-LYFS-BJOU-CMQE",
        "KeyType":"MeshProfileDevice",
        "RootSignAlgorithms":["ED448"
          ]}},
    "ConnectUri":"mcd://maker@example.com/EBH3-DT6M-G2WA-EF7E-DA42-
DN55-7E",
    "EnvelopedProfileDevice":[{
        "EnvelopeId":"MBQK-36BF-K7RS-UDWD-PVC3-CVMR-BJCP",
        "ContentMetaData":"ewogICJVbmlxdWVJZCI6ICJNQlFLLTM2QkYtSz
  dSUy1VRFdELVBWQzMtQ1ZNUi1CSkNQIiwKICAiTWVzc2FnZVR5cGUiOiAiUHJvZml
  sZURldmljZSIsCiAgImN0eSI6ICJhcHBsaWNhdGlvbi9tbW0vb2JqZWN0IiwKICAi
  Q3JlYXRlZCI6ICIyMDI0LTEwLTE0VDEzOjEwOjU4WiJ9",
        "dig":"S512"},
      "ewogICJQcm9maWxlRGV2aWNlIjogewogICAgIkVuY3J5cHRpb24iOiB7Ci
  AgICAgICJVZGYiOiAiTUJGRi1FU1AzLVZOWFktRFlITC01TUpJLVY0SzctVjdXTiI
  sCiAgICAgICJQdWJsaWNQYXJhbWV0ZXJzIjogewogICAgICAgICJQdWJsaWNLZXlF
  Q0RIIjogewogICAgICAgICAgImNydiI6ICJYNDQ4IiwKICAgICAgICAgICJQdWJsa
  WMiOiAiTHdqMTZRN0Jja2llN2VPYzBvOTVyWGxmenp4a0gxRUxlQjBsZS1ESXZJcX
  plaXh5aHI2YQogIE40U0lfeFc4enhsMUhlUnJUSjdZYVMtQSJ9fX0sCiAgICAiU2l
  nbmF0dXJlIjogewogICAgICAiVWRmIjogIk1EVjUtRUlDSS1KTkZWLTM1SzctSVBE
  Ry02Q1Y3LU5TVjUiLAogICAgICAiUHVibGljUGFyYW1ldGVycyI6IHsKICAgICAgI
  CAiUHVibGljS2V5RUNESCI6IHsKICAgICAgICAgICJjcnYiOiAiRWQ0NDgiLAogIC
  AgICAgICAgIlB1YmxpYyI6ICJBVU8xQjJHVEs0ZmNKT2tQWU03RElrdUNPazRJY0l
  scXNMZm5BWWdBLUFDR2FmY29QVkJ1CiAgQkNIZjNHYkMwTHZscGJLZzA2aWJESHlB
  In19fSwKICAgICJBdXRoZW50aWNhdGlvbiI6IHsKICAgICAgIlVkZiI6ICJNQVZHL
  VlXWVYtMlVXNy1MU1QzLUFQQkctUkw3SC1ONTMzIiwKICAgICAgIlB1YmxpY1Bhcm
  FtZXRlcnMiOiB7CiAgICAgICAgIlB1YmxpY0tleUVDREgiOiB7CiAgICAgICAgICA
  iY3J2IjogIlg0NDgiLAogICAgICAgICAgIlB1YmxpYyI6ICJyRlZGUi1jTDZjdWNU
  U3JmRm4xNDZYVE9kMWgzSkdBM0hrQ0VlYkNzaUEzT3dWQXBkN2ZsCiAgZ0Z4Zlh0d
  lkzVXRpNmlRd1RTdmVFWmtBIn19fSwKICAgICJSb290VWRmcyI6IFsiWU5lVGVBYk
  l4NVdSdEN4Q3llbnBqYWJKVlJuOERUbGF1SFBUZFFUYnRJOEFHblY1bk8KICBWM1l
  PWENlRFlRZTk5VnFIcWZwYi10MFZxSjI5blZKRW1yUEpNIl19fQ",
      {
        "signatures":[{
            "alg":"ED448",
            "kid":"MDLZ-G6AG-ZDDZ-LENU-FRBM-T2PJ-RWTM",
            "SignatureKey":{
              "PublicKeyECDH":{
                "crv":"Ed448",
                "Public":"WPX0CBEOzgJWHVJqiyTAr4MrieFJQYzdutZML5-
  MnHsfF7KfRmGxsUR9eppBIKTFhzLaRhd06XmA"}},
            "signature":"s1AVL-omThJqK3LTFXtg58xvRBZoeansc39u4rqT
  iKRHKrCQx-11PG9b0Vq-VC_MRWxbCwZenawAo4fBnNnpNvtbNGUaALlFVvLK5nPZV
  O6nY6gA_i3ID9ZrUTxYJz0lbj-ZTIt6NZOGxTJX4yxJiC8A"}
          ],
        "PayloadDigest":"OrZNsRzLz7olETFljSpKbdG1bNjj5MBr-ireuPK6
  Sn9-ARWs4E3Xk2_HvrHA7cySavkX6anRBSGzQ5uYty0_Ow"}
      ]}}

An EARL is created specifying the means by which an administration device can acquire the information required to complete a connection to the device:

QR = {Connect.ConnectEARL}

The preconfigured ProfileDevice is encrypted under the encryption key and published to the location key derived from the EARL.

9.2.2. Phase 2 & 3

The administration device scans the QR code and obtains the Device Description using the Claim operation as shown in section $$$$. The administration device creates the ActivationDevice and CatalogedDevice records and populates the service as before.

Alice> meshman account connect ^
    mcd://maker@example.com/EBH3-DT6M-G2WA-EF7E-DA42-DN55-7E /web

9.2.3. Phase 4

The device polls the publication service until a claim message is returned.

Alice4> meshman device complete
   Device UDF = MBQK-36BF-K7RS-UDWD-PVC3-CVMR-BJCP
   Account = alice@example.com
   Account UDF = MBQC-7OHA-RNBA-FRDL-R4GI-YQHA-DL36

9.2.4. Phase 5

Having been advised that an account has published a claim to bind to it, the device posts a connection Complete request to the specified account and completes the connection process as before.

10. Protocol Schema

HTTP Well Known Service Prefix: /.well-known/mmm

Every Mesh Portal Service transaction consists of exactly one request followed by exactly one response. Mesh Service transactions MAY cause modification of the data stored in the Mesh Service or the Mesh itself but do not cause changes to the connection state. The protocol itself is thus idempotent. There is no set sequence in which operations are required to be performed. It is not necessary to perform a Hello transaction prior to any other transaction.

10.1. Request Messages

A Mesh Portal Service request consists of a payload object that inherits from the MeshRequest class. When using the HTTP binding, the request MUST specify the portal DNS address in the HTTP Host field.

10.1.1. Message: MeshRequest

Base class for all request messages.

[No fields]

10.1.2. Message: MeshRequestUser

Base class for all request messages made by a user.

Inherits: MeshRequest
Account: String (Optional)

The fully qualified account name (including DNS address) to which the request is directed.

Capability: String (Optional)

The identifier of the capability under which access is claimed.

EnvelopedProfileDevice: Enveloped (Optional)

Device profile of the device making the request.

10.2. Response Messages

A Mesh Portal Service response consists of a payload object that inherits from the MeshResponse class. When using the HTTP binding, the response SHOULD report the Status response code in the HTTP response message. However, the response code returned in the payload object MUST always be considered authoritative.

10.2.1. Message: MeshResponse

Base class for all response messages. Contains only the status code and status description fields.

[No fields]

10.3. Imported Objects

The Mesh Service protocol makes use of JSON objects defined in the JOSE Signature and Encryption specifications and in the DARE Data At Rest Encryption extensions to JOSE.

10.4. Common Structures

The following common structures are used in the protocol messages:

10.4.1. Structure: KeyValue

Describes a Key/Value structure used to make queries for records matching one or more selection criteria.

Key: String (Optional)

The data retrieval key.

Value: String (Optional)

The data value to match.

10.4.2. Structure: ConstraintsSelect

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

Store: String (Optional)

The container to be searched.

IndexMin: Integer (Optional)

Only return objects with an index value that is equal to or higher than the value specified.

IndexMax: Integer (Optional)

Only return objects with an index value that is equal to or lower than the value specified.

NotBefore: DateTime (Optional)

Only data published on or after the specified time instant is requested.

Before: DateTime (Optional)

Only data published before the specified time instant is requested. This excludes data published at the specified time instant.

PageKey: String (Optional)

Specifies a page key returned in a previous search operation in which the number of responses exceeded the specified bounds.

When a page key is specified, all the other search parameters except for MaxEntries and MaxBytes are ignored and the service returns the next set of data responding to the earlier query.
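The selection rules above leave room for two easy mistakes: off-by-one handling of the inclusive and exclusive bounds, and honouring fresh search parameters sent alongside a PageKey. The following sketch is an added example, not code from the draft or its reference implementation. The `Entry` and `StoreService` types, the store name, the random single-use page key and the way the key is returned to the caller are all assumptions, since the draft does not say how page keys are formed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """Constructed stand-in for a store entry (not a Mesh type)."""
    index: int
    published: datetime


@dataclass(frozen=True)
class ConstraintsSelect:
    """Field names as listed in section 10.4.2; all are optional."""
    Store: Optional[str] = None
    IndexMin: Optional[int] = None
    IndexMax: Optional[int] = None
    NotBefore: Optional[datetime] = None
    Before: Optional[datetime] = None
    PageKey: Optional[str] = None


def matches(entry: Entry, sel: ConstraintsSelect) -> bool:
    """Apply the bounds as worded: three are inclusive, Before is exclusive."""
    if sel.IndexMin is not None and entry.index < sel.IndexMin:
        return False
    if sel.IndexMax is not None and entry.index > sel.IndexMax:
        return False
    if sel.NotBefore is not None and entry.published < sel.NotBefore:
        return False
    if sel.Before is not None and entry.published >= sel.Before:
        return False
    return True


class StoreService:
    """Hypothetical service-side selector with opaque, single-use page keys."""

    def __init__(self, stores: Dict[str, List[Entry]]):
        self._stores = stores
        # page key -> (original query, first index not yet returned)
        self._pages: Dict[str, Tuple[ConstraintsSelect, int]] = {}

    def select(self, sel: ConstraintsSelect, max_entries: int):
        """Return (entries, next_page_key); next_page_key is None when done."""
        if max_entries < 1:
            raise ValueError("MaxEntries must be at least 1")
        resume = 0
        if sel.PageKey is not None:
            # Every other field of the request is ignored: only the query
            # saved when the key was issued is evaluated, so a continuation
            # cannot widen the bounds or switch to another store.
            if sel.PageKey not in self._pages:
                raise KeyError("unknown or already used page key")
            sel, resume = self._pages.pop(sel.PageKey)
        if sel.Store not in self._stores:
            raise KeyError("unknown store")
        ordered = sorted(self._stores[sel.Store], key=lambda e: e.index)
        hits = [e for e in ordered if e.index >= resume and matches(e, sel)]
        page = hits[:max_entries]
        next_key = None
        if len(hits) > max_entries:
            next_key = secrets.token_urlsafe(16)  # unguessable, carries no state
            self._pages[next_key] = (sel, page[-1].index + 1)
        return page, next_key


def at(hour: int) -> datetime:
    """Constructed timestamp helper for the sample data."""
    return datetime(2024, 10, 14, hour, tzinfo=timezone.utc)


def sample_service() -> StoreService:
    """Constructed data: entries 1..10, entry i published at hour i UTC."""
    entries = [Entry(i, at(i)) for i in range(1, 11)]
    return StoreService({"example-store": entries})


if __name__ == "__main__":
    svc = sample_service()
    first = ConstraintsSelect(Store="example-store", IndexMin=2, IndexMax=8)
    page, key = svc.select(first, 3)
    print([e.index for e in page], key is not None)
    # The widened IndexMax sent with the page key has no effect.
    page, key = svc.select(ConstraintsSelect(IndexMax=10, PageKey=key), 3)
    print([e.index for e in page])
```

Keeping the original query on the service side, rather than encoding it in the key, means a client cannot alter the bounds by editing the key.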

10.4.3. Structure: ConstraintsData

Specifies constraints on the data to be sent.

MaxEntries: Integer (Optional)

Maximum number of entries to send.

BytesOffset: Integer (Optional)

Specifies an offset to be applied to the payload data before it is sent. This allows large payloads to be transferred incrementally.

BytesMax: Integer (Optional)

Maximum number of payload bytes to send.

Header: Boolean (Optional)

Return the entry header

Payload: Boolean (Optional)

Return the entry payload

Trailer: Boolean (Optional)

Return the entry trailer

10.4.4. Structure: PolicyAccount

Describes the account creation policy including constraints on account names, whether there is an open account creation policy, etc.

Minimum: Integer (Optional)

Specifies the minimum length of an account name.

Maximum: Integer (Optional)

Specifies the maximum length of an account name.

InvalidCharacters: String (Optional)

A list of characters that the service does not accept in account names. The list of characters MAY not be exhaustive but SHOULD include any illegal characters in the proposed account name.

10.4.5. Structure: StoreStatus

Store: String (Optional)
Index: Integer (Optional)
Digest: Binary (Optional)

In a status response, the apex digest value of the store whose status is reported.

10.4.6. Structure: StoreUpdate

Inherits: StoreStatus
Envelopes: DareEnvelope [0..Many]

The entries to be uploaded.

Partial: Boolean (Optional)

If false, the store update does not contain the last index entry in the store.

FinalIndex: Integer (Optional)

If the value Partial is true, this value MUST specify the index value of the last entry in the store.

10.5. Transaction: Hello

Request: HelloRequest
Response: MeshHelloResponse

Report service and version information.

The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.

The PostConstraints field MAY be used to advise senders of a maximum size of payload that MAY be sent in an initial Post request.

10.5.1. Message: MeshHelloRequest

CallsignBinding: CallsignBinding (Optional)

Contains a proposed callsign binding to the account.

10.5.2. Message: MeshHelloResponse

ConstraintsUpdate: ConstraintsData (Optional)

Specifies the default data constraints for updates.

ConstraintsPost: ConstraintsData (Optional)

Specifies the default data constraints for message senders.

PolicyAccount: PolicyAccount (Optional)

Specifies the account creation policy

EnvelopedProfileService: Enveloped (Optional)

The enveloped master profile of the service.

CallsignBinding: CallsignBinding (Optional)

If the request specifies a callsign binding, returns a proposed binding for the requested callsign.

10.6. Transaction: BindAccount

Request: BindRequest
Response: BindResponse

Request binding of an account to the service. This method is called during account creation and binding.

The operation is called Bind rather than Create because the account is created by the user, not the service.

10.6.1. Message: BindRequest

Request binding of an account to a service address.

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account to bind to.

EnvelopedProfileAccount: Enveloped (Optional)

The signed assertion describing the account.

EnvelopedCallsignBinding: Enveloped [0..Many]

Contains one or more bindings of a callsign to the account.

10.6.2. Message: BindResponse

Inherits: MeshResponse

Reports the success or failure of a Create transaction.

Reason: String (Optional)

Text explaining the status of the creation request.

URL: String (Optional)

A URL to which the user is directed to complete the account creation request.

EnvelopedAccountHostAssignment: Enveloped (Optional)

The enveloped assignment describing how the client should discover the host and encrypt data to it.

10.7. Transaction: UnbindAccount

Request: UnbindRequest
Response: UnbindResponse

Request deletion of a service account.

10.7.1. Message: UnbindRequest

Request creation of a new portal account. The request specifies the requested account identifier and the Mesh profile to be associated with the account.

Inherits: MeshRequestUser

[No fields]

10.7.2. Message: UnbindResponse

Inherits: MeshResponse

Reports the success or failure of a Delete transaction.

[No fields]

10.8. Transaction: Connect

Request: ConnectRequest
Response: ConnectResponse

Request information necessary to begin making a connection request.

10.8.1. Message: ConnectRequest

Inherits: MeshRequest
EnvelopedRequestConnection: Enveloped (Optional)

The connection request generated by the client

Rights: String [0..Many]

List of named access rights.

10.8.2. Message: ConnectResponse

Inherits: MeshResponse
EnvelopedAcknowledgeConnection: Enveloped (Optional)

The connection request generated by the client

EnvelopedProfileAccount: Enveloped (Optional)

The user profile that provides the root of trust for this Mesh

10.9. Transaction: Complete

Request: CompleteRequest
Response: CompleteResponse

10.9.1. Message: CompleteRequest

Inherits: StatusRequest
AccountAddress: String (Optional)
ResponseID: String (Optional)

10.9.2. Message: CompleteResponse

Inherits: MeshResponse
EnvelopedRespondConnection: Enveloped (Optional)

The signed assertion describing the result of the connect request

EnvelopedAccountHostAssignment: Enveloped (Optional)

The enveloped assignment describing how the client should discover the host and encrypt data to it.

10.10. Transaction: Status

Request: StatusRequest
Response: StatusResponse

10.10.1. Message: StatusRequest

Inherits: MeshRequestUser
DeviceUDF: String (Optional)
CatalogedDeviceDigest: String (Optional)
Catalogs: String [0..Many]
Spools: String [0..Many]
Services: String [0..Many]
DeviceStatus: Boolean (Optional)

10.10.2. Message: StatusResponse

Inherits: MeshResponse
Bitmask: Binary (Optional)
EnvelopedProfileAccount: Enveloped (Optional)

The account profile providing the root of trust for this account.

EnvelopedCatalogedDevice: Enveloped (Optional)

The catalog device entry

CatalogedDeviceDigest: String (Optional)
StoreStatus: StoreStatus [0..Many]
EnvelopedAccountHostAssignment: Enveloped (Optional)

The enveloped assignment describing how the client should discover the host and encrypt data to it.

Services: ServiceAccessToken [0..Many]

A series of access tokens for the requested services.

DeviceStatuses: DeviceStatus [0..Many]

10.10.3. Structure: DeviceStatus

Id: String (Optional)
Status: String (Optional)
Comment: String (Optional)
LastConnected: DateTime (Optional)

10.11. Transaction: Download

Request: DownloadRequest
Response: DownloadResponse

Request objects from the specified container with the specified search criteria.

10.11.1. Message: DownloadRequest

Inherits: MeshRequestUser

Request objects from the specified container(s).

A client MAY request only objects matching specified search criteria be returned and MAY request that only specific fields or parts of the payload be returned.

MaxResults: Integer (Optional)

The maximum number of results to be returned.

DeviceUDF: String (Optional)
CatalogedDeviceDigest: String (Optional)
Select: ConstraintsSelect [0..Many]

Specifies constraints to be applied to a search result. These allow a client to limit the number of records returned, the quantity of data returned, the earliest and latest data returned, etc.

ConstraintsPost: ConstraintsData (Optional)

Specifies the data constraints to be applied to the responses.

10.11.2. Message: DownloadResponse

Inherits: MeshResponse

Return the set of objects requested.

Services SHOULD NOT return a response that is disproportionately large relative to the speed of the network connection without a clear indication from the client that it is relevant. A service MAY limit the number of objects returned. A service MAY limit the scope of each response.

Updates: StoreUpdate [0..Many]

The updated data

CatalogedDeviceDigest: String (Optional)
EnvelopedCatalogedDevice: Enveloped (Optional)

The catalog device entry. This is only returned if the

10.12. Transaction: Transact

Request: TransactRequest
Response: TransactResponse

Attempt an atomic transaction on the containers and spools associated with an account.

10.12.1. Message: TransactRequest

Inherits: MeshRequestUser

Upload entries to a container. This request is only valid if it is issued by the owner of the account.

Updates: StoreUpdate [0..Many]

The data to be updated

Accounts: String [0..Many]

The account(s) to which the request is directed.

Outbound: Enveloped [0..Many]

The messages to be sent to other accounts

Inbound: Enveloped [0..Many]

Messages to be appended to the user's inbound spool. This is typically used to post notifications to the user to mark messages as having been read or responded to.

Local: Enveloped [0..Many]

Messages to be appended to the user's local spool. This is used to allow connecting devices to collect activation messages before they have connected to the mesh.

10.12.2. Message: TransactResponse

Inherits: MeshResponse

Response to an upload request.

Bitmask: Binary (Optional)
Entries: EntryResponse [0..Many]

The responses to the entries.

ConstraintsData: ConstraintsData (Optional)

If the upload request contains redacted entries, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

10.12.3. Structure: EntryResponse

IndexRequest: Integer (Optional)

The index value of the entry in the request.

IndexContainer: Integer (Optional)

The index value assigned to the entry in the container.

Result: String (Optional)

Specifies the result of attempting to add the entry to a catalog or spool. Valid values for a message are 'Accept', 'Reject'. Valid values for an entry are 'Accept', 'Reject' and 'Conflict'.

ConstraintsData: ConstraintsData (Optional)

If the entry was redacted, specifies constraints that apply to the redacted entries as a group. Thus the total payloads of all the messages must not exceed the specified value.

10.13. Transaction: PublicRead

Request: PublicRequest
Response: DownloadResponse

Request objects from the specified container with the specified search criteria.

10.13.1. Message: PublicRequest

Inherits: DownloadRequest

Request download from a public store (which may be encrypted).

[No fields]

10.14. Transaction: Post

Request: PostRequest
Response: PostResponse

Request to post to a spool from an external party. The request and response messages are extensions of the corresponding messages for the Upload transaction. It is expected that additional fields will be added as the need arises.

10.14.1. Message: PostRequest

Inherits: MeshRequest
Accounts: String [0..Many]

The account(s) to which the request is directed.

Messages: Enveloped [0..Many]

The messages to be sent to the addresses specified in Accounts.

10.14.2. Message: PostResponse

Inherits: TransactResponse

[No fields]

10.15. Transaction: Claim

Request: ClaimRequest
Response: ClaimResponse

Claim a publication

10.15.1. Message: ClaimRequest

Inherits: MeshRequest
EnvelopedMessageClaim: Enveloped (Optional)

The claim message

10.15.2. Message: ClaimResponse

Inherits: MeshResponse
CatalogedPublication: CatalogedPublication (Optional)

The encrypted device profile

10.16. Transaction: PollClaim

Request: PollClaimRequest
Response: PollClaimResponse

Check party making claim

10.16.1. Message: PollClaimRequest

Inherits: MeshRequest
PublicationId: String (Optional)

The envelope identifier formed from the PublicationId.

TargetAccountAddress: String (Optional)

Account to which the claim is directed

10.16.2. Message: PollClaimResponse

Inherits: MeshResponse
EnvelopedMessage: Enveloped (Optional)

The claim message

10.16.3. Structure: CryptographicOperation

KeyId: String (Optional)

The key identifier

KeyCoefficient: Binary (Optional)

Lagrange coefficient multiplier to be applied to the private key

10.16.4. Structure: CryptographicOperationSign

Inherits: CryptographicOperation
Data: Binary (Optional)

The data to sign

PartialR: Binary (Optional)

Contribution to the R offset.

10.16.5. Structure: CryptographicOperationKeyAgreement

Inherits: CryptographicOperation

[No fields]

10.16.6. Structure: CryptographicOperationGenerate

Inherits: CryptographicOperation

[No fields]

10.16.7. Structure: CryptographicOperationShare

Inherits: CryptographicOperation
Threshold: Integer (Optional)
Shares: Integer (Optional)

10.16.8. Structure: CryptographicResult

Error: String (Optional)

10.16.9. Structure: CryptographicResultKeyAgreement

Inherits: CryptographicResult

[No fields]

10.16.10. Structure: CryptographicResultShare

Inherits: CryptographicResult

[No fields]

10.17. Transaction: Operate

Request: OperateRequest
Response: OperateResponse

Perform a set of cryptographic operations

10.17.1. Message: OperateRequest

Inherits: MeshRequest
AccountAddress: String (Optional)

The service account the capability is bound to

10.17.2. Message: OperateResponse

Inherits: MeshResponse

[No fields]

11. Security Considerations

The security considerations for use and implementation of Mesh services and applications are described in the Mesh Security Considerations guide [draft-hallambaker-mesh-security].

12. IANA Considerations

All the IANA considerations for the Mesh documents are specified in this document.

13. Acknowledgements

A list of people who have contributed to the design of the Mesh is presented in [draft-hallambaker-mesh-architecture].

14. Normative References

[draft-hallambaker-jsonbcd]
Hallam-Baker, P., "Binary Encodings for JavaScript Object Notation: JSON-B, JSON-C, JSON-D", Work in Progress, Internet-Draft, draft-hallambaker-jsonbcd-24, <https://datatracker.ietf.org/doc/html/draft-hallambaker-jsonbcd-24>.
[draft-hallambaker-mesh-architecture]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part I: Architecture Guide", Work in Progress, Internet-Draft, draft-hallambaker-mesh-architecture-22, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-architecture-22>.
[draft-hallambaker-mesh-rud]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part VI: Reliable User Datagram", Work in Progress, Internet-Draft, draft-hallambaker-mesh-rud-03, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-rud-03>.
[draft-hallambaker-mesh-schema]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IV: Schema Reference", Work in Progress, Internet-Draft, draft-hallambaker-mesh-schema-12, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-schema-12>.
[draft-hallambaker-mesh-security]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part IX Security Considerations", Work in Progress, Internet-Draft, draft-hallambaker-mesh-security-09, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-security-09>.
[draft-hallambaker-mesh-udf]
Hallam-Baker, P., "Mathematical Mesh 3.0 Part II: Uniform Data Fingerprint.", Work in Progress, Internet-Draft, draft-hallambaker-mesh-udf-18, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-udf-18>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/rfc/rfc2119>.

15. Informative References

[draft-hallambaker-mesh-developer]
Hallam-Baker, P., "Mathematical Mesh: Reference Implementation", Work in Progress, Internet-Draft, draft-hallambaker-mesh-developer-11, <https://datatracker.ietf.org/doc/html/draft-hallambaker-mesh-developer-11>.

Author's Address

Phillip Hallam-Baker
ThresholdSecrets.com