Skip to content

Commit

Permalink
Refactor section 6.1.1.1, define FID part names
Browse files Browse the repository at this point in the history
  • Loading branch information
@bitfl0wer
bitfl0wer committed Jan 9, 2025
1 parent 4f6241b commit d509863
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 40 deletions.
1 change: 1 addition & 0 deletions .vscode/ltex.dictionary.en-US.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,4 @@ TypeSpec
Protobuf
gzipped
RawR
OID
89 changes: 49 additions & 40 deletions docs/Protocol Specifications/core.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ of the specification document: **v0.1.0-alpha.1**
- [6. Cryptography and ID-Certs](#6-cryptography-and-id-certs)
- [6.1 Home server signed certificates for public client identity keys (ID-Cert)](#61-home-server-signed-certificates-for-public-client-identity-keys-id-cert)
- [6.1.1 Structure of an ID-Cert](#611-structure-of-an-id-cert)
- [6.1.1.1 Identity Descriptors (IDDs)](#6111-identity-descriptors-idds)
- [6.1.1.1 polyproto Distinguished Name (`pDN`)](#6111-polyproto-distinguished-name-pdn)
- [6.1.1.2 Extensions and constraints](#6112-extensions-and-constraints)
- [6.1.1.3 Session IDs](#6113-session-ids)
- [6.1.2 Necessity of ID-Certs](#612-necessity-of-id-certs)
Expand Down Expand Up @@ -385,11 +385,19 @@ excluding the new session. The `NEW_SESSION` event's stored data can be accessed
## 5. Federation IDs (FIDs)

Every client requires an associated actor identity. Actors are distinguished by a unique federation
ID (FID). FIDs consist of their identifier, which is unique per instance, and the instance's root domain.
ID (FID). FIDs consist of a local name, which is unique per instance, and the instance's root domain.
This combination ensures global uniqueness.

FIDs used in public contexts are formatted as `[email protected]`, and are case-insensitive.

FIDs consist of the following parts:

| Part | Name | Description |
| ------------------------------ | ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `actor` | "Local Name" or "Common Name" | Must be unique on each instance. |
| `@` | "Separator" | Separates local name from domain name |
| `optionalsubdomain.domain.tld` | "Domain Name" | Includes top-level domain, second-level domain and other subdomains. Address which the actors' home server can be reached at. |

The following regular expression can be used to validate actor IDs: `\b([a-z0-9._%+-]+)@([a-z0-9-]+(\.[a-z0-9-]+)*)`.

!!! info
Expand Down Expand Up @@ -429,8 +437,8 @@ client.
An ID-CSR includes the following information, according to the X.509 standard:

- The public identity key of the client.
- An identity descriptor (IDD), describing the actor the certificate is issued to. The IDD must be
formatted according to [Section 6.1.1.1](#6111-identity-descriptors-idds).
- A polyproto Distinguished Name (`pDN`), describing the actor the certificate is issued to. The `pDN`
must be formatted according to [Section 6.1.1.1](#6111-polyproto-distinguished-name-pdn).
- The signature algorithm used to sign the certificate.
- The signature of the certificate, generated by using the entities' private identity key.

Expand All @@ -457,47 +465,48 @@ ID-Certs encompass a subset of the structure of an X.509 certificate.

ID-Certs have the following structure:

| Field Description | Special requirements, if any | X.509 equivalent |
| -------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| Correctly formatted Name attribute, according to [#6.1.1.1](#6111-identity-descriptors-idds) | [Identity descriptor](#6111-identity-descriptors-idds) | Issuer Name |
| A unique identifier for the certificate, used by the CA to identify this certificate. | Must be unique across all certificates issued by a home server. | Serial Number |
| The algorithm used to sign the certificate. | | Certificate Signature Algorithm & Signature Algorithm ID |
| The signature of the certificate, generated by using the home servers' private identity key. | | Certificate Signature |
| The expiry date of the certificate. | Time must not be after expiry date of the home server's root certificate | Validity period: Not After |
| Certificate validity period starting date | Time must not be before the home server's root certificate was generated | Validity period: Not Before |
| X.509 Version Number (v3) | polyproto only uses Version 3 X.509 certificates. | Version Number |
| The public identity key of the client. | | Subject Public Key Info: Subject Public Key |
| The public key algorithm used to generate the client's public identity key. | | Subject Public Key Info: Public Key Algorithm |
| The session ID of the client. | No two valid certificates for one session ID can exist. Session IDs have to be unique per user. | Subject Unique Identifier |
| Extensions | [Extensions and Constraints](#6112-extensions-and-constraints) | Extensions |

##### 6.1.1.1 Identity Descriptors (IDDs)

polyproto Identity Descriptors are a subset of the X.509 certificate's distinguished name. [Distinguished
Names (`DNs`)](https://ldap.com/ldap-dns-and-rdns/), according to the LDAP Data Interchange Format (LDIF).
| Field Description | Special requirements, if any | X.509 equivalent |
| --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| Correctly formatted Name attribute, according to [#6.1.1.1](#6111-polyproto-distinguished-name-pdn) | [polyproto Distinguished Name](#6111-polyproto-distinguished-name-pdn) | Issuer Name |
| A unique identifier for the certificate, used by the CA to identify this certificate. | Must be unique across all certificates issued by a home server. | Serial Number |
| The algorithm used to sign the certificate. | | Certificate Signature Algorithm & Signature Algorithm ID |
| The signature of the certificate, generated by using the home servers' private identity key. | | Certificate Signature |
| The expiry date of the certificate. | Time must not be after expiry date of the home server's root certificate | Validity period: Not After |
| Certificate validity period starting date | Time must not be before the home server's root certificate was generated | Validity period: Not Before |
| X.509 Version Number (v3) | polyproto only uses Version 3 X.509 certificates. | Version Number |
| The public identity key of the client. | | Subject Public Key Info: Subject Public Key |
| The public key algorithm used to generate the client's public identity key. | | Subject Public Key Info: Public Key Algorithm |
| The session ID of the client. | No two valid certificates for one session ID can exist. Session IDs have to be unique per user. | Subject Unique Identifier |
| Extensions | [Extensions and Constraints](#6112-extensions-and-constraints) | Extensions |

##### 6.1.1.1 polyproto Distinguished Name (`pDN`)

polyproto Distinguished Names (`pDNs`) are a subset of an X.509 certificate's [distinguished
Names (`DNs`)](https://ldap.com/ldap-dns-and-rdns/), defined by the LDAP Data Interchange Format (LDIF).
The `DN` is a sequence of [relative distinguished names (`RDNs`)](https://ldap.com/ldap-dns-and-rdns/).

The identity descriptor must be unique for each certificate issued by a home server. The `DN` of an ID-Cert
must meet all of the following requirements:

- Identity descriptor (IDD) must have "common name" attribute. If the ID-Cert is for an actor, the
common name must be the local name of the actor. In the case of an actor with an FID of
`[email protected]`, the "common name" would be `xenia`. If the ID-Cert is a self-signed home server
certificate, the "common name" attribute must not be present.
- Must have at least one domain component, specifying the home servers' FQDN
(fully qualified domain name).
- If the ID-Cert or ID-CSR is for an actor, the IDD must include the `UID` (OID 0.9.2342.19200300.100.1.1)
**and** `uniqueIdentifier` (OID 0.9.2342.19200300.100.1.44) fields.
- `UID` is the federation ID of the actor, e.g. `actor@fqdn-of-home server.example.com`.
- `uniqueIdentifier` is a Session ID.
The identity descriptor must be unique for each certificate issued by a home server. A `pDN`
must meet all the following requirements:

- If the `pDN` describes an actor, it must have a "common name" attribute. The
common name must be the [local name](#5-federation-ids-fids) of the actor. In the case of an actor
with an FID of `[email protected]`, the local name would be `xenia`. If the `pDN` describes a
home server, the "common name" attribute must not be present.
- Must have at least one domain component `dc`, specifying the domain name under which the home
server can be reached. This includes the home servers' top- and second-level domain, as well as
all other subdomains, if present. If the home server does not have a sub- or top-level domain, the
`dc` fields for these components should be omitted.
- If the `pDN` describes an actor, the `pDN` must include the `UID`
([OID](https://en.wikipedia.org/wiki/Object_identifier) 0.9.2342.19200300.100.1.1) **and**
`uniqueIdentifier` ([OID](https://en.wikipedia.org/wiki/Object_identifier) 0.9.2342.19200300.100.1.44)
fields.
- `UID` field must be equal to the federation ID of the actor, e.g. `actor@domainname-of-home server.example.com`.
- `uniqueIdentifier` field must be a [Session ID](#6113-session-ids).
- Can have other attributes, if the additional attributes do not conflict with the above
requirements. Additional attributes might be ignored by other home servers and other clients, unless
specified otherwise in a polyproto extension. Additional attributes, which are not part of a polyproto
specified otherwise in a polyproto extension. Additional attributes not part of a polyproto
extension must be non-critical X.509 extensions.

If the home server does not have a subdomain or top level domain, the `dc` fields for these
components should be omitted.

##### 6.1.1.2 Extensions and constraints

The following constraints must be met by ID-Certs:
Expand Down Expand Up @@ -1406,7 +1415,7 @@ archive (.tar.gz) named `[email protected]`, where

- `export[numbers]` is the word `export` with 20 random digits appended to it
- `user` is the actors' name
- `subdomain.example.com` is the FQDN of the server the actor is registered on.
- `subdomain.example.com` is the domain name of the server the actor is registered on.

This file archive contains a file `messages.p2mb` which is a JSON file containing [message batches](#721-message-batches)
of all messages sent by the user. If the server where the data export was requested from has
Expand Down

0 comments on commit d509863

Please sign in to comment.