A Mesh profile is a digital document that contains a set of credentials and associated information. The use of Mesh profiles is similar to that of X.509/PKIX certificates and SAML assertions but with some important differences.
One of the most important differences is that PKIX is designed to describe the trust relationships within an organization, as defined by the organization itself, whereas Mesh profiles describe trust relationships that are defined by individual people for their own use.
In the PKIX hierarchy, the flow of trust is (conceptually) top down, flowing from the ultimate source of authority in the organization down to individual employees and assets owned by the organization.
The Mesh trust model is also hierarchical and top down but puts each individual in charge of their own personal security hierarchy.
- Profiles are not Certificates
  - Like PKIX certificates and SAML assertions, Mesh profiles are machine-readable assertions signed with a public key signature.
- Mesh profiles are dynamic, not static
  - A Mesh profile describes one particular aspect of the configuration of an individual's personal security environment. This means that, unlike certificates, Mesh profiles change over time.
- Mesh profiles do not have a predetermined expiry
  - A Mesh profile's value changes when a new value is published.
Types of Profile
Profiles are used to describe the different types of information in the Mesh:
- Device Profile
  - Device profiles contain descriptions of devices and the public device credentials issued to them.
- Application Profile
  - Application profiles contain descriptions of the configuration of a particular application such as email or SSH.
- Personal Profile
  - Personal profiles enumerate the set of device profiles and application profiles that a user has connected to their personal security environment.
In addition to the three profile types, there are two types of sub-profile. Sub-profiles are logically part of the main profile but are signed separately so as to allow them to be distributed independently.
- The master profile contains the core parts of a personal profile that are unchanging over time. This makes it possible for users to store the master profile portion of their personal profile in a form that minimizes the risk of compromise, so that it can serve as the basis for disaster recovery.
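As an added illustration of the properties listed above (a signed assertion with no expiry, superseded only when a newer value is published) and of the split between the unchanging master profile and the dynamic personal profile that enumerates device and application profiles, the following Go model is example code, not the Mesh reference implementation; its JSON layout, field names, `Sequence` counter and 8-byte fingerprint are assumptions made for the example, not the Mesh wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Signed is a JSON payload plus the Ed25519 signature over it (assumed layout, not the Mesh wire format).
type Signed struct{ Payload, Signature []byte }
// Master is the unchanging core of a personal profile: the master key rooting the
// hierarchy and the online key permitted to publish personal profiles under it.
type Master struct{ MasterKey, OnlineKey ed25519.PublicKey }
// Personal is the dynamic part: the connected device and application profiles, named by fingerprint.
type Personal struct{ Sequence uint64; Devices, Applications []string }
// Store is one master profile plus the latest accepted personal profile under it.
type Store struct{ Master Master; Current Personal }
// Fingerprint names a key by a short hash; the master key's is the user's offline trust anchor.
func Fingerprint(pk ed25519.PublicKey) string { h := sha256.Sum256(pk); return hex.EncodeToString(h[:8]) }
// Sign serialises v (plain structs here, so Marshal cannot fail) and signs the bytes with priv.
func Sign(priv ed25519.PrivateKey, v any) Signed {
	b, _ := json.Marshal(v)
	return Signed{b, ed25519.Sign(priv, b)}
}

// Verify checks that pk signed s and decodes its payload into out.
func Verify(pk ed25519.PublicKey, s Signed, out any) bool {
	return ed25519.Verify(pk, s.Payload, s.Signature) && json.Unmarshal(s.Payload, out) == nil
}

// Open accepts a master profile only if it is self-signed by the master key matching anchor.
func Open(anchor string, sm Signed) (*Store, bool) {
	var m Master
	if json.Unmarshal(sm.Payload, &m) != nil || Fingerprint(m.MasterKey) != anchor || !Verify(m.MasterKey, sm, &m) {
		return nil, false
	}
	return &Store{Master: m}, true
}

// Publish replaces the current personal profile only if the online key signed sp and its
// Sequence is newer: a profile is superseded by a newer publication, never by expiry.
func (st *Store) Publish(sp Signed) bool {
	var p Personal
	if !Verify(st.Master.OnlineKey, sp, &p) || p.Sequence <= st.Current.Sequence {
		return false
	}
	st.Current = p
	return true
}
```

To drive it, sign a `Master` with the master private key and pass its fingerprint to `Open`, then sign successive `Personal` values with the online key and hand them to `Publish`; a stale sequence number or a signature from any other key is refused.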