Format overview
DiME, the open and trust-based data format building secure Application-based Public-Key Infrastructures (APKIs) in a breeze.
Last updated
DiME, the open and trust-based data format building secure Application-based Public-Key Infrastructures (APKIs) in a breeze.
Last updated
The data format has been designed with inspiration from other modern data formats in use today. Major principles during design have been human readability and ease of use, this to support developers during implementation and making troubleshooting easier.
DiME works with envelopes that contains items and are protected by signatures on diffrent levels, and possibly by diffrent keys. Items may contain additional data like encrypted payloads or application-specific instructions.
A combination of plain text, JSON and Base64 encoding makes up a typical DiME item:
Although it may look cryptic, there is many details revealed just by a quick glance. First the header ‘Di’, stating this is a DiME envelope. Then, in this case, it is followed by ’MSG’, indicating there is an attached message item. The following Base64 encoded string can be quickly decoded to reveal easy to read JSON claims.
The decoded JSON claims contain information that is used to verify and process a DiME item. The claim ‘aud’ indicates the receiver (audience), whereas ‘exp’ (expires at) and ‘iat’ (issued at) specifies when the massage was created and when it will expire. All claims are human readable, including any dates.
The DiME data format specifies a series of components known as items. These include:
Envelope (Di)
Key (KEY)
Identity (ID)
Identity Issuing Request (IIR)
Data (DAT)
Message (MSG)
Tag (TAG)
The core element of Dime is the Envelope. Although a DiME item, it is more of a wrapping component. Envelopes come in two flavors, anonymous and signed. An anonymous envelope is just a simple way to string together several other Dime items in one easy to manage package. Whereas the signed envelope adds additional integrity protection for all included items inside the Dime envelope.
This item carries a cryptographic key, which could be a public key pair, a single public key, or a secret key. It includes metadata (claims) for the key. When carrying a public-key pair it forms the bases of an Application-based Public-Key Infrastructure.
The Identity item is the core of the authentication mechanisms built into Dime. This is in many ways similar to a X.509 certificate, as it contains information about the subject (holder), a public key, an optional trust chain, and at least one signature to both prove trust and protect the integrity of the information.
The Identity Issuing Request item serves the same purpose as a Certificate Signing Request (CSR) when using X.509 certificates. An entity that wishes to be included in a Dime-based trust chain creates an IIR and a trusted issuer then issue a new identity item and return it to the requesting entity. The returned identity item is then used by the requesting entity to authenticate withing the network.
The Data item is a simple carrier of binary data. Unlike Message there is no target audience and no support for End-To-End Encryption. This may be used to package data into a Dime envelope for integrity protection and trust and then distributed to multiple receivers.
The message item is used to transmit information inside a DiME-based network. Apart from integrity protection, messages support confidentiality-protected communication using End-To-End Encryption (E2EE), where only the issuer (sender) and the audience (receiver) can read the content.
Tag items makes it easy to quickly sign one or more DiME items without modifying the signed items. The tags can then be included in a DiME envelope or transmitted separately as proof of verification, reception, or processing.