
1. Definition 2. Functional Requirements 3. Syntax 4. Semantics

1 Definition

A structured set of metadata and cryptographic parameters that ensures the identity, secure transmission, integrity, and (optionally) encryption and timestamps of Data exchanged between AIF components (AIWs or AIMs).

2 Functional Requirements

2.1 Structure of the Security Object

The root Security object SHALL contain:

  • Header
  • Security (container for Identity, Transmission, Integrity, Encryption, Timestamps)

The root object SHALL reject any property not defined (additionalProperties = false).

2.2 Identity – Functional Requirements

The Identity object SHALL:

  • Require:
    • Issuer (URI)
  • May include:
    • CredentialType
    • CredentialRef
    • Source

Issuer

  • A URI identifying the authority or registry that issued the credential.

CredentialType

A string identifying the authentication credential type.
Allowed values:

  • x509
  • did
  • psk
  • custom

CredentialRef

Optional reference to credential material (certificate, DID Document, PSK reference, etc.).

Source

Describes the originator involved in the secured communication.
Each element of the Source array SHALL be one of:

  • An object containing:
    • AIMInstance → reference to AIMInstance.json
  • An object containing:
    • ProcessID → string

This aligns with the schema’s oneOf structure.

The Identity object SHALL disallow unknown properties (additionalProperties = false).

2.3 Transmission – Functional Requirements

The Transmission object SHALL:

  • Require:
    • Protocol
  • Define Protocol enum:
    • HTTPS
    • MQTT
    • CoAP
    • WebSocket
    • Custom
  • May include:
    • Version (string)
    • ChannelId (string)

This differs from the original web page (which used lowercase protocol, etc.); this aligned version uses the schema’s capitalised property names.

2.4 Integrity – Functional Requirements

The Integrity object SHALL:

  • Require:
    • Hash
  • May include:
    • Signature

Hash – Required

The Hash object SHALL:

  • Require fields:
    • Algorithm
    • Value

Algorithm enum:

  • SHA-256
  • SHA-384
  • SHA-512
  • BLAKE3
  • Custom

Value pattern:

A hex string matching:

^[A-Fa-f0-9]{16,}$

This ensures integrity protection by hashing.

Signature – Optional (but recommended)

If present, the Signature object SHALL require:

  • Algorithm
  • Value

Signature Algorithm enum:

Optional:

  • PublicKeyId
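
The requirements of 2.2 to 2.4 written as a receiver-side check; this is an added example, not part of the MPAI specification or its schema. It assumes the hash is computed over the raw payload bytes, which this page does not specify; `check_security` and the sample values are hypothetical names constructed for illustration, and treating BLAKE3 and Custom as unverifiable is a choice of this example.

```python
import hashlib
import hmac
import re

# Enumerations copied from sections 2.2 to 2.4 of this page.
CREDENTIAL_TYPES = ("x509", "did", "psk", "custom")
PROTOCOLS = ("HTTPS", "MQTT", "CoAP", "WebSocket", "Custom")
IDENTITY_KEYS = {"Issuer", "CredentialType", "CredentialRef", "Source"}
# Enum members the standard library can recompute; BLAKE3 and Custom need other code.
HASHLIB_NAMES = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
HASH_ALGORITHMS = tuple(HASHLIB_NAMES) + ("BLAKE3", "Custom")
# Applied with fullmatch: Python's "$" would also accept a trailing newline.
HEX_VALUE = re.compile(r"[A-Fa-f0-9]{16,}")


def check_security(identity, transmission, integrity, payload):
    """Return a list of violations; an empty list means every check passed."""
    errors = [f"Identity.{k} not allowed" for k in sorted(set(identity) - IDENTITY_KEYS)]
    if "Issuer" not in identity:
        errors.append("Identity.Issuer missing")
    if "CredentialType" in identity and identity["CredentialType"] not in CREDENTIAL_TYPES:
        errors.append("Identity.CredentialType not in enum")
    for src in identity.get("Source", []):
        if not isinstance(src, dict) or len({"AIMInstance", "ProcessID"} & set(src)) != 1:
            errors.append("Identity.Source element needs AIMInstance or ProcessID")
    if transmission.get("Protocol") not in PROTOCOLS:
        errors.append("Transmission.Protocol missing or not in enum")
    digest = integrity.get("Hash")
    if not isinstance(digest, dict) or not {"Algorithm", "Value"} <= set(digest):
        return errors + ["Integrity.Hash needs Algorithm and Value"]
    algorithm, value = digest["Algorithm"], digest["Value"]
    if algorithm not in HASH_ALGORITHMS:
        errors.append("Hash.Algorithm not in enum")
    elif not isinstance(value, str) or not HEX_VALUE.fullmatch(value):
        errors.append("Hash.Value does not match pattern")
    elif algorithm not in HASHLIB_NAMES:
        errors.append(f"Hash.Algorithm {algorithm} cannot be recomputed here")
    else:
        # The pattern accepts any hex string of 16+ characters, so recompute and compare.
        expected = hashlib.new(HASHLIB_NAMES[algorithm], payload).hexdigest()
        if not hmac.compare_digest(expected, value.lower()):
            errors.append("Hash.Value does not match payload digest")
    return errors

# Constructed sample input (not from the specification).
PAYLOAD = b"constructed sample payload"
IDENTITY = {"Issuer": "https://registry.example/issuer", "Source": [{"ProcessID": "aim-42"}]}
GOOD = {"Hash": {"Algorithm": "SHA-256", "Value": hashlib.sha256(PAYLOAD).hexdigest()}}
TRUNCATED = {"Hash": {"Algorithm": "SHA-256", "Value": GOOD["Hash"]["Value"][:16]}}
```

`TRUNCATED` satisfies the Value pattern but fails the digest comparison, which is why the pattern check alone is not treated as integrity verification here.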

2.5 Encryption – Functional Requirements (Optional)

The Encryption object MAY include:

  • Algorithm (enum):
    • AES-256-GCM
    • ChaCha20-Poly1305
    • RSA-OAEP
    • Custom
  • KeyId — identifier of encryption key
  • IV — initialization vector
  • AAD — Additional Authenticated Data
  • CiphertextRef — reference to where encrypted data is stored

All fields are optional.
This aligns with the schema.

2.6 Timestamps – Functional Requirements (Optional)

The Timestamps object MAY contain:

  • SignedAt: an OSD/V1.5 Time object
  • EncryptedAt: an OSD/V1.5 Time object

3 Syntax

https://schemas.mpai.community/AIF/V3.0/data/Security.json

4 Semantics

| Label | Description |
|---|---|
| Header | Versioned Security header: AIF-SEC-Vx.y. |
| SecurityData | Container for Identity, Transmission, Integrity, Encryption, Timestamps. |
| Identity.Source | Origin of the communication: AIMInstance or ProcessID. |
| Identity.Issuer | Credential authority URI. |
| Identity.CredentialType | Type of authentication credential (x509, did, psk, custom). |
| Identity.CredentialRef | Optional pointer to credential material. |
| Transmission.Protocol | Communication protocol used (HTTPS, MQTT, etc.). |
| Transmission.Version | Optional protocol version. |
| Transmission.ChannelId | Optional communication channel label. |
| Integrity.Hash | Required cryptographic hash of data. |
| Integrity.Signature | Optional digital signature proving authenticity. |
| Encryption | Optional encryption metadata for protected payloads. |
| Timestamps.SignedAt / EncryptedAt | Time metadata (OSD Time) for signing/encryption. |
