
1. Definition
2. Functional Requirements
3. Syntax
4. Semantics

1 Definition

A structured set of metadata and cryptographic parameters that carries the identity context, transmission context, integrity evidence, encryption parameters and timestamps of Data exchanged between AIF components (AIWs or AIMs).

2 Functional Requirements

2.1 General

The Security data type SHALL provide security‑related metadata associated with a Data Exchange between AIF components.

The Security object SHALL:

  • Bind security information to a Data Exchange
  • Support identity, transmission description, integrity protection, and optional security evidence
  • Be extensible only through explicitly defined properties

The root Security object SHALL reject any property not defined in the schema
(additionalProperties = false).

2.2 Required Structure

The Security object SHALL include the following mandatory properties:

  • Header
  • Identity
  • Transmission
  • Integrity

All other properties, including the Trace and DescrMetadata properties listed in the Semantics (Section 4), are optional and SHALL be interpreted only if present.

2.3 Header – Functional Requirements

The Header SHALL:

  • Be a string identifying the Security object version
  • Match the pattern ^AIF-SEC-Vx.y, where x.y is the version number (e.g. AIF-SEC-V1.0 for the schema referenced in Section 3)

2.4 Identity – Functional Requirements

The Identity object SHALL describe the identity context of the entity involved in the secured Data Exchange.

The Identity object SHALL:

  • Require:
    • Issuer
  • MAY include:
    • Source
    • CredentialType
    • CredentialRef

The Identity object SHALL reject undefined properties
(additionalProperties = false).

2.4.1 Issuer

Issuer SHALL be a URI identifying the authority or system that issued the identity credential.

2.4.2 Source

Source MAY describe the originator of the secured communication.

Each element of Source SHALL be one of:

  • A reference to AIMInstance.json, or
  • A URI identifying an entity or process

2.4.3 CredentialType

CredentialType SHALL identify the type of identity credential and SHALL use values defined in SecurityTaxonomy.json#/Identity.

2.4.4 CredentialRef

CredentialRef MAY be a URI referencing credential material associated with the identity.

2.5 Transmission – Functional Requirements

The Transmission object SHALL describe the transport context used for the Data Exchange.

The Transmission object SHALL:

  • Require:
    • Protocol
  • Define Protocol as one of:
    • HTTPS
    • MQTT
    • CoAP
    • WebSocket
    • Custom
  • MAY include:
    • Version
    • ChannelId

The Transmission object SHALL reject undefined properties.

2.6 Integrity – Functional Requirements

The Integrity object SHALL provide verifiable evidence that the Data Exchange has not been modified.

The Integrity object SHALL:

  • Require:
    • Hash
  • MAY include:
    • Signature

The Integrity object SHALL reject undefined properties.

2.6.1 Hash (Required)

The Hash object SHALL:

  • Require:
    • Algorithm
    • Value
  • Use Algorithm values defined in
    SecurityAlgorithmTaxonomy.json#/Hash
  • Require Value to be a hexadecimal string of length ≥ 64 characters (64 hexadecimal characters encode a 256‑bit digest; a verifier should additionally check that the length matches the digest size of the stated Algorithm, since the length bound alone does not)

2.6.2 Signature (Optional)

If present, the Signature object SHALL:

  • Require:
    • Algorithm
    • Value
  • MAY include:
    • PublicKeyId

The Signature Algorithm SHALL use values defined in
SecurityAlgorithmTaxonomy.json#/Signature.
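The following validator is an added example, not code from the MPAI specification or its schema files. It enforces the requirements of Sections 2.1 to 2.6 on a Security object (mandatory properties, additionalProperties = false on every object, the Header pattern, the Issuer URI, the Protocol enumeration, the UUID form of ChannelId, and the hexadecimal Hash.Value) and then recomputes the hash over the payload. Two things are assumed rather than taken from the page: the Algorithm identifiers "SHA-256", "SHA-384" and "SHA-512" stand in for whatever SecurityAlgorithmTaxonomy.json#/Hash actually defines, and Hash.Value is computed over the raw bytes of the exchanged Data. The sample Security object and payload are constructed for the example.

```python
import hashlib
import hmac
import re
import uuid
from urllib.parse import urlparse

# Assumed stand-ins for SecurityAlgorithmTaxonomy.json#/Hash: taxonomy value -> (hashlib name, hex length)
HASH_ALGORITHMS = {"SHA-256": ("sha256", 64), "SHA-384": ("sha384", 96), "SHA-512": ("sha512", 128)}
HEADER_RE = re.compile(r"^AIF-SEC-V\d+\.\d+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
PROTOCOLS = {"HTTPS", "MQTT", "CoAP", "WebSocket", "Custom"}

# Property sets from Sections 2.2-2.6 and 4; anything else is rejected (additionalProperties = false).
ROOT_PROPS = {"Header", "Identity", "Transmission", "Integrity", "Encryption", "Authentication",
              "Authorization", "Freshness", "Attestation", "AuditChainHash", "Timestamps",
              "Rights", "DataExchangeMetadata", "Trace", "DescrMetadata"}
ROOT_REQUIRED = {"Header", "Identity", "Transmission", "Integrity"}
IDENTITY_PROPS = {"Issuer", "Source", "CredentialType", "CredentialRef"}
TRANSMISSION_PROPS = {"Protocol", "Version", "ChannelId"}
INTEGRITY_PROPS = {"Hash", "Signature"}
HASH_PROPS = {"Algorithm", "Value"}
SIGNATURE_PROPS = {"Algorithm", "Value", "PublicKeyId"}


def _check_object(obj, name, allowed, required, errors):
    """Enforce object type, additionalProperties = false and the required property set."""
    if not isinstance(obj, dict):
        errors.append(f"{name}: must be an object")
        return False
    for extra in sorted(set(obj) - allowed):
        errors.append(f"{name}: undefined property {extra!r}")
    for missing in sorted(required - set(obj)):
        errors.append(f"{name}: missing required property {missing!r}")
    return True


def _is_uri(value):
    return isinstance(value, str) and bool(urlparse(value).scheme)


def validate_security(sec):
    """Return the list of violated requirements; an empty list means the object is valid."""
    errors = []
    if not _check_object(sec, "Security", ROOT_PROPS, ROOT_REQUIRED, errors):
        return errors

    header = sec.get("Header")
    if not isinstance(header, str) or not HEADER_RE.match(header):
        errors.append("Header: must match ^AIF-SEC-Vx.y")

    ident = sec.get("Identity")
    if ident is not None and _check_object(ident, "Identity", IDENTITY_PROPS, {"Issuer"}, errors):
        if "Issuer" in ident and not _is_uri(ident["Issuer"]):
            errors.append("Identity.Issuer: must be a URI")

    trans = sec.get("Transmission")
    if trans is not None and _check_object(trans, "Transmission", TRANSMISSION_PROPS, {"Protocol"}, errors):
        if trans.get("Protocol") not in PROTOCOLS:
            errors.append("Transmission.Protocol: must be one of HTTPS, MQTT, CoAP, WebSocket, Custom")
        if "ChannelId" in trans:
            try:
                uuid.UUID(str(trans["ChannelId"]))
            except ValueError:
                errors.append("Transmission.ChannelId: must be a UUID")

    integ = sec.get("Integrity")
    if integ is not None and _check_object(integ, "Integrity", INTEGRITY_PROPS, {"Hash"}, errors):
        h = integ.get("Hash")
        if h is not None and _check_object(h, "Integrity.Hash", HASH_PROPS, HASH_PROPS, errors):
            alg, val = h.get("Algorithm"), h.get("Value")
            if alg not in HASH_ALGORITHMS:
                errors.append("Integrity.Hash.Algorithm: not in SecurityAlgorithmTaxonomy.json#/Hash")
            elif not isinstance(val, str) or not HEX_RE.match(val) or len(val) < 64:
                errors.append("Integrity.Hash.Value: must be a hex string of at least 64 characters")
            elif len(val) != HASH_ALGORITHMS[alg][1]:
                # Stricter than the schema: the length must match the digest size of Algorithm.
                errors.append("Integrity.Hash.Value: length does not match the digest size of Algorithm")
        sig = integ.get("Signature")
        if sig is not None:
            _check_object(sig, "Integrity.Signature", SIGNATURE_PROPS, {"Algorithm", "Value"}, errors)
    return errors


def verify_hash(sec, payload):
    """Recompute Integrity.Hash over the payload bytes and compare it in constant time."""
    h = sec["Integrity"]["Hash"]
    digest_name, _ = HASH_ALGORITHMS[h["Algorithm"]]
    expected = hashlib.new(digest_name, payload).hexdigest()
    return hmac.compare_digest(expected, h["Value"].lower())


# Constructed sample Data and a matching Security object (not taken from the specification).
PAYLOAD = b'{"Text": "hello from AIM-A"}'
SAMPLE = {
    "Header": "AIF-SEC-V1.0",
    "Identity": {"Issuer": "https://issuer.example/aif", "Source": ["https://aim-a.example/instance"]},
    "Transmission": {"Protocol": "HTTPS", "Version": "1.1", "ChannelId": "123e4567-e89b-12d3-a456-426614174000"},
    "Integrity": {"Hash": {"Algorithm": "SHA-256", "Value": hashlib.sha256(PAYLOAD).hexdigest()}},
}

if __name__ == "__main__":
    print("violations:", validate_security(SAMPLE))
    print("hash verifies:", verify_hash(SAMPLE, PAYLOAD))
```

Schema validation is deliberately separated from hash verification: a receiver should reject a structurally invalid object before it touches the payload, and the hash comparison uses hmac.compare_digest so that a forged Value cannot be probed byte by byte through timing.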

2.7 Encryption – Functional Requirements (Optional)

The Encryption object MAY describe confidentiality protection applied to the Data Exchange.

If present, Encryption MAY include:

  • Algorithm (from SecurityAlgorithmTaxonomy.json#/AEAD)
  • KeyId
  • IV
  • AAD
  • CiphertextRef

The Encryption object SHALL reject undefined properties.

2.8 Authentication – Functional Requirements (Optional)

The Authentication object MAY provide evidence authenticating the sender.

If present, Authentication MAY include:

  • Token
  • Format
  • Trace

Format SHALL reference SecurityTaxonomy.json#/Authentication.

2.9 Authorization – Functional Requirements (Optional)

The Authorization object MAY provide evidence of authorization decisions.

If present, Authorization MAY include:

  • SignedDecision
  • Format
  • Trace

Format SHALL reference SecurityTaxonomy.json#/Authorization.

2.10 Freshness – Functional Requirements (Optional)

The Freshness object MAY provide replay‑protection evidence.

If present, Freshness MAY include:

  • Nonce
  • Sequence
  • Timestamp
  • Format
  • Trace

Format SHALL reference SecurityTaxonomy.json#/Freshness.
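The Freshness object only carries evidence; replay protection comes from how the receiver checks it. The class below is an added example (not part of the specification) of receiver-side checks for the three properties above: a Nonce is accepted once per channel, a Sequence must strictly increase per channel, and a Timestamp must fall within a skew window around the receiver's clock. State is committed only after every check passes, so a rejected message cannot burn a nonce or sequence number. Assumptions not stated on the page: Timestamp is an ISO 8601 string with a UTC offset, Sequence is an integer, and state is keyed by Transmission.ChannelId. The messages and channel identifier are constructed for the example.

```python
from collections import OrderedDict
from datetime import datetime, timedelta, timezone


class ReplayGuard:
    """Receiver-side state for checking Freshness evidence on one AIF component.

    Assumptions (not stated in the specification): Freshness.Timestamp is an ISO 8601
    string with a UTC offset, Freshness.Sequence is an integer that must strictly
    increase per channel, and replay state is kept per Transmission.ChannelId.
    """

    def __init__(self, max_skew=timedelta(seconds=30), nonce_cache_size=10_000):
        self.max_skew = max_skew
        self.nonce_cache_size = nonce_cache_size
        self._nonces = {}     # channel -> OrderedDict of nonces already accepted
        self._last_seq = {}   # channel -> highest accepted Sequence

    def check(self, channel_id, freshness, now):
        """Return (accepted, reason). State is updated only when the message is accepted."""
        if not isinstance(freshness, dict):
            return False, "Freshness missing"
        nonce = freshness.get("Nonce")
        seq = freshness.get("Sequence")
        ts = freshness.get("Timestamp")
        if nonce is None and seq is None and ts is None:
            return False, "no replay-protection evidence present"

        cache = self._nonces.setdefault(channel_id, OrderedDict())
        if nonce is not None and nonce in cache:
            return False, "Nonce already seen on this channel"

        if seq is not None:
            if not isinstance(seq, int):
                return False, "Sequence must be an integer"
            last = self._last_seq.get(channel_id)
            if last is not None and seq <= last:
                return False, f"Sequence {seq} not greater than last accepted {last}"

        if ts is not None:
            try:
                t = datetime.fromisoformat(ts)
            except (TypeError, ValueError):
                return False, "Timestamp is not ISO 8601"
            if t.tzinfo is None:
                return False, "Timestamp must carry a UTC offset"
            if abs(now - t) > self.max_skew:
                return False, "Timestamp outside the acceptance window"

        # All checks passed: commit the state so the same evidence cannot be reused.
        if seq is not None:
            self._last_seq[channel_id] = seq
        if nonce is not None:
            cache[nonce] = None
            while len(cache) > self.nonce_cache_size:
                cache.popitem(last=False)   # evict the oldest nonce
        return True, "ok"


# Constructed sample: three messages on one channel; the second is a replay of the first,
# the third carries a fresh nonce and sequence number but a stale timestamp.
CHANNEL = "123e4567-e89b-12d3-a456-426614174000"
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
MESSAGES = [
    {"Nonce": "b7e1f3", "Sequence": 1, "Timestamp": "2025-01-01T12:00:05+00:00"},
    {"Nonce": "b7e1f3", "Sequence": 1, "Timestamp": "2025-01-01T12:00:05+00:00"},
    {"Nonce": "9c04aa", "Sequence": 2, "Timestamp": "2025-01-01T11:45:00+00:00"},
]


def run_sample():
    """Feed MESSAGES through a fresh guard and return the list of (accepted, reason) verdicts."""
    guard = ReplayGuard()
    return [guard.check(CHANNEL, m, NOW) for m in MESSAGES]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The nonce cache is bounded, which is why the timestamp window matters: once a nonce has been evicted, only the window stops an attacker from replaying an old message whose nonce is no longer remembered. Choose the cache size so that every nonce that can still fall inside the window is retained.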

2.11 Attestation – Functional Requirements (Optional)

The Attestation object MAY provide evidence about the execution environment.

If present, Attestation MAY include:

  • Evidence
  • Format
  • Trace

Format SHALL reference SecurityTaxonomy.json#/Attestation.

2.12 AuditChainHash – Functional Requirements (Optional)

AuditChainHash MAY provide a hash linking this Security object to a tamper‑evident audit chain.
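The page fixes neither the hash construction nor the input encoding for AuditChainHash, so the following is an added example of one way to build and verify such a chain, not the specification's own definition. It assumes SHA‑256 over the previous link concatenated with a canonical JSON serialisation of the Security object (with its own AuditChainHash field excluded), starting from an all‑zero genesis link. Verification reports the index of the first record whose link no longer matches, which is what makes the chain tamper‑evident: altering, removing or reordering a record breaks every link from that point on. The three Security objects are constructed for the example.

```python
import hashlib
import json


def canonical_bytes(obj):
    """Deterministic JSON serialisation so every party hashes the same bytes (assumed convention)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def chain_hash(previous_hash, security_obj):
    """AuditChainHash for one Security object: SHA-256 over previous link || canonical object.

    The object is hashed without its own AuditChainHash field so the value can be filled
    in afterwards. The construction is assumed for this example; the specification does
    not fix the algorithm or the input encoding.
    """
    body = {k: v for k, v in security_obj.items() if k != "AuditChainHash"}
    return hashlib.sha256(bytes.fromhex(previous_hash) + canonical_bytes(body)).hexdigest()


GENESIS = "00" * 32   # constructed starting link for a new chain


def link_chain(security_objs, genesis=GENESIS):
    """Fill in AuditChainHash on each object in order; returns new dicts and leaves the inputs untouched."""
    linked, prev = [], genesis
    for obj in security_objs:
        h = chain_hash(prev, obj)
        linked.append({**obj, "AuditChainHash": h})
        prev = h
    return linked


def verify_chain(security_objs, genesis=GENESIS):
    """Return (ok, index_of_first_bad_link); the index is None when the chain is intact."""
    prev = genesis
    for i, obj in enumerate(security_objs):
        claimed = obj.get("AuditChainHash")
        if claimed != chain_hash(prev, obj):
            return False, i
        prev = claimed
    return True, None


def sample_objects():
    """Constructed sample: three minimal Security objects protecting three payloads on one channel."""
    base = {"Header": "AIF-SEC-V1.0",
            "Identity": {"Issuer": "https://issuer.example/aif"},
            "Transmission": {"Protocol": "MQTT"}}
    return [{**base, "Integrity": {"Hash": {"Algorithm": "SHA-256", "Value": hashlib.sha256(p).hexdigest()}}}
            for p in (b"msg-1", b"msg-2", b"msg-3")]


if __name__ == "__main__":
    chain = link_chain(sample_objects())
    print(verify_chain(chain))
    chain[1]["Integrity"]["Hash"]["Value"] = "ff" * 32   # tamper with the middle record
    print(verify_chain(chain))
```

A chain only proves that the records have not changed since the verifier last saw the head link; it does not by itself prove who wrote them. Anchoring the current head in the Signature of the latest Security object, or publishing it to a party the writer does not control, closes that gap.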

2.13 Timestamps – Functional Requirements (Optional)

The Timestamps object MAY include:

  • SignedAt
  • EncryptedAt

Each timestamp SHALL be an OSD Time object.

2.14 Rights – Functional Requirements (Optional)

The Rights property MAY specify usage rights associated with the secured Data Exchange.

2.15 DataExchangeMetadata – Functional Requirements (Optional)

DataExchangeMetadata MAY reference the Data Exchange Metadata object protected by this Security object.

3 Syntax

https://mpai.community/schemas/AIF/V1.0/Security.json

4 Semantics

Label Description
Header Identifies the version of the Security object; a string of the form AIF‑SEC‑Vx.y.
Identity Describes the identity context associated with the secured Data Exchange.
– Source Identifies the AIMInstance or entity involved in the secured communication.
– Issuer URI identifying the authority that issued the identity credential.
– CredentialType Type of identity credential, drawn from the Security Evidence Taxonomy.
– CredentialRef URI referencing the credential material.
Transmission Describes the transport context of the secured Data Exchange.
– Protocol Transport protocol used (HTTPS, MQTT, CoAP, WebSocket, Custom).
– Version Version identifier of the transport protocol.
– ChannelId UUID identifying the communication channel.
Integrity Contains evidence proving that the Data Exchange has not been altered.
– Hash Hash‑based integrity evidence.
– – Algorithm Hash algorithm used, from the Security Algorithm Taxonomy.
– – Value Hexadecimal hash value computed over protected data.
– Signature Signature‑based integrity evidence.
– – Algorithm Signature algorithm used, from the Security Algorithm Taxonomy.
– – Value Base64‑encoded digital signature.
– – PublicKeyId URI identifying the public key used for verification.
Encryption Contains information required to decrypt protected data.
– Algorithm AEAD encryption algorithm used.
– KeyId Identifier of the encryption key.
– IV Initialization vector.
– AAD Additional authenticated data.
– CiphertextRef URI referencing encrypted payload.
Authentication Contains evidence authenticating the sender.
– Token Authentication token.
– Format Authentication evidence type from the Security Evidence Taxonomy.
– Trace Provenance information for authentication evidence.
Authorization Contains evidence of authorization decisions.
– SignedDecision Signed authorization assertion.
– Format Authorization evidence type from the Security Evidence Taxonomy.
– Trace Provenance information for authorization evidence.
Freshness Contains replay‑protection information.
– Nonce One‑time value for replay prevention.
– Sequence Monotonic sequence number.
– Timestamp Time associated with freshness evidence.
– Format Freshness mechanism type from the Security Evidence Taxonomy.
– Trace Provenance information for freshness evidence.
Attestation Contains evidence about the execution environment.
– Evidence Attestation token.
– Format Attestation mechanism type from the Security Evidence Taxonomy.
– Trace Provenance information for attestation evidence.
AuditChainHash Hash value linking to a tamper‑evident audit chain.
Timestamps Contains timestamps for security operations.
– SignedAt Time when signature was created.
– EncryptedAt Time when encryption was applied.
Rights Rights associated with the secured Data Exchange.
DataExchangeMetadata Reference to the protected Data Exchange Metadata object.
Trace Provenance information for the Security object.
DescrMetadata Human‑readable descriptive metadata.
