HPPR Ring2 Authentication

© R.A.Sol

Ring2 is group-based authentication. Signer authorization is based on membership in the target group.

Request Envelope

Ring2 request form:

🖧: S.<hash>.H3
Seal-By: <member-vkey>
Seal-Sig: <signature>
🖧: P.<hash>.H3
Group: <target-group>
App: 🖧<COMMAND>
Location: <repo-name>/<session-id>
TAI: <tai>
🖧: B.<hash>.H3
Data-Length: <len>

<args>

Rules:

• Group is the target group, not repo
• Location is <repo>/<session-id>
• Seal-By must resolve to group membership
• non-members evaluate under Ring1 guest ACL fallback

Group Setup

Setup path:

//<group>/admin/setup/|/seal/<repo-vkey>

Setup packet is signed by repo-vkey.

Headers:

• Ring2-Name (must equal <group>)
• Ring2-Expire (optional)
• ACL-Rule (optional, repeatable)

Each ACL-Rule coordinate must start with //<group>/.

Pre-ACL Default

Before ACL rules, apply:

• r.. //<group>/admin/members/|

This grants read access to membership config.

Membership Config

Membership packets live at:

//<group>/admin/members/|/seal/<vkey>

Multiple packets may exist under different signers and versions.

Supported headers:

• Member: <vkey> [<tags>...]
• Member-Delegate: [<group>]|[<vkey>[/<tai>/<hash>]] [<mods>...]

Member

Adds one member key plus optional tags.

Member-Delegate

Delegates membership from another config source. Pipe separator | is required.

Defaults:

• omitted group means current group
• omitted vkey means signer of current packet

Pinned form:

• <vkey>/<tai>/<hash> pins to exact member packet version

Modifier:

• dynamic follows unpinned delegates

Tag modifiers:

• *: inherit all tags
• +tag: inherit tag if present
• tag: grant tag
• !tag: deny tag

Traversal is depth-first with max depth 8.

🖧MEMBERS

Returns expanded member list with tags.

Payload is a // URC.

Shorthand:

• //<group> expands to //<group>/admin/members/|/seal/<repo-vkey>

Response:

• LF-separated lines: <vkey> [<tags>...]
• sorted by vkey

Errors

Common Ring2 failures:

• HELLO_REQUIRED
• UNAUTHORIZED invalid signature
• UNAUTHORIZED not a member
• NOT_FOUND ring2 setup
• INVALID config
• INVALID session
• UNAUTHORIZED ring2