
Glossary

Canonical names and succinct definitions for terms used across polyproto specifications. Each entry links to its full treatment in the relevant spec.


Actor

A participant in the polyproto network that holds an identity, signs messages, and registers with home servers and service providers. Actors can be human or automated.

See: #4 Federated identity

Cache validity information

A signed bundle (cacheValidNotBefore, cacheValidNotAfter, cacheSignature, and optionally invalidatedAt) attached to an ID-Cert response that lets any caching intermediary verify the cert is genuine and up-to-date without contacting the home server directly.

See: #6.4.1 Verifying that a newly retrieved ID-Cert is not out of date
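The check a caching intermediary performs with this bundle, as an added example that is not polyproto's own code or its reference implementation. It assumes Ed25519 for the home server key and assumes a byte layout for the signed message (SHA-256 of the cert DER followed by the timestamps); the real polyproto encoding is defined in the spec, not here. The security point it shows is that the signature must cover every field the cache relies on, including the absence of invalidatedAt, so an intermediary cannot widen the window or strip an invalidation:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadCacheSignature = errors.New("cacheSignature does not verify under the home server key")
	ErrNotYetValid       = errors.New("now is before cacheValidNotBefore")
	ErrCacheStale        = errors.New("now is after cacheValidNotAfter: refetch from the home server")
	ErrCertInvalidated   = errors.New("ID-Cert was invalidated: invalidatedAt has passed")
)

// CacheValidity carries the fields named in the glossary entry.
type CacheValidity struct {
	CacheValidNotBefore time.Time
	CacheValidNotAfter  time.Time
	InvalidatedAt       *time.Time // optional
	CacheSignature      []byte
}

// signedPayload is the byte string the home server signs. The layout (hash of
// the cert DER, the two window timestamps as big-endian unix seconds, then a
// presence flag and value for invalidatedAt) is an assumption of this example,
// not the polyproto wire format. Every field the cache will act on is inside it.
func signedPayload(certDER []byte, nb, na time.Time, inv *time.Time) []byte {
	var b bytes.Buffer
	sum := sha256.Sum256(certDER)
	b.Write(sum[:])
	binary.Write(&b, binary.BigEndian, nb.Unix())
	binary.Write(&b, binary.BigEndian, na.Unix())
	if inv == nil {
		b.WriteByte(0)
	} else {
		b.WriteByte(1)
		binary.Write(&b, binary.BigEndian, inv.Unix())
	}
	return b.Bytes()
}

// SignCacheValidity is the home server side: it attaches the signed bundle to
// an ID-Cert response.
func SignCacheValidity(homePriv ed25519.PrivateKey, certDER []byte, nb, na time.Time, inv *time.Time) CacheValidity {
	return CacheValidity{
		CacheValidNotBefore: nb,
		CacheValidNotAfter:  na,
		InvalidatedAt:       inv,
		CacheSignature:      ed25519.Sign(homePriv, signedPayload(certDER, nb, na, inv)),
	}
}

// CheckCachedCert is what an intermediary runs before serving a cached cert,
// given the home server's public key. The signature is checked first, so no
// timestamp is trusted until it is known to be the home server's.
func CheckCachedCert(homePub ed25519.PublicKey, certDER []byte, cv CacheValidity, now time.Time) error {
	msg := signedPayload(certDER, cv.CacheValidNotBefore, cv.CacheValidNotAfter, cv.InvalidatedAt)
	if !ed25519.Verify(homePub, msg, cv.CacheSignature) {
		return ErrBadCacheSignature
	}
	if now.Before(cv.CacheValidNotBefore) {
		return ErrNotYetValid
	}
	if now.After(cv.CacheValidNotAfter) {
		return ErrCacheStale
	}
	if cv.InvalidatedAt != nil && !now.Before(*cv.InvalidatedAt) {
		return ErrCertInvalidated
	}
	return nil
}

func main() {
	homePub, homePriv, _ := ed25519.GenerateKey(nil)
	cert := []byte("constructed stand-in for an ID-Cert in DER form") // constructed sample input
	t0 := time.Unix(1_700_000_000, 0)
	inv := t0.Add(30 * time.Minute)
	cv := SignCacheValidity(homePriv, cert, t0, t0.Add(time.Hour), &inv)
	fmt.Println("at +10m:", CheckCachedCert(homePub, cert, cv, t0.Add(10*time.Minute)))
	fmt.Println("at +45m:", CheckCachedCert(homePub, cert, cv, t0.Add(45*time.Minute)))
	stripped := cv
	stripped.InvalidatedAt = nil // an intermediary trying to hide the invalidation
	fmt.Println("stripped:", CheckCachedCert(homePub, cert, stripped, t0.Add(45*time.Minute)))
}
```

The last call in main is the case worth remembering: dropping invalidatedAt does not make the cert valid again, it makes the bundle fail signature verification, which is the outcome a cache should get when any field has been altered.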

Challenge nonce

A cryptographically random, single-use string issued by the home server at the start of the sensitive action flow. The client binds it to an OIDC ID token to prove fresh interactive authentication.

See: #4.3.1 Challenge issuance

Challenge string

A short-lived, server-issued string (32–256 UTF-8 characters) that an actor signs with their private identity key to prove key possession to a server.

See: #4.4 Challenge strings

FID (Federation ID)

A globally unique actor identifier in the format localpart@domain.tld. The localpart is unique per instance; localpart and domain together identify an actor unambiguously across the federated network.

See: #5 Federation IDs (FIDs)

Foreign server

Any polyproto server that is not an actor's home server. Foreign servers can host services that actors register with, but do not manage actor identity or key certification.

See: #4.2.1 Authenticating on a foreign server

FSAT (Foreign Server Access Token)

An opaque, proprietary access token string issued by a foreign server, identifying an authenticated actor session on that server.

See: #4.2 Authentication

Gateway

The WebSocket server component of a polyproto server, used for real-time, bidirectional communication between actor clients and the server.

See: #3.2 WebSocket Protocol

Home server

The polyproto server where an actor's identity is anchored. The home server signs actor ID-Certs, manages SCIM-provisioned accounts, and acts as the OIDC Relying Party for its actors.

See: #4 Federated identity

HSAT (Home Server Access Token)

An OIDC access token issued by the home server's IdP, used to authenticate an actor session on that home server.

See: #4.2 Authentication

ID-Cert

An X.509 v3 certificate, signed by a home server's private key, attesting to the public identity key of an actor or home server. ID-Certs form the basis of message signing and verification in polyproto.

See: #6.1 Home server signed certificates for public entity identity keys (ID-Cert)

ID-CSR

A PKCS #10 Certificate Signing Request, with polyproto-specific requirements, that an actor submits to their home server in exchange for a new ID-Cert.

See: #6.1 Home server signed certificates for public entity identity keys (ID-Cert)

Identity migration

The process of transparently transferring ownership of an actor's identity and messages from one account (or home server) to another, consisting of setting up a redirect and optionally re-signing data.

See: #7.1 Identity migration

IdP (Identity Provider)

The OIDC Identity Provider responsible for authenticating actors and provisioning their accounts on a home server via SCIM.

See: #3.8 OpenID Connect (OIDC)

Key trial

The challenge-response mechanism used during foreign server authentication, where a server issues a challenge and the actor responds with a signature proving possession of their private identity key.

See: #4.2.1 Authenticating on a foreign server
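The challenge-string exchange behind a key trial, with both the server and the actor side, as an added example that covers the Challenge string and Key trial entries above. It is not polyproto's own code or its reference implementation; it assumes Ed25519 identity keys and a two-minute challenge lifetime, and it uses 48 random bytes encoded as base64url (64 characters) to stay inside the 32–256 character bound the glossary states. The server forgets a challenge the moment it is checked, so a captured signature cannot be replayed and a failed attempt cannot be retried against the same string:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
	"unicode/utf8"
)

// Length bounds for a challenge string, as stated in this glossary.
const (
	minChallengeChars = 32
	maxChallengeChars = 256
)

var (
	ErrUnknownChallenge = errors.New("challenge was not issued or has already been used")
	ErrExpiredChallenge = errors.New("challenge expired")
	ErrBadLength        = errors.New("challenge length outside 32–256 characters")
	ErrBadSignature     = errors.New("signature does not verify under the actor's identity key")
)

// ChallengeStore is the server side: every outstanding challenge is kept with
// its expiry so that each one can be consumed exactly once.
type ChallengeStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	pending map[string]time.Time // challenge string -> expiry
}

func NewChallengeStore(ttl time.Duration) *ChallengeStore {
	return &ChallengeStore{ttl: ttl, pending: make(map[string]time.Time)}
}

// Issue creates a fresh random challenge string and records when it expires.
func (s *ChallengeStore) Issue(now time.Time) (string, error) {
	buf := make([]byte, 48) // 48 random bytes -> 64 base64url characters
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	s.pending[c] = now.Add(s.ttl)
	s.mu.Unlock()
	return c, nil
}

// ValidChallengeLength counts runes, not bytes, because the bound is given in
// UTF-8 characters.
func ValidChallengeLength(c string) bool {
	n := utf8.RuneCountInString(c)
	return n >= minChallengeChars && n <= maxChallengeChars
}

// SignChallenge is the actor side: sign the exact challenge bytes with the
// private identity key whose public half is in the actor's ID-Cert.
func SignChallenge(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(challenge))
}

// Verify is the server side of the key trial. pub is the identity public key
// taken from the actor's ID-Cert. The challenge is removed from the store
// before any check runs, whether or not verification succeeds.
func (s *ChallengeStore) Verify(pub ed25519.PublicKey, challenge string, sig []byte, now time.Time) error {
	s.mu.Lock()
	expiry, ok := s.pending[challenge]
	delete(s.pending, challenge)
	s.mu.Unlock()
	if !ok {
		return ErrUnknownChallenge
	}
	if now.After(expiry) {
		return ErrExpiredChallenge
	}
	if !ValidChallengeLength(challenge) {
		return ErrBadLength
	}
	if !ed25519.Verify(pub, []byte(challenge), sig) {
		return ErrBadSignature
	}
	return nil
}

// RunKeyTrial wires both sides together for one round trip.
func RunKeyTrial(store *ChallengeStore, pub ed25519.PublicKey, priv ed25519.PrivateKey, now time.Time) error {
	c, err := store.Issue(now)
	if err != nil {
		return err
	}
	return store.Verify(pub, c, SignChallenge(priv, c), now)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the actor's identity key pair
	store := NewChallengeStore(2 * time.Minute)
	fmt.Println("key trial:", RunKeyTrial(store, pub, priv, time.Now()))
}
```

In a real deployment the public key passed to Verify comes from the actor's ID-Cert, which the foreign server has already validated against the home server's key; the key trial only proves that whoever is talking holds the matching private key.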

Localpart

The part of a FID before the @ separator (e.g. alice in alice@example.com). Must be unique per instance and ≤ 160 characters.

See: #5 Federation IDs (FIDs)

Message migration

The process of moving messages from one service provider to another in a tamper-resistant way, using re-signing to transfer message ownership.

See: #7 Migrations

p2 extension

A formal extension to the polyproto protocol that defines additional opcodes, routes, or services. p2 extensions interact with the core protocol through namespaces and can be officially endorsed by the polyproto maintainers.

See: #8 Protocol extensions (p2 extensions)

pDN (polyproto Distinguished Name)

A constrained subset of an X.509 Distinguished Name used in ID-Cert issuer and subject fields, specifying the actor's FID and session ID (for actor certs) or the server's domain (for home server certs).

See: #6.1.1.1 polyproto Distinguished Name (pDN)

Persona

A sub-identity of an actor, identified by a Persona ID (PID) scoped to that actor. Personas allow an actor to present different identities in different contexts.

See: #10 Personas

PID (Persona ID)

A short identifier (≤ 20 characters) scoped to an actor, used to identify one of their personas. The PID "root" is always reserved for the actor's root identity.

See: #10.1 Persona Identifiers (PID)

Primary service provider

The single server an actor designates as their canonical provider for a given p2 extension service. Changing the primary service provider is a sensitive action.

See: #9.1.1 Changing a primary service provider

RawR (Resource Addressing with Relative Roots)

A resource addressing scheme where resources are identified by a stable, server-independent identifier, allowing resources to remain addressable after account migration.

See: #7.3.1 Resource Addressing with Relative Roots

Redirect

An optional step in identity migration where an actor's old home server responds to requests for the old actor with an HTTP 307/308 pointing to the new actor, confirmed by both parties via key trials.

See: #7.1.1 Redirects

Re-signing

The process of replacing the signature on an existing message with a new signature from a different key, without altering message content, to transfer ownership or reduce the number of live keys.

See: #7.2 Re-signing messages

Sensitive action flow

The protocol flow that gates high-risk home server actions (e.g. generating or revoking an ID-Cert) behind a fresh OIDC ID token bound to a home server-issued challenge nonce.

See: #4.3 Sensitive actions

Sentient actor

An actor that is human or otherwise sentient. Sentient actors must authenticate via OIDC and receive UI-level notices about new sessions.

See: #3.8 OpenID Connect (OIDC)

Service provider

A server hosting a polyproto service (defined by a p2 extension) that actors can register with, independently of their home server.

See: #9 Services

Session

A single authenticated client connection, identified by a session ID and associated with exactly one ID-Cert and one active access token.

See: #6.1.1.3 Session IDs

Session ID

An ASN.1 IA5String (1–32 characters) chosen by the actor, embedded in an ID-Cert, uniquely identifying one session per actor.

See: #6.1.1.3 Session IDs
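A validator for the identifier formats defined in the FID, Localpart, PID and Session ID entries above, as an added example that is not polyproto's own code or its reference implementation. It enforces only what this page states (exactly one @ separator, localpart ≤ 160 characters, PID ≤ 20 characters with "root" reserved, session ID an IA5String of 1–32 characters); the hostname-style rules for the domain part are an assumption drawn from the localpart@domain.tld form, since the page does not spell out the domain syntax:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Length bounds as stated in this glossary.
const (
	maxLocalpartChars = 160
	maxPIDChars       = 20
	minSessionIDChars = 1
	maxSessionIDChars = 32
)

var (
	ErrFIDShape     = errors.New("FID must have the form localpart@domain.tld with exactly one @")
	ErrLocalpartLen = errors.New("localpart must be 1–160 characters")
	ErrDomainShape  = errors.New("domain must be a dotted hostname")
	ErrPIDLen       = errors.New("PID must be 1–20 characters")
	ErrSessionIDLen = errors.New("session ID must be 1–32 characters")
	ErrSessionIDIA5 = errors.New("session ID must be an IA5String (7-bit ASCII only)")
)

type FID struct {
	Localpart string
	Domain    string
}

// ParseFID splits on the single @ separator and applies the localpart bound.
// Exactly one @ is required so that a string like a@b@example.com cannot be
// read as two different identities by two different servers.
func ParseFID(s string) (FID, error) {
	parts := strings.Split(s, "@")
	if len(parts) != 2 {
		return FID{}, ErrFIDShape
	}
	lp, dom := parts[0], parts[1]
	if n := utf8.RuneCountInString(lp); n < 1 || n > maxLocalpartChars {
		return FID{}, ErrLocalpartLen
	}
	if !validDomain(dom) {
		return FID{}, ErrDomainShape
	}
	return FID{Localpart: lp, Domain: dom}, nil
}

// validDomain requires at least two non-empty labels of ASCII letters, digits
// and interior hyphens. Assumption: the page gives the form domain.tld but no
// character rules, so plain hostname rules are used here.
func validDomain(d string) bool {
	labels := strings.Split(d, ".")
	if len(labels) < 2 {
		return false
	}
	for _, l := range labels {
		if l == "" || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' {
			return false
		}
		for i := 0; i < len(l); i++ {
			c := l[i]
			alnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
			if !alnum && c != '-' {
				return false
			}
		}
	}
	return true
}

// ValidPID checks the 1–20 character bound. IsRootPID reports the reserved
// PID that names the actor's root identity rather than a persona.
func ValidPID(pid string) error {
	if n := utf8.RuneCountInString(pid); n < 1 || n > maxPIDChars {
		return ErrPIDLen
	}
	return nil
}

func IsRootPID(pid string) bool { return pid == "root" }

// ValidSessionID checks the IA5 restriction first (every byte 7-bit ASCII), so
// that for a valid value the byte count and the character count coincide.
func ValidSessionID(id string) error {
	for i := 0; i < len(id); i++ {
		if id[i] > 0x7F {
			return ErrSessionIDIA5
		}
	}
	if len(id) < minSessionIDChars || len(id) > maxSessionIDChars {
		return ErrSessionIDLen
	}
	return nil
}

func main() {
	// constructed sample inputs
	for _, s := range []string{"alice@example.com", "alice@example", "a@b@example.com"} {
		fid, err := ParseFID(s)
		fmt.Printf("%-20s -> %+v %v\n", s, fid, err)
	}
	fmt.Println("PID root reserved:", IsRootPID("root"), ValidPID("root"))
	fmt.Println("session ID:", ValidSessionID("laptop-01"), ValidSessionID("sé"))
}
```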