# CCITT X.509 (3)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_3.html
#
# Note:
# The protocol description also states that Xa and Ya should be fresh
# this can not be verified using scyther
#

usertype Timestamp;

protocol ccitt509-3(I,R)
{
    role I
    {
        fresh Ta: Timestamp;
        var Tb: Timestamp;
        fresh Na,Xa,Ya: Nonce;
        var Xb,Nb,Yb: Nonce;
        send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
        recv_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
        send_3(I,R, I, {Nb}sk(I));
        claim_I1(I,Nisynch);
        claim_I2(I,Secret,Ya);
        claim_I3(I,Secret,Yb);
    }    
    
    role R
    {
        var Ta: Timestamp;
        fresh Tb: Timestamp;
        var Na,Xa,Ya: Nonce;
        fresh Xb,Yb,Nb: Nonce;

        recv_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
        send_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
        recv_3(I,R, I, {Nb}sk(I));
        claim_R1(R,Nisynch);
        claim_R2(R,Secret,Ya);
        claim_R3(R,Secret,Yb);
        # There should also be Fresh Xa and Fresh Ya claims here
    }
}