amduat-api/notes/Virgin Authority, Foreign Domains, and USB as a PEL Domain.md


Yes — that's exactly right, and what you just articulated is an **important missing conceptual layer**.
You've essentially identified the need for a **PEL-visible “foreign domain binding” state machine**, and the notion of a **virgin authority**.
I'll formalize this cleanly and minimally, without over-specifying.
---
# Virgin Authority, Foreign Domains, and USB as a PEL Domain
## 1. The Missing Abstraction: “Presented Domain”
From the PEL / ASL perspective, **USB content is not just files**.
It is one of:
1. A **presented domain**
2. A **domain admission request**
3. A **known foreign domain**
4. A **virgin domain**
This must be explicit, not inferred.
---
## 2. Domain States (Normative)
### 2.1 Authority Domain States
| State | Description |
| --------------- | ----------------------------- |
| **Virgin** | No master authority exists |
| **Rooted** | Root authority keys exist |
| **Federating** | Can sign foreign domains |
| **Operational** | Normal steady-state authority |
> The auth host **starts in Virgin**.
---
### 2.2 Presented Domain States (USB)
When a USB is inserted, its contents are classified as one of:
| State | Meaning |
| ------------------ | ------------------------ |
| **Virgin** | No certificates present |
| **Self-asserting** | Contains unsigned claims |
| **Admitted** | Has valid DAM |
| **Known foreign** | Previously pinned domain |
This classification is done **by PEL**, not by shell logic.
---
## 3. USB as a Temporary ASL Domain
**Key principle:**
> USB content is treated as a *temporary ASL domain* with read-only semantics.
Let's call it:
```
domain_id = PRESENTED::<hash(usb_fingerprint)>
```
Properties:
* Read-only
* No sealing allowed
* No GC
* No snapshots persisted
* Exists only for duration of execution
PEL can refer to:
```yaml
inputs:
  - domain: presented
    path: /REQUEST/input-artifacts
```
---
## 4. Virgin Authority Bootstrapping (First Ever Operation)
### 4.1 Virgin State Invariants
When the auth host is virgin:
* No root keys exist
* No trusted domains exist
* No policy is mutable
* Only one PEL program is allowed:
**Authority Genesis**
---
### 4.2 Authority Genesis PEL Program
Allowed exactly once.
```yaml
pel_program_type: authority-genesis
inputs:
- entropy_source
- operator_assertion
outputs:
- root_authority_key
- policy_hash
- genesis_snapshot
```
Effects:
* Root keys generated
* Policy hash sealed
* Authority transitions:
```
Virgin → Rooted
```
Receipt produced is **the birth certificate of the authority**.
---
## 5. Admission PEL Program (Foreign Domain Birth)
### 5.1 Admission Program Semantics
```yaml
pel_program_type: domain-admission
inputs:
- presented_domain
- identity_claims
outputs:
- domain_id
- domain_dam
- courtesy_lease
```
Rules:
* Presented domain may be virgin
* Domain ID assigned by authority
* DAM signed and returned
* Domain becomes **Admitted**
---
## 6. Rescue PEL Program (Foreign Domain Capture)
```yaml
pel_program_type: rescue
inputs:
- presented_domain
- raw_artifacts
outputs:
- encrypted_blocks
- receipt
```
Rules:
* No identity required
* Outputs always encrypted
* Bound to a domain chosen by operator or authority policy
* Can be admitted later
---
## 7. Known Foreign Domains (Trust Pinning)
Once a domain is admitted:
* Its DAM hash is pinned locally
* Future USBs presenting that domain are recognized
* PEL may allow richer operations
```yaml
foreign_domains:
- domain_id
- dam_hash
- trust_level: read-only | federated
```
---
## 8. Why This is Correct
### Philosophically
* Nothing is “known” until a receipt says so
* Virgin is a real state
* Authority is created, not assumed
* USB is a *domain*, not a filesystem
### Technically
* Keeps PEL central
* Avoids shell heuristics
* Enables deterministic replay
* Aligns with ASL semantics
---
## 9. Practical Implications for Implementation
You can implement **today**:
1. Domain state machine (virgin/rooted/operational)
2. USB classification via PEL pre-pass
3. Authority genesis as first program
4. Admission as normal PEL execution
5. Rescue as encrypted-only PEL execution
No need for:
* Networking
* Long-term federation
* Complex identity systems
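The authority state machine, presented-domain classification and trust pinning from sections 2 through 7, as an added example that is not part of this note or the amduat-api code. The program types and state labels come from the note; the SHA-256 fingerprint hash, the classification precedence, the `allowed`/`run` API and the stand-in DAM hash are assumptions.

```python
import hashlib
from enum import Enum
from typing import Optional, Set

class Authority(Enum):            # section 2.1; Federating/Operational omitted
    VIRGIN = "Virgin"
    ROOTED = "Rooted"

class Presented(Enum):            # section 2.2, USB content classification
    VIRGIN = "Virgin"
    SELF_ASSERTING = "Self-asserting"
    ADMITTED = "Admitted"
    KNOWN_FOREIGN = "Known foreign"

def presented_domain_id(usb_fingerprint: bytes) -> str:
    """domain_id = PRESENTED::<hash(usb_fingerprint)>; SHA-256 is an assumed choice."""
    return "PRESENTED::" + hashlib.sha256(usb_fingerprint).hexdigest()

def classify_presented(has_claims: bool, dam_hash: Optional[str],
                       dam_valid: bool, pinned: Set[str]) -> Presented:
    """Classify USB content. Precedence (pinned DAM > valid DAM > unsigned
    claims > nothing) is an assumption, not stated in the note."""
    if dam_hash is not None and dam_valid:
        return Presented.KNOWN_FOREIGN if dam_hash in pinned else Presented.ADMITTED
    if has_claims or dam_hash is not None:   # unsigned or unverifiable material
        return Presented.SELF_ASSERTING
    return Presented.VIRGIN

class AuthHost:
    """Auth host born Virgin; only PEL programs change its state."""
    def __init__(self) -> None:
        self.state = Authority.VIRGIN
        self.pinned: Set[str] = set()          # foreign_domains[].dam_hash

    def allowed(self, program_type: str) -> bool:
        if self.state is Authority.VIRGIN:
            return program_type == "authority-genesis"     # sole program while Virgin
        return program_type in ("domain-admission", "rescue")  # genesis never again

    def run(self, program_type: str, presented_id: str = "") -> str:
        if not self.allowed(program_type):
            raise PermissionError(f"{program_type} not allowed in state {self.state.value}")
        if program_type == "authority-genesis":
            self.state = Authority.ROOTED       # Virgin -> Rooted, exactly once
            return "genesis-receipt"            # the authority's birth certificate
        if program_type == "domain-admission":
            dam_hash = hashlib.sha256(presented_id.encode()).hexdigest()  # stand-in for signed DAM
            self.pinned.add(dam_hash)           # trust pinning (section 7)
            return dam_hash
        return "rescue-receipt"                 # rescue: no identity required
```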
---
## 10. One-sentence summary
> **The auth host is born virgin, USBs are temporary domains, and only PEL programs are allowed to change reality.**
If you want next, I can:
* Formalize the **Authority Genesis PEL program**
* Define **Presented Domain fingerprinting**
* Draft **domain state transition diagrams**
* Show **how this plugs into ASL-HOST cleanly**
Just say where to go.