2026-01-17 08:52:02 +01:00

# ASL/OFFLINE-ROOT-TRUST/1 -- Offline Root Trust

Status: Draft

Owner: Architecture

Version: 0.1.0

SoT: No

Last Updated: 2025-01-17

Tags: [trust, roots, offline, authority]

**Document ID:** `ASL/OFFLINE-ROOT-TRUST/1`

**Layer:** L2 -- Trust anchors (no encoding)

**Depends on (normative):**

* `ASL/DAM/1`

**Informative references:**

* `ASL/OCS/1` -- offline certificate system

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/OFFLINE-ROOT-TRUST/1 defines the **offline root trust model** for domains. It does not define encodings.

---

## 1. Purpose

Offline roots define domain legitimacy. They are offline, auditable, and deterministic. They do not provide availability guarantees.

---

## 2. Root Set Definition

A domain MUST trust a fixed, explicit set of offline root public keys:

```text
OfflineRootSet {
    version     : u32         // root set format version
    root_keys[] : PublicKey   // unique offline root public keys
    threshold   : u8          // root signatures required; 1 <= threshold <= len(root_keys[])
    reserved0   : u32         // MUST be 0
}
```

The root set is snapshot-pinned and rarely changed.

`reserved0` MUST be 0.

---

## 3. Recommended Root Count

Recommended size: **1 to 3** root keys.

* 1 root: personal or small domains
* 2 roots: separation of duties
* 3 roots: high-value domains

---

## 4. Threshold Rules

* Default threshold is 1.
* If threshold > 1, it MUST be fixed and explicit.
* Verification MUST be order-independent.
* Threshold MUST be <= number of `root_keys[]`.

---

## 5. What Roots May Sign

Offline roots MAY sign only:

* AuthorityCertificate artifacts
* Root rotation artifacts
* Policy ratification artifacts (optional)

Roots MUST NOT sign any other artifacts, including PERs, snapshots, or TGK edges.

---

## 6. Root Set Validation (Normative)

An OfflineRootSet is valid iff:

1. `root_keys[]` contains unique entries (no duplicates).
2. `threshold` is between 1 and `len(root_keys[])`, inclusive.
3. `version` is supported.
4. `reserved0` is 0.

---

## 7. Root Rotation

Root rotation is a constitutional change:

1. Define the new root set.
2. The old roots sign the rotation artifact.
3. New snapshots reference the new root set.
4. Old snapshots remain valid.

---

## 8. Validation Algorithm

To validate authority:

1. Load the snapshot.
2. Resolve the DAM.
3. Resolve the AuthorityCertificate artifacts.
4. Verify the certificates against the offline root set.
5. Check the threshold.

No timestamps or online checks are required.
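As an added example (not part of the spec or of any ASL implementation), the following Python checks an OfflineRootSet against the rules of section 6 and performs steps 4 and 5 above for one AuthorityCertificate, using the order-independent threshold count required by section 4. The signature scheme, `SUPPORTED_VERSIONS`, and the `demo_*` functions are assumptions, since the spec defines no encoding or algorithm.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Sequence

SUPPORTED_VERSIONS = {1}  # assumption: this verifier knows only root-set version 1
Verify = Callable[[bytes, bytes, bytes], bool]  # caller-supplied verify(pubkey, msg, sig)
Sigs = Sequence[tuple[bytes, bytes]]  # (signer public key, signature) pairs


@dataclass(frozen=True)
class OfflineRootSet:
    version: int
    root_keys: tuple[bytes, ...]  # opaque public keys; the spec fixes no encoding
    threshold: int = 1
    reserved0: int = 0


def validate_root_set(rs: OfflineRootSet) -> list[str]:
    """Section 6: return the failed rules; an empty list means the set is valid."""
    errors = []
    if len(set(rs.root_keys)) != len(rs.root_keys):
        errors.append("rule1: root_keys contains duplicates")
    if not 1 <= rs.threshold <= len(rs.root_keys):
        errors.append("rule2: threshold not in 1..len(root_keys)")
    if rs.version not in SUPPORTED_VERSIONS:
        errors.append("rule3: unsupported version")
    if rs.reserved0 != 0:
        errors.append("rule4: reserved0 must be 0")
    return errors


def count_root_signers(rs: OfflineRootSet, msg: bytes, sigs: Sigs, verify: Verify) -> int:
    """Section 4: distinct roots with a valid signature over msg. Order-independent;
    a root signing twice counts once; signatures from non-root keys are ignored."""
    signers: set[bytes] = set()
    for pubkey, sig in sigs:
        if pubkey in rs.root_keys and pubkey not in signers and verify(pubkey, msg, sig):
            signers.add(pubkey)
    return len(signers)


def authority_certificate_ok(rs: OfflineRootSet, msg: bytes, sigs: Sigs, verify: Verify) -> bool:
    """Section 8 steps 4-5: the root set must be valid and the threshold must be met."""
    return not validate_root_set(rs) and count_root_signers(rs, msg, sigs, verify) >= rs.threshold


# Constructed stand-in for a real signature scheme so the example runs offline: a
# "signature" is SHA-256(key || msg). It proves nothing; use Ed25519 or similar in practice.
def demo_sign(pubkey: bytes, msg: bytes) -> bytes:
    return hashlib.sha256(pubkey + msg).digest()


def demo_verify(pubkey: bytes, msg: bytes, sig: bytes) -> bool:
    return sig == demo_sign(pubkey, msg)
```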

---

## 9. Summary

ASL/OFFLINE-ROOT-TRUST/1 defines a small, explicit offline root set that anchors authority and preserves deterministic replay.