# ASL/OCS/1 -- Offline Certificate System

Status: Draft

Owner: Architecture

Version: 0.1.0

SoT: No

Last Updated: 2025-01-17

Tags: [certificates, authority, offline]

**Document ID:** `ASL/OCS/1`

**Layer:** L2 -- Certificate semantics (no encoding)

**Depends on (normative):**

* `ASL/OFFLINE-ROOT-TRUST/1`
* `ASL/DAM/1`
* `ASL/POLICY-HASH/1`

**Informative references:**

* `PER/SIGNATURE/1` -- PER signature validation

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/OCS/1 defines certificate semantics as immutable artifacts. It does not define encodings.

---

## 1. Purpose

The Offline Certificate System (OCS) anchors domain authority in offline root keys and allows deterministic, offline verification of authority.

---

## 2. Core Principle

Certificates are **immutable ASL artifacts**, not live credentials.

They are:

* Signed once
* Snapshot-pinned
* Replayable
* Verified offline

---

## 3. Authority Certificate Artifact

### 3.1 Logical Structure

```text
AuthorityCertificate {
  subject_type   : enum { domain_root, principal }
  subject_id     : Hash
  subject_pubkey : PublicKey
  domain_id      : DomainID
  roles[]        : Role
  policy_hash    : Hash
  issued_by      : PublicKey
  version        : u32
}
```

### 3.2 Semantics

* `domain_root`: certifies a domain root key for DAM issuance.
* `principal`: certifies a principal key for roles under a policy hash.

---

## 4. Offline Signing Workflow

1. Online domain prepares an AuthorityRequest.
2. Offline root signs an AuthorityCertificate.
3. Certificate artifact is imported and snapshot-pinned.

No online checks are required after import.

---

## 5. DAM Validation Chain

A DAM is valid iff:

1. DAM root key is certified by a `domain_root` certificate.
2. Certificate `policy_hash` matches DAM `policy_hash`.
3. Certificate signature validates against the offline root set.

---

## 6. Revocation Model

There is no live revocation. Revocation is performed by publishing a new DAM and new certificates, and referencing them in new snapshots.

---

## 7. Federation Verification

When receiving state from another domain:

1. Load snapshot
2. Resolve DAM and AuthorityCertificate artifacts
3. Verify against configured offline root set
4. Apply policy hash compatibility rules
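
The following Go program is an added worked example, not code from the ASL project, that carries the artifact of section 3, the signing workflow of section 4, the validation chain of section 5 and the federation checks of section 7 through end to end. Everything this page leaves open is an assumption of the example: Ed25519 signatures and SHA-256 content hashes, `encoding/json` over the struct as the canonical signed form (the spec defines no encoding), a detached `Signature` field on the artifact, a two-field `DAM` stand-in holding only the root key and policy hash that section 5 consults, a `Snapshot` that pins both artifacts by content address, and exact policy-hash equality as the section 7 compatibility rule (ASL/POLICY-HASH/1 is not on this page). The keys in `main` are generated at run time for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type SubjectType string // the section 3.1 enum, spelled as in the spec
const SubjectDomainRoot, SubjectPrincipal SubjectType = "domain_root", "principal"
type Hash [32]byte                         // SHA-256 here; the spec fixes no hash algorithm
type RootSet map[string]bool               // configured offline root set, keyed by raw public key bytes
type Snapshot struct{ DAMID, CertID Hash } // pins both artifacts by content address

// Section 3.1 fields plus the root's detached signature (layout is an assumption).
type AuthorityCertificate struct {
	SubjectType   SubjectType
	SubjectID     Hash
	SubjectPubkey ed25519.PublicKey
	DomainID      string
	Roles         []string
	PolicyHash    Hash
	IssuedBy      ed25519.PublicKey
	Version       uint32
	Signature     []byte
}

// DAM is a minimal stand-in for ASL/DAM/1 carrying only what section 5 consults.
type DAM struct {
	RootKey    ed25519.PublicKey
	PolicyHash Hash
}

// mustJSON is the canonical encoding (assumption): encoding/json emits struct
// fields in declaration order, so equal values always give equal bytes.
func mustJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // unreachable for these field types
	}
	return b
}
// CanonicalBytes is the message the root signs: every field but the signature.
func (c AuthorityCertificate) CanonicalBytes() []byte {
	c.Signature = nil
	return mustJSON(c)
}
// ArtifactID is the content address a snapshot pins (workflow step 3); it covers the signature.
func (c AuthorityCertificate) ArtifactID() Hash {
	return sha256.Sum256(append(c.CanonicalBytes(), c.Signature...))
}
func (d DAM) ArtifactID() Hash { return sha256.Sum256(mustJSON(d)) }

// SignOffline is workflow step 2: the offline root signs the request once.
func SignOffline(root ed25519.PrivateKey, req AuthorityCertificate) AuthorityCertificate {
	req.IssuedBy = root.Public().(ed25519.PublicKey)
	req.Signature = ed25519.Sign(root, req.CanonicalBytes())
	return req
}

// ValidateDAM applies the three conditions of section 5, in order.
func ValidateDAM(dam DAM, cert AuthorityCertificate, roots RootSet) error {
	switch {
	case cert.SubjectType != SubjectDomainRoot || !cert.SubjectPubkey.Equal(dam.RootKey):
		return errors.New("DAM root key is not certified by a domain_root certificate")
	case cert.PolicyHash != dam.PolicyHash:
		return errors.New("certificate policy_hash does not match DAM policy_hash")
	case !roots[string(cert.IssuedBy)] || !ed25519.Verify(cert.IssuedBy, cert.CanonicalBytes(), cert.Signature):
		return errors.New("certificate signature does not validate against the offline root set")
	}
	return nil
}

// VerifyFederated is section 7 once the caller has resolved the pinned artifacts;
// policy compatibility is taken as exact equality with the local hash (assumption).
func VerifyFederated(snap Snapshot, dam DAM, cert AuthorityCertificate, roots RootSet, localPolicy Hash) error {
	if dam.ArtifactID() != snap.DAMID || cert.ArtifactID() != snap.CertID {
		return errors.New("resolved artifact does not match the pinned content address")
	}
	if err := ValidateDAM(dam, cert, roots); err != nil {
		return err
	}
	if dam.PolicyHash != localPolicy {
		return errors.New("policy hash is not compatible with the local policy")
	}
	return nil
}
func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // the offline root
	domPub, _, _ := ed25519.GenerateKey(rand.Reader)         // a domain root key
	policy := Hash(sha256.Sum256([]byte("policy-v1")))       // constructed policy hash
	cert := SignOffline(rootPriv, AuthorityCertificate{SubjectType: SubjectDomainRoot,
		SubjectPubkey: domPub, DomainID: "example", PolicyHash: policy, Version: 1})
	dam := DAM{RootKey: domPub, PolicyHash: policy}
	snap, roots := Snapshot{dam.ArtifactID(), cert.ArtifactID()}, RootSet{string(rootPub): true}
	fmt.Println("chain:", ValidateDAM(dam, cert, roots), "federation:", VerifyFederated(snap, dam, cert, roots, policy))
}
```

`go run` prints `<nil>` for both checks. The root-set lookup deliberately precedes `ed25519.Verify`: only keys that are in the configured set, and therefore well formed, ever reach the signature check, so an artifact from an unknown issuer is rejected without touching its signature. Because `ArtifactID` covers the signature, an edited or re-signed certificate is a different artifact with a different content address. That is what the section 6 model relies on: a snapshot that still pins the old ids keeps validating exactly as it did, and revocation shows up only as a newer snapshot pinning different ids.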

---

## 8. Summary

ASL/OCS/1 defines immutable authority certificates signed by offline roots and bound to policy hashes, enabling deterministic, offline trust validation.