# ASL/OFFLINE-ROOT-TRUST/1 -- Offline Root Trust

Status: Draft

Owner: Architecture

Version: 0.1.0

SoT: No

Last Updated: 2025-01-17

Tags: [trust, roots, offline, authority]

**Document ID:** `ASL/OFFLINE-ROOT-TRUST/1`

**Layer:** L2 -- Trust anchors (no encoding)

**Depends on (normative):**

* `ASL/DAM/1`

**Informative references:**

* `ASL/OCS/1` -- offline certificate system

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/OFFLINE-ROOT-TRUST/1 defines the **offline root trust model** for domains. It does not define encodings.

---

## 1. Purpose

Offline roots define domain legitimacy. They are held offline, their use is auditable, and verification against them is deterministic. They provide no availability guarantee: a root is never reachable at runtime, which is why the validation procedure in section 7 needs no online check.

---

## 2. Root Set Definition

A domain MUST trust a fixed, explicit set of offline root public keys:

```text
OfflineRootSet {
    version     : u32
    root_keys[] : PublicKey
    threshold   : u8
}
```

`threshold` is the number of distinct root keys whose signatures are required. A set whose threshold is 0 or exceeds the number of root keys can never be satisfied and should be rejected when the set is loaded, as should a set that lists the same key twice (a duplicate would let one root count twice toward the threshold).

The root set is snapshot-pinned and rarely changed.

---

## 3. Recommended Root Count

Recommended size: **1 to 3** root keys.

* 1 root: personal or small domains
* 2 roots: separation of duties
* 3 roots: high-value domains

Separation of duties comes from the threshold, not from the key count alone: two roots with threshold 1 give redundancy against the loss of one key, whereas threshold 2 requires both parties to sign.

---

## 4. Threshold Rules

* The default threshold is 1.
* If the threshold is greater than 1, it MUST be fixed and explicit in the root set.
* Verification MUST be order-independent: the outcome must not depend on the order in which root signatures are presented, and each root key counts at most once toward the threshold, so repeating one root's signature cannot stand in for a second root.

---

## 5. What Roots May Sign

Offline roots MAY sign only:

* AuthorityCertificate artifacts
* Root rotation artifacts
* Policy ratification artifacts (optional)

Roots MUST NOT sign any other artifact; in particular they MUST NOT sign PERs, snapshots, or TGK edges. Keeping roots out of the day-to-day signing path is what allows them to stay offline.

---

## 6. Root Rotation

Root rotation is a constitutional change:

1. Define the new root set (new `version`, `root_keys`, and `threshold`).
2. The old roots sign a rotation artifact that carries the new set, meeting the old set's threshold.
3. New snapshots reference the new root set.
4. Old snapshots remain valid: they still verify against the root set they reference.

Rotation is forward-only. It changes which set new snapshots are anchored to; it does not retroactively invalidate anything the old set already anchored. A practical check is that the new set's `version` is greater than the old one's, so that a stale rotation artifact cannot be replayed to roll the domain back.

---

## 7. Validation Algorithm

To validate authority:

1. Load the snapshot.
2. Resolve the DAM (`ASL/DAM/1`).
3. Resolve the AuthorityCertificate artifacts.
4. Verify each certificate's root signatures against the offline root set the snapshot references (the set at that version, not necessarily the current one).
5. Check the threshold: count the distinct root keys in that set with a valid signature and accept only if the count reaches `threshold`.

No timestamps or online checks are required, so the result is identical on every replay.

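The structures and checks of sections 2, 4, 5, 6 and 7 as one runnable Go example. This is an added illustration, not code from the ASL project: the `OfflineRootSet` and `Artifact` types, Ed25519 as the signature scheme, the domain-separated SHA-256 digest, and JSON as the body of a rotation artifact are all assumptions of the example (the document defines no encodings or algorithms). Artifact bodies are constructed stand-ins and keys are generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ArtifactKind gates what an offline root may sign; rootSignable is the section 5 allowlist.
type ArtifactKind uint8

const (
	KindAuthorityCertificate ArtifactKind = 1
	KindRootRotation         ArtifactKind = 2
	KindPolicyRatification   ArtifactKind = 3
)

var rootSignable = map[ArtifactKind]bool{KindAuthorityCertificate: true, KindRootRotation: true, KindPolicyRatification: true}

// OfflineRootSet mirrors the structure in section 2.
type OfflineRootSet struct {
	Version   uint32
	RootKeys  []ed25519.PublicKey
	Threshold uint8
}

// Validate rejects an unsatisfiable threshold, and malformed or duplicate keys (a duplicate would vote twice).
func (s OfflineRootSet) Validate() error {
	seen := map[string]bool{}
	for _, k := range s.RootKeys {
		if len(k) != ed25519.PublicKeySize || seen[string(k)] {
			return fmt.Errorf("root set v%d: malformed or duplicate root key", s.Version)
		}
		seen[string(k)] = true
	}
	if s.Threshold == 0 || int(s.Threshold) > len(s.RootKeys) {
		return fmt.Errorf("root set v%d: threshold %d unsatisfiable with %d keys", s.Version, s.Threshold, len(s.RootKeys))
	}
	return nil
}

// Artifact is a stand-in for a root-signable object (the real shape is out of scope here).
type Artifact struct {
	Kind       ArtifactKind
	Body       []byte
	Signatures map[string][]byte // keyed by raw public key: one slot per root, however often it signs
}

func (a Artifact) digest(rootSetVersion uint32) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "ASL/OFFLINE-ROOT-TRUST/1|%d|%d|", a.Kind, rootSetVersion) // binds kind and anchoring set; framing is an assumption
	h.Write(a.Body)
	return h.Sum(nil)
}

// Sign refuses the kinds section 5 forbids, then records one root signature anchored to rootSetVersion.
func (a *Artifact) Sign(priv ed25519.PrivateKey, rootSetVersion uint32) error {
	if !rootSignable[a.Kind] {
		return fmt.Errorf("offline roots must not sign artifact kind %d", a.Kind)
	}
	if a.Signatures == nil {
		a.Signatures = map[string][]byte{}
	}
	a.Signatures[string(priv.Public().(ed25519.PublicKey))] = ed25519.Sign(priv, a.digest(rootSetVersion))
	return nil
}

// VerifyThreshold is steps 4-5 of section 7, run with the root set the snapshot references. Walking the
// root set, not the signature map, makes the count order-independent and gives each root exactly one vote.
func (s OfflineRootSet) VerifyThreshold(a Artifact) error {
	if err := s.Validate(); err != nil {
		return err
	}
	d, votes := a.digest(s.Version), 0
	for _, k := range s.RootKeys {
		if ed25519.Verify(k, d, a.Signatures[string(k)]) { // keys outside the set are never consulted
			votes++
		}
	}
	if votes < int(s.Threshold) {
		return fmt.Errorf("%d valid root signatures, threshold is %d", votes, s.Threshold)
	}
	return nil
}

// Rotate is section 6: the old set, at its own threshold, ratifies the encoded new set and the version moves
// forward; the old set is untouched, so anything anchored to it still verifies. JSON body is an assumption.
func Rotate(old, next OfflineRootSet, rot Artifact) (OfflineRootSet, error) {
	want, _ := json.Marshal(next)
	if rot.Kind != KindRootRotation || string(rot.Body) != string(want) || next.Version <= old.Version {
		return old, fmt.Errorf("rotation: artifact does not ratify a root set newer than v%d", old.Version)
	}
	if err := next.Validate(); err != nil {
		return old, err
	}
	if err := old.VerifyThreshold(rot); err != nil {
		return old, fmt.Errorf("rotation: %w", err)
	}
	return next, nil
}
```

A verifier takes the root set version the snapshot references, loads that set, and calls `VerifyThreshold` on each AuthorityCertificate; an artifact anchored to version 1 produces a different digest under version 2, so it does not verify there even if the keys overlap. `Rotate` returns the new set only if the old roots ratified exactly that set at the old threshold and the version moved forward; the old set value is left as it was, which is what keeps old snapshots valid.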
---
## 8. Summary

ASL/OFFLINE-ROOT-TRUST/1 defines a small, explicit offline root set that anchors authority and preserves deterministic replay.