niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Certificates.md

372 lines
5.6 KiB
Markdown
Raw Normal View History

Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00
This is the right moment to pin this down.
What follows is a **complete, staged, minimal certificate story** that fits *exactly* with what youve built so far — no PKI bloat, no premature abstraction, and no magical trust.
Ill walk it in **time order**, because *when* certificates exist matters more than *what* they are.
---
# Certificate Lifecycle in ASL (Walkthrough)
## 0. First principle (anchor this)
> **Certificates do not create authority.
> They record it.**
Authority already exists because:
* someone controls a machine
* someone controls a domain
* someone makes a decision
Certificates make that **legible and replayable**.
---
## 1. Phase 0 — Before Any Certificates Exist (Virgin State)
This is where your system starts.
### What exists
* ASL-HOST
* ASL-STORE
* Domains
* Logs
* Snapshots
* Artifacts
* PERs
### What does NOT exist
* No CA
* No identities
* No signatures
* No trust
Everything works anyway.
Artifacts are still immutable.
Receipts still exist.
Snapshots still reconstruct CURRENT.
This is important: **certificates are optional metadata**, not a dependency.
---
## 2. Phase 1 — Birth of an Authority (Offline Auth Host)
At some point, you decide:
> “This domain should be able to make statements that others may trust.”
This happens on the **offline auth host**.
---
### 2.1 Create the Root Authority (once)
This produces the **Root Authority Certificate**.
#### Root CA (ASL-ROOT)
* Self-signed
* Offline forever
* Never rotates casually
* Stored only on auth host
Conceptually:
```
ASL-ROOT
public_key
policy: may sign domain authorities
```
This is **not** a TLS CA.
It is a *semantic authority*.
---
### Where it is stored
* On disk (auth host):
```
/var/lib/asl/auth/root/
root.key (private, offline)
root.crt (artifact)
```
* As an ASL artifact:
```
artifact: root.crt
domain: auth-host
```
The **private key is never an artifact**.
---
## 3. Phase 2 — Domain Authority Certificates
Now the root creates **Domain Authorities**.
This is the most important certificate type.
---
### 3.1 Domain Authority (DA)
A **Domain Authority Certificate** binds:
```
(domain_id) → public_key → policy
```
Example:
```
alice.personal
```
Gets a DA certificate:
```
DA(alice.personal)
signed_by: ASL-ROOT
key: alice-domain-key
policy:
- may seal snapshots
- may publish artifacts
```
---
### Where DA certs live
* Stored as artifacts
* Stored **inside the domain they govern**
* Also optionally copied to Common
Example:
```
/var/lib/asl/domains/alice.personal/auth/domain.crt
```
This makes replay self-contained.
---
## 4. Phase 3 — Operational Keys (Actors)
Now we separate **authority** from **action**.
---
### 4.1 Operator / Host Certificates
These are **delegation certs**.
They answer:
> “Which machine / user is allowed to act for this domain?”
Examples:
* Rescue image
* Laptop
* CI node
* VM
They are **short-lived** and **revocable**.
```
OperatorCert
subject: host-id
acts-for: domain_id
signed_by: domain authority
scope:
- may write artifacts
- may append log
```
---
### Storage
* Stored in domain auth area
* Referenced by PERs
```
/var/lib/asl/domains/alice.personal/auth/operators/
```
---
## 5. Phase 4 — Signing Receipts and Snapshots
Now certificates begin to **matter operationally**.
---
### 5.1 What gets signed
1. **Snapshot seals**
2. **PERs (execution receipts)**
3. **Policy artifacts**
Never raw data blocks.
---
### 5.2 PER Signature Model
A PER includes:
```
PER:
inputs
program
outputs
snapshot_range
signer:
operator_cert_id
signature
```
This allows later verification:
* Who ran this?
* Under which authority?
* Against which snapshot?
---
## 6. Phase 5 — Federation and Trust
Now certificates cross domains.
---
### 6.1 Trust is explicit
A domain never trusts another domain implicitly.
Instead it stores a **Trust Artifact**:
```
"I trust domain X snapshots ≥ S
signed by DA(X)
under policy P"
```
This artifact can be:
* private
* group-shared
* published to Common
---
### 6.2 Commons role
Common may store:
* Root cert(s)
* Domain Authority certs
* Trust policies
But Common **does not enforce trust**.
It only witnesses it.
---
## 7. Certificate Types (Complete List)
Here is the full minimal set:
### 1. Root Authority Certificate
* Signs domain authorities
* Offline
* Rare
### 2. Domain Authority Certificate
* One per domain
* Signs snapshots, operators
* Long-lived
### 3. Operator / Host Certificate
* Acts-for a domain
* Short-lived
* Used in PERs
### 4. Trust Policy Artifact (not a cert, but signed)
* “I trust X for Y”
* Domain-local meaning
Thats it.
No user certs.
No TLS certs.
No global CA hierarchy.
---
## 8. What Happens During Rescue (Concrete)
Lets ground this.
### Rescue day
* Rescue domain exists
* No certs yet
* Everything works
### Later, you decide it matters
1. Create personal domain authority
2. Sign rescue snapshots retroactively
3. Publish selected artifacts
History remains valid — it just gains **witnesses**.
---
## 9. Why This Is Robust
* No cert = still works
* Lost cert = data still exists
* Revoked cert = history still readable
* Multiple roots = allowed
This avoids:
* “all-or-nothing PKI”
* bricked data
* forced trust
---
## 10. One sentence to remember
> **Certificates dont make things true.
> They make them accountable.**
---
If you want next, I can:
* Specify exact cert encoding (X.509-like vs custom)
* Show how certs are imported via USB
* Define revocation without CRLs
* Show how auth-host stays simple
Youre converging on a very clean trust model.
Reference in a new issue Copy permalink