amduat-api/tier1/asl-auth-1.md

# ASL/AUTH/1 -- Authority, Certificates, and Trust Pins

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [authority, certificates, trust, policy]

**Document ID:** `ASL/AUTH/1`
**Layer:** L2 -- Authority and trust semantics (no transport)

**Depends on (normative):**

* `ASL/DAM/1`
* `ASL/OCS/1`
* `ASL/POLICY-HASH/1`
* `ASL/LOG/1`

**Informative references:**

* `ASL/OFFLINE-ROOT-TRUST/1`
* `ASL/DOMAIN-MODEL/1`
* `PER/SIGNATURE/1`

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/AUTH/1 defines authority, certificates, and trust pin semantics. It does not define encodings or transport.

---

## 1. Purpose

ASL/AUTH/1 defines how domains establish authority, how certificates record authority, and how foreign domains are pinned for trust.

---

## 2. First Principle (Normative)

Certificates do not create authority. They record it.

Authority exists because a domain controls its roots and DAM. Certificates make authority verifiable and replayable.

---

## 3. Certificate Lifecycle (Normative)

### 3.1 Virgin State

Before any certificates exist:

* Domains and logs exist.
* Artifacts and PERs exist.
* No authority is asserted or trusted.

### 3.2 Root Authority

A root authority certificate:

* Is self-signed.
* Is created offline.
* Is stored as an artifact (public component only).
* MUST NOT be used for runtime signing.

### 3.3 Domain Authority

A domain authority certificate binds:

* Domain identity
* Root public keys
* Policy hash

Domain authority certificates MUST be created offline and referenced by the domain DAM.

---

## 4. Trust Pins (Normative)

A trust pin is a local policy binding for a foreign domain.

Rules:

* Pins MUST include domain ID, policy hash, and root key fingerprint(s).
* Pins MUST be explicit and local; they do not imply reciprocity.
* Admission MUST verify pin compatibility before including foreign state.

---

## 5. PER Signing (Informative)

PER signatures MAY be required by policy. If required:

* The signing key MUST be authorized by the DAM.
* The signature MUST bind snapshot and logseq.
* Validation MUST follow `PER/SIGNATURE/1`.

---

## 6. Foreign Domain Trust (Normative)

Foreign domains are trusted only if:

1. The domain is admitted under ASL/DAP/1.
2. Its policy hash is compatible with local policy.
3. A trust pin exists matching the admitted domain.

---

## 7. Non-Goals

ASL/AUTH/1 does not define:

* Transport or replication protocols
* Certificate encodings
* Operational workflows for key custody
* Witness rotation procedures
Reorganize notes into tier1/ops docs 2026-01-17 10:33:23 +01:00			`# ASL/AUTH/1 -- Authority, Certificates, and Trust Pins`

			`Status: Draft`
			`Owner: Architecture`
			`Version: 0.1.0`
			`SoT: No`
			`Last Updated: 2025-01-17`
			`Tags: [authority, certificates, trust, policy]`

			Document ID: `ASL/AUTH/1`
			`Layer: L2 -- Authority and trust semantics (no transport)`

			`Depends on (normative):`

			* `ASL/DAM/1`
			* `ASL/OCS/1`
			* `ASL/POLICY-HASH/1`
			* `ASL/LOG/1`

			`Informative references:`

			* `ASL/OFFLINE-ROOT-TRUST/1`
			* `ASL/DOMAIN-MODEL/1`
			* `PER/SIGNATURE/1`

			`---`

			`## 0. Conventions`

			`The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.`

			`ASL/AUTH/1 defines authority, certificates, and trust pin semantics. It does not define encodings or transport.`

			`---`

			`## 1. Purpose`

			`ASL/AUTH/1 defines how domains establish authority, how certificates record authority, and how foreign domains are pinned for trust.`

			`---`

			`## 2. First Principle (Normative)`

			`Certificates do not create authority. They record it.`

			`Authority exists because a domain controls its roots and DAM. Certificates make authority verifiable and replayable.`

			`---`

			`## 3. Certificate Lifecycle (Normative)`

			`### 3.1 Virgin State`

			`Before any certificates exist:`

			`* Domains and logs exist.`
			`* Artifacts and PERs exist.`
			`* No authority is asserted or trusted.`

			`### 3.2 Root Authority`

			`A root authority certificate:`

			`* Is self-signed.`
			`* Is created offline.`
			`* Is stored as an artifact (public component only).`
			`* MUST NOT be used for runtime signing.`

			`### 3.3 Domain Authority`

			`A domain authority certificate binds:`

			`* Domain identity`
			`* Root public keys`
			`* Policy hash`

			`Domain authority certificates MUST be created offline and referenced by the domain DAM.`

			`---`

			`## 4. Trust Pins (Normative)`

			`A trust pin is a local policy binding for a foreign domain.`

			`Rules:`

			`* Pins MUST include domain ID, policy hash, and root key fingerprint(s).`
			`* Pins MUST be explicit and local; they do not imply reciprocity.`
			`* Admission MUST verify pin compatibility before including foreign state.`

			`---`

			`## 5. PER Signing (Informative)`

			`PER signatures MAY be required by policy. If required:`

			`* The signing key MUST be authorized by the DAM.`
			`* The signature MUST bind snapshot and logseq.`
			* Validation MUST follow `PER/SIGNATURE/1`.

			`---`

			`## 6. Foreign Domain Trust (Normative)`

			`Foreign domains are trusted only if:`

			`1. The domain is admitted under ASL/DAP/1.`
			`2. Its policy hash is compatible with local policy.`
			`3. A trust pin exists matching the admitted domain.`

			`---`

			`## 7. Non-Goals`

			`ASL/AUTH/1 does not define:`

			`* Transport or replication protocols`
			`* Certificate encodings`
			`* Operational workflows for key custody`
			`* Witness rotation procedures`