# ASL/AUTH/1 -- Authority, Certificates, and Trust Pins

* Status: Draft
* Owner: Architecture
* Version: 0.1.0
* SoT: No
* Last Updated: 2025-01-17
* Tags: [authority, certificates, trust, policy]

**Document ID:** `ASL/AUTH/1`

**Layer:** L2 -- Authority and trust semantics (no transport)

**Depends on (normative):**

* `ASL/DAM/1`
* `ASL/OCS/1`
* `ASL/POLICY-HASH/1`
* `ASL/LOG/1`

**Informative references:**

* `ASL/OFFLINE-ROOT-TRUST/1`
* `ASL/DOMAIN-MODEL/1`
* `PER/SIGNATURE/1`

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/AUTH/1 defines authority, certificates, and trust pin semantics. It does not define encodings or transport.

---

## 1. Purpose

ASL/AUTH/1 defines how domains establish authority, how certificates record authority, and how foreign domains are pinned for trust.

---

## 2. First Principle (Normative)

Certificates do not create authority. They record it.

Authority exists because a domain controls its roots and DAM. Certificates make authority verifiable and replayable.

---

## 3. Certificate Lifecycle (Normative)

### 3.1 Virgin State

Before any certificates exist:

* Domains and logs exist.
* Artifacts and PERs exist.
* No authority is asserted or trusted.

### 3.2 Root Authority

A root authority certificate:

* Is self-signed.
* Is created offline.
* Is stored as an artifact (public component only).
* MUST NOT be used for runtime signing.

### 3.3 Domain Authority

A domain authority certificate binds:

* Domain identity
* Root public keys
* Policy hash

Domain authority certificates MUST be created offline and referenced by the domain DAM.

---

## 4. Trust Pins (Normative)

A trust pin is a local policy binding for a foreign domain.

Rules:

* Pins MUST include domain ID, policy hash, and root key fingerprint(s).
* Pins MUST be explicit and local; they do not imply reciprocity.
* Admission MUST verify pin compatibility before including foreign state.

---

## 5. PER Signing (Informative)

PER signatures MAY be required by policy. If required:

* The signing key MUST be authorized by the DAM.
* The signature MUST bind snapshot and logseq.
* Validation MUST follow `PER/SIGNATURE/1`.

---

## 6. Foreign Domain Trust (Normative)

Foreign domains are trusted only if:

1. The domain is admitted under ASL/DAP/1.
2. Its policy hash is compatible with local policy.
3. A trust pin exists matching the admitted domain.

---

## 7. Non-Goals

ASL/AUTH/1 does not define:

* Transport or replication protocols
* Certificate encodings
* Operational workflows for key custody
* Witness rotation procedures
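The pin-compatibility check that sections 4 and 6 require of admission, as an added worked example that is not part of ASL/AUTH/1 or any ASL implementation. It assumes a pin and certificate shape (domain ID, policy hash, root key fingerprints), treats the policy hash as an opaque string compared for equality, uses hex SHA-256 of the raw public key bytes as the fingerprint scheme, and takes the conservative reading that every root key a foreign certificate presents must be pinned; all sample keys and hashes are constructed.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class TrustPin:
    """Local pin for a foreign domain (ASL/AUTH/1 section 4). Field shapes are assumed."""
    domain_id: str
    policy_hash: str               # opaque value per ASL/POLICY-HASH/1 (assumed: compared for equality)
    root_fingerprints: frozenset   # fingerprints of the foreign domain's pinned root public keys

@dataclass(frozen=True)
class DomainAuthorityCert:
    """What the foreign domain presents (section 3.3): identity, root keys, policy hash."""
    domain_id: str
    policy_hash: str
    root_public_keys: tuple        # raw public key bytes (constructed sample data below)

def fingerprint(pubkey: bytes) -> str:
    # Assumed fingerprint scheme: hex SHA-256 over the raw public key bytes.
    return hashlib.sha256(pubkey).hexdigest()

def check_pin_compatibility(pins: dict, admitted: set, cert: DomainAuthorityCert) -> str:
    """Return 'ok' or the first failing rule of section 6. The pin is looked up before the
    policy hash comparison because the local expectation of the hash lives in the pin."""
    if cert.domain_id not in admitted:            # rule 1: admitted under ASL/DAP/1
        return "not-admitted"
    pin = pins.get(cert.domain_id)                # rule 3: an explicit, local pin must exist
    if pin is None:
        return "no-pin"
    if pin.policy_hash != cert.policy_hash:       # rule 2: policy hash compatible
        return "policy-hash-mismatch"
    presented = {fingerprint(k) for k in cert.root_public_keys}
    # Conservative reading of section 4: every presented root key must be pinned, so an
    # unpinned root cannot ride in beside a pinned one; an empty key set is also rejected.
    if not presented or not presented <= pin.root_fingerprints:
        return "root-key-not-pinned"
    return "ok"

# Constructed sample data: not real keys, hashes or domain identifiers.
KEY_A, KEY_B, KEY_X = b"domain-b-root-A", b"domain-b-root-B", b"unknown-root-X"
PINS = {"domain-b": TrustPin("domain-b", "policyhash-b-v1",
                             frozenset({fingerprint(KEY_A), fingerprint(KEY_B)}))}
ADMITTED = {"domain-b", "domain-c"}   # domain-c is admitted but has no local pin
GOOD = DomainAuthorityCert("domain-b", "policyhash-b-v1", (KEY_A, KEY_B))
STALE_POLICY = DomainAuthorityCert("domain-b", "policyhash-b-v2", (KEY_A,))
ROGUE_ROOT = DomainAuthorityCert("domain-b", "policyhash-b-v1", (KEY_A, KEY_X))
UNPINNED = DomainAuthorityCert("domain-c", "policyhash-c-v1", (KEY_A,))

if __name__ == "__main__":
    for cert in (GOOD, STALE_POLICY, ROGUE_ROOT, UNPINNED):
        print(cert.domain_id, check_pin_compatibility(PINS, ADMITTED, cert))
```

Only `GOOD` passes; the other three certificates each fail on a different rule, which is the property admission logging (ASL/LOG/1) should be able to record per rejected domain.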