# ASL/OFFLINE-ROOT-TRUST/1 -- Offline Root Trust

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [trust, roots, offline, authority]

**Document ID:** `ASL/OFFLINE-ROOT-TRUST/1`
**Layer:** L2 -- Trust anchors (no encoding)

**Depends on (normative):**

* `ASL/DAM/1`

**Informative references:**

* `ASL/OCS/1` -- offline certificate system

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/OFFLINE-ROOT-TRUST/1 defines the **offline root trust model** for domains. It does not define encodings.

---

## 1. Purpose

Offline roots define domain legitimacy. They are offline, auditable, and deterministic. They do not provide availability guarantees.

---

## 2. Root Set Definition

A domain MUST trust a fixed, explicit set of offline root public keys:

```text
OfflineRootSet {
  version     : u32
  root_keys[] : PublicKey
  threshold   : u8
  reserved0   : u32
}
```

The root set is snapshot-pinned and rarely changed. `reserved0` MUST be 0.

---

## 3. Recommended Root Count

Recommended size: **1 to 3** root keys.

* 1 root: personal or small domains
* 2 roots: separation of duties
* 3 roots: high-value domains

---

## 4. Threshold Rules

* Default threshold is 1.
* If threshold > 1, it MUST be fixed and explicit.
* Verification MUST be order-independent.
* Threshold MUST be <= number of `root_keys[]`.

---

## 5. What Roots May Sign

Offline roots MAY sign only:

* AuthorityCertificate artifacts
* Root rotation artifacts
* Policy ratification artifacts (optional)

Roots MUST NOT sign artifacts, PERs, snapshots, or TGK edges.

---

## 6. Root Set Validation (Normative)

An OfflineRootSet is valid iff:

1. `root_keys[]` contains unique entries (no duplicates).
2. `threshold` is between 1 and `len(root_keys[])`.
3. `version` is supported.
4. `reserved0` is 0.

---

## 7. Root Rotation

Root rotation is a constitutional change:

1. Define new root set
2. Old roots sign rotation artifact
3. New snapshots reference the new root set
4. Old snapshots remain valid

---

## 8. Validation Algorithm

To validate authority:

1. Load snapshot
2. Resolve DAM
3. Resolve AuthorityCertificate artifacts
4. Verify certificates against offline root set
5. Check threshold

No timestamps or online checks are required.

---

## 9. Summary

ASL/OFFLINE-ROOT-TRUST/1 defines a small, explicit offline root set that anchors authority and preserves deterministic replay.
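
The Section 6 validity conditions and the threshold check from Sections 4 and 8, written in Python as an added example that is not part of the specification. The supported-version set, the function names, and the use of opaque byte strings for public keys are assumptions; signature verification is assumed to have happened before `threshold_met` is called.

```python
from typing import Iterable, List, NamedTuple, Tuple

# Assumption: the spec does not enumerate supported versions; 1 is a placeholder.
SUPPORTED_VERSIONS = frozenset({1})


class OfflineRootSet(NamedTuple):
    version: int
    root_keys: Tuple[bytes, ...]  # opaque public keys; encoding is out of scope
    threshold: int
    reserved0: int = 0


def root_set_errors(rs: OfflineRootSet) -> List[str]:
    """Return the Section 6 conditions that rs violates (empty list = valid)."""
    errors = []
    if len(set(rs.root_keys)) != len(rs.root_keys):
        errors.append("duplicate root key")
    if not 1 <= rs.threshold <= len(rs.root_keys):
        errors.append("threshold out of range")
    if rs.version not in SUPPORTED_VERSIONS:
        errors.append("unsupported version")
    if rs.reserved0 != 0:
        errors.append("reserved0 not zero")
    return errors


def threshold_met(rs: OfflineRootSet, verified_signers: Iterable[bytes]) -> bool:
    """Threshold check for one certificate (Section 8, step 5).

    verified_signers holds the public keys whose signatures over the
    certificate have already been verified cryptographically (not shown).
    Counting distinct keys that belong to the root set makes the result
    independent of signature order and keeps a repeated signature from one
    root, or a signature from a non-root key, from counting toward it.
    """
    if root_set_errors(rs):
        return False  # fail closed on an invalid root set
    return len(set(verified_signers) & set(rs.root_keys)) >= rs.threshold


# Constructed sample: placeholder byte strings standing in for public keys.
ROOT_A, ROOT_B, ROOT_C = b"root-A", b"root-B", b"root-C"
SAMPLE = OfflineRootSet(version=1, root_keys=(ROOT_A, ROOT_B, ROOT_C), threshold=2)

if __name__ == "__main__":
    print(root_set_errors(SAMPLE))
    print(threshold_met(SAMPLE, [ROOT_B, ROOT_A]))
    print(threshold_met(SAMPLE, [ROOT_A, ROOT_A]))
```
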