# ASL/COMMON-WITNESS-ROTATION/1 -- Common Witness Rotation Artifact

* Status: Draft
* Owner: Architecture
* Version: 0.1.0
* SoT: No
* Last Updated: 2025-01-17
* Tags: [common, witness, rotation, governance]

**Document ID:** `ASL/COMMON-WITNESS-ROTATION/1`

**Layer:** L2 -- Common witness governance (no transport)

**Depends on (normative):**

* `ASL/DAM/1`
* `ASL/POLICY-HASH/1`
* `ASL/LOG/1`

**Informative references:**

* `ASL/OCS/1` -- certificate semantics
* `ASL/OFFLINE-ROOT-TRUST/1`
* `ASL/SYSTEM/1` -- system view

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/COMMON-WITNESS-ROTATION/1 defines the artifact used to rotate the Common witness emitter. It does not define transport, storage layout, or quorum transport mechanisms.

---

## 1. Purpose

This document defines the **Witness Rotation Artifact (WRA)** for the Common domain. The WRA is the only mechanism that authorizes a change of the active Common witness emitter while preserving a single linear Common history.

---

## 2. Roles and Terms

* **Witness Emitter:** The single domain authorized to emit the next Common snapshot.
* **Witness Authority:** A domain whose principals may endorse a witness rotation.
* **Rotation Snapshot:** The first Common snapshot emitted by the new witness emitter.

---

## 3. Artifact Identity

* **Artifact type tag:** `asl.common.witness-rotation`
* **Artifact key:** content-addressed (ASL/1-CORE)
* **Visibility:** published within the Common domain

---

## 4. Canonical Structure (Logical)

```text
WitnessRotationArtifact {
  version                : u32
  common_domain_id       : DomainID
  previous_snapshot_id   : SnapshotID
  previous_snapshot_hash : Hash
  old_witness_domain_id  : DomainID
  old_witness_pubkey_id  : KeyID
  new_witness_domain_id  : DomainID
  new_witness_pubkey_id  : KeyID
  policy_ref             : ArtifactRef
  endorsements           : EndorsementSet
  created_at_logseq      : u64
  reserved0              : u32
}

EndorsementSet {
  threshold      : u32
  endorsements[] : Endorsement
}

Endorsement {
  endorser_domain_id : DomainID
  endorser_pubkey_id : KeyID
  signature          : Signature
}
```

Notes:

* `policy_ref` MUST reference the policy artifact governing the Common domain at the time of rotation.
* `reserved0` MUST be 0.

---

## 5. Signing Payload (Normative)

Each endorsement signature MUST cover the canonicalized payload:

```
H(
  version ||
  common_domain_id ||
  previous_snapshot_id ||
  previous_snapshot_hash ||
  new_witness_domain_id ||
  new_witness_pubkey_id ||
  policy_ref
)
```

* `H` is the hash function used by the Common domain.
* The signature algorithm MUST be allowed by the endorser's DAM and policy.

---

## 6. Validation Rules (Normative)

A Common domain implementation MUST accept a witness rotation artifact if and only if:

1. `previous_snapshot_id` and `previous_snapshot_hash` match the current trusted Common snapshot.
2. The endorsement set meets or exceeds `threshold` with valid signatures.
3. Each endorser is authorized as a witness authority by the Common domain's policy.
4. `policy_ref` matches the policy hash recorded for the Common domain at the time of rotation.
5. `created_at_logseq` is monotonic and consistent with the Common log ordering.

If any rule fails, the WRA MUST be rejected and MUST NOT affect witness authority.

---

## 7. Rotation Semantics (Normative)

* The WRA authorizes exactly one transition from `old_witness_*` to `new_witness_*`.
* The new witness emitter MUST begin emitting snapshots at the next log sequence after the rotation is admitted.
* Only one witness emitter MAY be active at a time.
* A rotation does not grant broader authority beyond emitting Common snapshots.

---

## 8. Non-Goals

ASL/COMMON-WITNESS-ROTATION/1 does not define:

* How endorsements are collected or transported
* Network replication or consensus protocols
* Storage or encoding formats for the artifact
* Automated governance workflows beyond validation rules
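The following validator is an added example, not ASL code, written to show how the section 5 signing payload and the section 6 validation rules fit together and how a section 7 transition is admitted. It fixes choices the specification leaves open and labels them as assumptions: `H` is SHA-256, each field is length-prefixed before the `||` concatenation, HMAC-SHA256 with a per-endorser key stands in for the endorser's DAM-approved signature scheme so that the code runs on the standard library alone, and the `CommonState`, `min_threshold`, and the check that `old_witness_*` names the currently active emitter are the example's own additions rather than text from the specification.

```python
"""Added example: validate a Witness Rotation Artifact (WRA) and admit the rotation.
Assumptions (not fixed by ASL/COMMON-WITNESS-ROTATION/1): H = SHA-256, length-prefixed
fields, HMAC-SHA256 as a stand-in for the real endorser signature scheme."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

KeyID = Tuple[str, str]  # (domain_id, pubkey_id)


@dataclass
class Endorsement:
    endorser_domain_id: str
    endorser_pubkey_id: str
    signature: bytes


@dataclass
class EndorsementSet:
    threshold: int
    endorsements: List[Endorsement]


@dataclass
class WitnessRotationArtifact:
    version: int
    common_domain_id: str
    previous_snapshot_id: str
    previous_snapshot_hash: bytes
    old_witness_domain_id: str
    old_witness_pubkey_id: str
    new_witness_domain_id: str
    new_witness_pubkey_id: str
    policy_ref: bytes
    endorsements: EndorsementSet
    created_at_logseq: int
    reserved0: int = 0


@dataclass
class CommonState:
    """The validator's trusted view of the Common domain (constructed for this example)."""
    trusted_snapshot_id: str
    trusted_snapshot_hash: bytes
    policy_ref: bytes                        # policy hash recorded for the domain
    last_logseq: int
    witness_authorities: Dict[KeyID, bytes]  # endorsers the policy authorises -> their key
    active_witness: KeyID
    min_threshold: int                       # policy floor on `threshold` (assumption)


def _field(b: bytes) -> bytes:
    # Length-prefix each field so `a || b` cannot be re-split into `a' || b'` (assumption).
    return len(b).to_bytes(4, "big") + b


def signing_payload(wra: WitnessRotationArtifact) -> bytes:
    """Section 5 payload. old_witness_*, endorsements and threshold are NOT covered."""
    h = hashlib.sha256()
    for part in (wra.version.to_bytes(4, "big"), wra.common_domain_id.encode(),
                 wra.previous_snapshot_id.encode(), wra.previous_snapshot_hash,
                 wra.new_witness_domain_id.encode(), wra.new_witness_pubkey_id.encode(),
                 wra.policy_ref):
        h.update(_field(part))
    return h.digest()


def endorse(key: bytes, domain_id: str, key_id: str, wra: WitnessRotationArtifact) -> Endorsement:
    """Stand-in signer for a witness authority (HMAC in place of a real signature)."""
    sig = hmac.new(key, signing_payload(wra), hashlib.sha256).digest()
    return Endorsement(domain_id, key_id, sig)


def validate_wra(wra: WitnessRotationArtifact, state: CommonState) -> Tuple[bool, str]:
    """Section 6 rules; returns (accepted, reason). A rejected WRA changes no state."""
    if wra.reserved0 != 0:
        return False, "reserved0 must be 0"
    if (wra.previous_snapshot_id, wra.previous_snapshot_hash) != \
            (state.trusted_snapshot_id, state.trusted_snapshot_hash):
        return False, "rule 1: not anchored to the current trusted Common snapshot"
    if wra.policy_ref != state.policy_ref:
        return False, "rule 4: policy_ref does not match the recorded policy hash"
    if wra.created_at_logseq <= state.last_logseq:
        return False, "rule 5: created_at_logseq is not monotonic"
    if (wra.old_witness_domain_id, wra.old_witness_pubkey_id) != state.active_witness:
        return False, "old_witness_* does not name the active emitter (section 7 transition)"
    payload = signing_payload(wra)
    valid: Set[KeyID] = set()
    for e in wra.endorsements.endorsements:
        ident = (e.endorser_domain_id, e.endorser_pubkey_id)
        key = state.witness_authorities.get(ident)
        if key is None:
            continue  # rule 3: an endorser the policy does not authorise never counts
        if hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), e.signature):
            valid.add(ident)  # set semantics: one authority endorsing twice counts once
    # `threshold` travels unsigned in the artifact, so a policy floor is applied (assumption).
    needed = max(wra.endorsements.threshold, state.min_threshold)
    if len(valid) < needed:
        return False, f"rule 2: {len(valid)} valid endorsements, {needed} required"
    return True, "ok"


def admit_rotation(wra: WitnessRotationArtifact, state: CommonState) -> CommonState:
    """Section 7: after admission the new emitter owns every snapshot past created_at_logseq."""
    ok, reason = validate_wra(wra, state)
    if not ok:
        raise ValueError(reason)
    return replace(state, active_witness=(wra.new_witness_domain_id, wra.new_witness_pubkey_id),
                   last_logseq=wra.created_at_logseq)
```

Two details matter for a real implementation. Because the section 5 payload excludes the endorsement set and its `threshold`, neither is protected by the endorsers' signatures; counting distinct authorised endorsers (a set, not a list) and enforcing a policy-derived minimum threshold keep a replayed or duplicated endorsement, or an artifact that simply declares `threshold = 1`, from satisfying rule 2. The `old_witness_*` check is not one of the five section 6 rules; it is derived from section 7's "exactly one transition" wording and is included here as the example's own assumption.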