2.3 KiB
ENC-ASL-AUTH-HOST/1 - Authority Host Layout
Status: Draft Owner: Architecture Version: 0.1.0 SoT: No Last Updated: 2026-01-17 Tags: [ops, authority, layout]
Document ID: ENC-ASL-AUTH-HOST/1
Layer: O2E - Authority host layout profile
Depends on (normative):
ASL/AUTH-HOST/1ENC-ASL-HOST/1
Informative references:
ASL/DAM/1PEL/1-CORE
0. Conventions
The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.
1. Purpose and Scope
ENC-ASL-AUTH-HOST/1 extends ENC-ASL-HOST/1 with authority-specific layout requirements for offline admission and signing workflows.
2. Authority Root Layout
/asl-auth-host/
├── host/
├── domains/
├── env-claims/
├── sops-bundles/
└── tools/
This layout may be mounted as a single root or mapped into /asl-host with
additional authority directories.
3. Domains
Domain layout MUST follow ENC-ASL-HOST/1 under:
/asl-auth-host/domains/<domain-id>/
4. Environment Claims
/asl-auth-host/env-claims/
Each claim MUST be stored as an immutable artifact, named by snapshot or content hash.
5. SOPS Bundles
/asl-auth-host/sops-bundles/
Bundles contain DAMs, receipts, and policy artifacts for offline transfer.
6. Tools
/asl-auth-host/tools/
Authority binaries and scripts SHOULD be versioned and treated as immutable.
7. Naming Conventions (Informative)
The following naming conventions are recommended for interop:
7.1 Store Blocks
<block-id>.bin
<block-id>.meta
7.2 Index Segments
segment-<n>.idx
bloom-<n>.bf
7.3 Log Files
log-<seq>.aol
7.4 Snapshots
snapshot-<id>.meta
snapshot-<id>.blocks
7.5 Certificates
root.pub
root.priv.enc
dam-signer.pub
dam-signer.priv.enc
7.6 Policies
policy-<hash>.json
7.7 DAM Artifacts
dam-<seq>.json.sig
7.8 Environment Claims
<snapshot-id>.claim
Environment claims SHOULD include:
- OS image hash
- Boot environment info
- Installed tool hashes
- Store checksum at snapshot
7.9 SOPS Bundles
Bundles SHOULD include checksums for integrity validation.
8. Versioning
Backward-incompatible layout changes MUST bump the major version.