niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/tier1/asl-dam-1.md
Carl Niklas Rydberg 95e030d562 Refine federation replay and authority specs
2026-01-17 08:58:56 +01:00

3.5 KiB
Raw Blame History

ASL/DAM/1 -- Domain Authority Manifest

Status: Draft Owner: Architecture Version: 0.1.0 SoT: No Last Updated: 2025-01-17 Tags: [authority, trust, policy, domains]

Document ID: ASL/DAM/1 Layer: L2 -- Authority semantics (no encoding)

Depends on (normative):

  • ASL/POLICY-HASH/1

Informative references:

  • ASL/OCS/1 -- offline certificate system
  • ASL/OFFLINE-ROOT-TRUST/1 -- offline root policy
  • PER/SIGNATURE/1 -- PER signature verification

0. Conventions

The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.

ASL/DAM/1 defines the logical structure and semantics of the Domain Authority Manifest. It does not define an encoding.

1. Purpose

The Domain Authority Manifest (DAM) defines who may assert authority on behalf of a domain. It binds domain identity to principals, roles, and a policy hash.

2. Core Concepts

  • Principal: a cryptographic public key
  • Role: capability granted to a principal
  • Policy hash: canonical hash binding policy constraints to a domain
  • Authority scope: explicit actions this DAM authorizes within the domain

3. Roles (Minimal Set)

Role Capability
produce Create internal artifacts
execute Emit PERs
publish Publish artifacts/snapshots
federate Export published state
audit Verify only, no mutations

Roles are capabilities, not identities.

4. Logical Schema

DomainAuthorityManifest {
    domain_id    : DomainID
    version      : u32
    root_key     : PublicKey
    principals[] : PrincipalEntry
    policy_hash  : Hash
    scope[]      : AuthorityScope
}

PrincipalEntry {
    principal_id : Hash
    public_key   : PublicKey
    roles[]      : Role
}

The DAM is immutable once published. Rotation is performed by publishing a new DAM.

4.1 Authority Scope

The optional scope[] constrains what this DAM authorizes. If omitted, scope is assumed to include all roles defined in this document.

AuthorityScope = {
  "produce",
  "execute",
  "publish",
  "federate",
  "audit"
}

5. Admission and Pinning (Normative)

Before a DAM is trusted, a receiving domain MUST:

  1. Admit the domain (see ASL/DAP/1).
  2. Pin the DAM artifact to a snapshot.
  3. Pin the DAM's policy_hash for that snapshot lineage.

6. Validation Rules (Normative)

A node MUST reject any action unless:

  1. The DAM artifact is visible in the relevant snapshot.
  2. The DAM hash matches the snapshot reference (if recorded).
  3. The action is signed by a principal listed in the DAM.
  4. The principal has the required role.
  5. The DAM root_key is certified by the offline root trust chain.
  6. The action is within the DAM's declared scope[] (if present).

7. Policy Binding

The DAM policy_hash binds the domain to a specific policy document. If policy changes, a new DAM MUST be published and referenced by new snapshots.

8. Idempotency and Rotation

  • Replaying the same snapshot + DAM MUST yield identical authority decisions.
  • Rotation is done by publishing a new DAM and referencing it in new snapshots.
  • Old snapshots remain valid with the DAM they reference.

9. Non-Goals

  • Encoding format
  • Key rotation workflow
  • Live revocation

10. Summary

ASL/DAM/1 defines the minimal authority document for a domain, binding principals and roles to a policy hash under an offline root trust chain.