amduat-api/tier1/asl-common-witness-rotation-1.md
2026-01-17 10:33:23 +01:00


# ASL/COMMON-WITNESS-ROTATION/1 -- Common Witness Rotation Artifact
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [common, witness, rotation, governance]
**Document ID:** `ASL/COMMON-WITNESS-ROTATION/1`
**Layer:** L2 -- Common witness governance (no transport)
**Depends on (normative):**
* `ASL/DAM/1`
* `ASL/POLICY-HASH/1`
* `ASL/LOG/1`
**Informative references:**
* `ASL/OCS/1` -- certificate semantics
* `ASL/OFFLINE-ROOT-TRUST/1`
* `ASL/SYSTEM/1` -- system view
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.
ASL/COMMON-WITNESS-ROTATION/1 defines the artifact used to rotate the Common witness emitter. It does not define how the artifact is transported or stored, nor how endorsements are gathered from witness authorities to reach quorum.
---
## 1. Purpose
This document defines the **Witness Rotation Artifact (WRA)** for the Common domain. The WRA is the only mechanism that authorizes a change of the active Common witness emitter while preserving a single linear Common history.
---
## 2. Roles and Terms
* **Witness Emitter:** The single domain authorized to emit the next Common snapshot.
* **Witness Authority:** A domain whose principals may endorse a witness rotation.
* **Rotation Snapshot:** The first Common snapshot emitted by the new witness emitter.
---
## 3. Artifact Identity
* **Artifact type tag:** `asl.common.witness-rotation`
* **Artifact key:** content-addressed (ASL/1-CORE)
* **Visibility:** published within the Common domain
---
## 4. Canonical Structure (Logical)
```text
WitnessRotationArtifact {
version : u32
common_domain_id : DomainID
previous_snapshot_id : SnapshotID
previous_snapshot_hash : Hash
old_witness_domain_id : DomainID
old_witness_pubkey_id : KeyID
new_witness_domain_id : DomainID
new_witness_pubkey_id : KeyID
policy_ref : ArtifactRef
endorsements : EndorsementSet
created_at_logseq : u64
reserved0 : u32
}
EndorsementSet {
threshold : u32
endorsements[] : Endorsement
}
Endorsement {
endorser_domain_id : DomainID
endorser_pubkey_id : KeyID
signature : Signature
}
```
Notes:
* `policy_ref` MUST reference the policy artifact governing the Common domain at the time of rotation.
* `reserved0` MUST be 0.
* `old_witness_domain_id`, `old_witness_pubkey_id`, `threshold` and `created_at_logseq` are not covered by the endorsement signature (section 5). They are bound to the transition only through `previous_snapshot_id` / `previous_snapshot_hash` and the Common log, so a validator MUST take the active emitter, the required threshold and the log position from its own trusted state and compare the artifact against them (section 6), never the other way round.
---
## 5. Signing Payload (Normative)
Each endorsement signature MUST cover the canonicalized payload:
```
H(
version
|| common_domain_id
|| previous_snapshot_id
|| previous_snapshot_hash
|| new_witness_domain_id
|| new_witness_pubkey_id
|| policy_ref
)
```
* `H` is the hash function used by the Common domain.
* Fields are concatenated in their canonical encoding. Because the payload is a bare concatenation, every field in that encoding MUST be fixed-width or length-prefixed, so that no two distinct field tuples can produce the same byte string.
* The signature algorithm MUST be allowed by the endorser's DAM and policy.
* `old_witness_*`, `endorsements` and `created_at_logseq` are not part of the payload; they are checked against trusted state under section 6 rather than protected by the signature.
---
## 6. Validation Rules (Normative)
A Common domain implementation MUST accept a witness rotation artifact if and only if all of the following hold:
1. `previous_snapshot_id` and `previous_snapshot_hash` match the current trusted Common snapshot, and `old_witness_domain_id` / `old_witness_pubkey_id` identify the emitter that is currently active.
2. The endorsement set contains at least `threshold` valid signatures over the section 5 payload from distinct endorsers; several endorsements by the same principal count once.
3. Each endorser is authorized as a witness authority by the Common domain's policy, and `threshold` is not lower than the endorsement threshold that policy requires.
4. `policy_ref` matches the policy hash recorded for the Common domain at the time of rotation.
5. `created_at_logseq` is strictly greater than the log sequence at which the current trusted snapshot was recorded and is consistent with Common log ordering (`ASL/LOG/1`).
If any rule fails, the WRA MUST be rejected and MUST NOT affect witness authority. Rules 1, 4 and 5 can be decided from trusted state alone, so an implementation can evaluate them before verifying any signature and reject a replayed or mis-targeted artifact without doing signature work.
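The following Go sketch is an added example, not part of the ASL specification or any ASL implementation. It models the section 4 structure, computes the section 5 payload, and applies the section 6 rules against state the validator already trusts. Everything concrete in it is an assumption made for the example: 32-byte identifiers, `version` as a big-endian u32, SHA-256 as `H`, Ed25519 endorsements, `KeyID` as SHA-256 of the public key, and the names `Snapshot`, `TrustedState`, `Authority`, `KeyIDOf`, `Endorse`, `Validate` and `Scenario`. The real canonical encoding belongs to ASL/1-CORE. The validator also goes slightly beyond the numbered rules in the way a deployment would have to: it counts each authority once however many endorsements it supplied, takes the required threshold from trusted policy state rather than from the artifact, and checks `old_witness_*` against the active emitter, because none of those fields is covered by the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// All identifiers are fixed 32-byte values here (an assumption; the page leaves their encoding to ASL/1-CORE).
type (
	DomainID       [32]byte
	SnapshotID     [32]byte
	Hash           [32]byte
	KeyID          [32]byte
	ArtifactRef    [32]byte
	Endorsement    struct{ EndorserDomainID DomainID; EndorserPubkeyID KeyID; Signature []byte }
	EndorsementSet struct{ Threshold uint32; Endorsements []Endorsement }
	Authority      struct{ Domain DomainID; Pub ed25519.PublicKey } // a principal the policy admits
	Snapshot       struct{ ID SnapshotID; Hash Hash; Logseq uint64; Emitter DomainID; EmitterKey KeyID }
)
type WitnessRotationArtifact struct {
	Version, Reserved0                     uint32
	CommonDomainID                         DomainID
	PreviousSnapshotID                     SnapshotID
	PreviousSnapshotHash                   Hash
	OldWitnessDomainID, NewWitnessDomainID DomainID
	OldWitnessPubkeyID, NewWitnessPubkeyID KeyID
	PolicyRef                              ArtifactRef
	Endorsements                           EndorsementSet
	CreatedAtLogseq                        uint64
}
// TrustedState is what the validator already holds; nothing in it is read from the artifact.
type TrustedState struct {
	Current     Snapshot            // last admitted Common snapshot and the emitter that produced it
	PolicyRef   ArtifactRef         // policy hash recorded for the Common domain
	Threshold   uint32              // endorsements that policy requires, not what the artifact claims
	Authorities map[KeyID]Authority // witness authorities that policy admits, by pubkey id
}
func KeyIDOf(pub ed25519.PublicKey) KeyID { return sha256.Sum256(pub) } // assumption: SHA-256 of the raw key

// SigningPayload is the section 5 hash. All fields are fixed width (version as big-endian u32), so the
// concatenation is injective; a variable-width field would need a length prefix to keep it so.
func SigningPayload(w *WitnessRotationArtifact) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{
		{byte(w.Version >> 24), byte(w.Version >> 16), byte(w.Version >> 8), byte(w.Version)},
		w.CommonDomainID[:], w.PreviousSnapshotID[:], w.PreviousSnapshotHash[:], w.NewWitnessDomainID[:], w.NewWitnessPubkeyID[:], w.PolicyRef[:]}, nil))
	return sum[:]
}
// Endorse is the authority side: sign the payload with an admitted key.
func Endorse(st *TrustedState, w *WitnessRotationArtifact, priv ed25519.PrivateKey) Endorsement {
	id := KeyIDOf(priv.Public().(ed25519.PublicKey))
	return Endorsement{st.Authorities[id].Domain, id, ed25519.Sign(priv, SigningPayload(w))}
}
// Validate applies the section 6 rules; nil means the WRA may change witness authority. Fields outside the
// signed payload (old_witness_*, threshold, created_at_logseq) are compared with trusted state, never believed.
func Validate(st *TrustedState, w *WitnessRotationArtifact) error {
	switch {
	case w.PreviousSnapshotID != st.Current.ID || w.PreviousSnapshotHash != st.Current.Hash ||
		w.OldWitnessDomainID != st.Current.Emitter || w.OldWitnessPubkeyID != st.Current.EmitterKey:
		return fmt.Errorf("rule 1: not bound to the trusted snapshot and its active emitter")
	case w.PolicyRef != st.PolicyRef:
		return fmt.Errorf("rule 4: policy_ref does not match the recorded policy")
	case w.CreatedAtLogseq <= st.Current.Logseq:
		return fmt.Errorf("rule 5: created_at_logseq is not after the trusted snapshot")
	case w.Endorsements.Threshold < st.Threshold:
		return fmt.Errorf("rule 2: threshold %d is below policy threshold %d", w.Endorsements.Threshold, st.Threshold)
	}
	payload, seen := SigningPayload(w), map[KeyID]bool{} // an authority counts once, however often it signed
	for _, e := range w.Endorsements.Endorsements {
		a, ok := st.Authorities[e.EndorserPubkeyID] // rule 3: must be an admitted witness authority
		if !ok || a.Domain != e.EndorserDomainID || !ed25519.Verify(a.Pub, payload, e.Signature) {
			return fmt.Errorf("rules 2/3: endorsement by key %x rejected", e.EndorserPubkeyID[:4])
		}
		seen[e.EndorserPubkeyID] = true
	}
	if uint32(len(seen)) < w.Endorsements.Threshold {
		return fmt.Errorf("rule 2: %d distinct endorsements, need %d", len(seen), w.Endorsements.Threshold)
	}
	return nil
}
// Scenario builds constructed trusted state (three authorities, policy threshold 2) and a WRA endorsed by
// the first two. Keys are generated fresh and every identifier is made up for the example.
func Scenario() (*TrustedState, *WitnessRotationArtifact, []ed25519.PrivateKey) {
	h := func(s string) [32]byte { return sha256.Sum256([]byte(s)) }
	st := &TrustedState{Current: Snapshot{h("snapshot-41"), h("snapshot-41-hash"), 41, h("witness-old"), h("witness-old-key")},
		PolicyRef: h("policy-v3"), Threshold: 2, Authorities: map[KeyID]Authority{}}
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
		st.Authorities[KeyIDOf(pub)] = Authority{h(fmt.Sprintf("authority-%d", i)), pub}
		privs = append(privs, priv)
	}
	w := &WitnessRotationArtifact{Version: 1, CommonDomainID: h("common"), PreviousSnapshotID: st.Current.ID,
		PreviousSnapshotHash: st.Current.Hash, OldWitnessDomainID: st.Current.Emitter, OldWitnessPubkeyID: st.Current.EmitterKey,
		NewWitnessDomainID: h("witness-new"), NewWitnessPubkeyID: h("witness-new-key"), PolicyRef: st.PolicyRef,
		CreatedAtLogseq: 42, Endorsements: EndorsementSet{Threshold: 2}}
	for _, p := range privs[:2] {
		w.Endorsements.Endorsements = append(w.Endorsements.Endorsements, Endorse(st, w, p))
	}
	return st, w, privs
}
```

`Scenario` is what a `main` or a test drives: `Validate` returns nil for the artifact it builds, and an error as soon as a signed field is altered after endorsement, an authority endorses twice to fake quorum, the artifact's own `threshold` is lowered below the policy's, `old_witness_*` names anything but the active emitter, or `created_at_logseq` does not advance past the trusted snapshot. The `switch` ordering is deliberate: every check that trusted state alone can decide runs before any signature is verified.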
---
## 7. Rotation Semantics (Normative)
* The WRA authorizes exactly one transition from `old_witness_*` to `new_witness_*`.
* The new witness emitter MUST begin emitting snapshots at the next log sequence after the rotation is admitted.
* Only one witness emitter is active at any time: admitting a WRA deactivates `old_witness_*` and activates `new_witness_*` in the same step, so two emitters MUST NOT be active together.
* A rotation does not grant broader authority beyond emitting Common snapshots.
---
## 8. Non-Goals
ASL/COMMON-WITNESS-ROTATION/1 does not define:
* How endorsements are collected or transported
* Network replication or consensus protocols
* Storage or encoding formats for the artifact
* Automated governance workflows beyond validation rules