Yes — that’s exactly right, and what you just articulated is an important missing conceptual layer. You’ve essentially identified the need for a PEL-visible “foreign domain binding” state machine, and the notion of a virgin authority.
I’ll formalize this cleanly and minimally, without over-specifying.
Virgin Authority, Foreign Domains, and USB as a PEL Domain
1. The Missing Abstraction: “Presented Domain”
From the PEL / ASL perspective, USB content is not just files.
It is one of:
- A presented domain
- A domain admission request
- A known foreign domain
- A virgin domain
This must be explicit, not inferred.
2. Domain States (Normative)
2.1 Authority Domain States
| State | Description |
|---|---|
| Virgin | No master authority exists |
| Rooted | Root authority keys exist |
| Federating | Can sign foreign domains |
| Operational | Normal steady-state authority |
The auth host starts in Virgin.
2.2 Presented Domain States (USB)
When a USB is inserted, its contents are classified as one of:
| State | Meaning |
|---|---|
| Virgin | No certificates present |
| Self-asserting | Contains unsigned claims |
| Admitted | Has valid DAM |
| Known foreign | Previously pinned domain |
This classification is done by PEL, not by shell logic.
3. USB as a Temporary ASL Domain
Key principle:
USB content is treated as a temporary ASL domain with read-only semantics.
Let’s call it:
```
domain_id = PRESENTED::<hash(usb_fingerprint)>
```
Properties:
- Read-only
- No sealing allowed
- No GC
- No snapshots persisted
- Exists only for duration of execution
PEL can refer to:
```yaml
inputs:
  - domain: presented
    path: /REQUEST/input-artifacts
```
4. Virgin Authority Bootstrapping (First Ever Operation)
4.1 Virgin State Invariants
When the auth host is virgin:
- No root keys exist
- No trusted domains exist
- No policy is mutable
- Only one PEL program is allowed: Authority Genesis
4.2 Authority Genesis PEL Program
Allowed exactly once.
```yaml
pel_program_type: authority-genesis
inputs:
  - entropy_source
  - operator_assertion
outputs:
  - root_authority_key
  - policy_hash
  - genesis_snapshot
```
Effects:
- Root keys generated
- Policy hash sealed
- Authority transitions: Virgin → Rooted
Receipt produced is the birth certificate of the authority.
5. Admission PEL Program (Foreign Domain Birth)
5.1 Admission Program Semantics
```yaml
pel_program_type: domain-admission
inputs:
  - presented_domain
  - identity_claims
outputs:
  - domain_id
  - domain_dam
  - courtesy_lease
```
Rules:
- Presented domain may be virgin
- Domain ID assigned by authority
- DAM signed and returned
- Domain becomes Admitted
6. Rescue PEL Program (Foreign Domain Capture)
```yaml
pel_program_type: rescue
inputs:
  - presented_domain
  - raw_artifacts
outputs:
  - encrypted_blocks
  - receipt
```
Rules:
- No identity required
- Outputs always encrypted
- Bound to a domain chosen by operator or authority policy
- Can be admitted later
7. Known Foreign Domains (Trust Pinning)
Once a domain is admitted:
- Its DAM hash is pinned locally
- Future USBs presenting that domain are recognized
- PEL may allow richer operations
```yaml
foreign_domains:
  - domain_id
  - dam_hash
  - trust_level: read-only | federated
```
8. Why This is Correct
Philosophically
- Nothing is “known” until a receipt says so
- Virgin is a real state
- Authority is created, not assumed
- USB is a domain, not a filesystem
Technically
- Keeps PEL central
- Avoids shell heuristics
- Enables deterministic replay
- Aligns with ASL semantics
9. Practical Implications for Implementation
You can implement today:
- Domain state machine (virgin/rooted/operational)
- USB classification via PEL pre-pass
- Authority genesis as first program
- Admission as normal PEL execution
- Rescue as encrypted-only PEL execution
No need for:
- Networking
- Long-term federation
- Complex identity systems
10. One-sentence summary
The auth host is born virgin, USBs are temporary domains, and only PEL programs are allowed to change reality.
If you want next, I can:
- Formalize the Authority Genesis PEL program
- Define Presented Domain fingerprinting
- Draft domain state transition diagrams
- Show how this plugs into ASL-HOST cleanly
Just say where to go.
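An added example, not part of the message above and not code from any PEL/ASL project: a minimal Python model of the authority state machine (section 2.1), the presented-domain classification (section 2.2), the virgin gate that admits only `authority-genesis` exactly once (section 4), and admission with DAM pinning (sections 5 and 7). The field layout of `PresentedDomain`, the use of an HMAC tag as a stand-in for a real DAM signature, the `GENESIS_POLICY` text, and the `DOM::` id format are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Assumption: the spec only says the policy hash is sealed; this stands in for the policy text.
GENESIS_POLICY = b"only PEL programs may change authority state"

class AuthorityState(Enum):
    VIRGIN = "virgin"
    ROOTED = "rooted"
    FEDERATING = "federating"
    OPERATIONAL = "operational"

class PresentedState(Enum):
    VIRGIN = "virgin"
    SELF_ASSERTING = "self-asserting"
    ADMITTED = "admitted"
    KNOWN_FOREIGN = "known-foreign"

@dataclass
class PresentedDomain:
    """Read-only view of inserted USB content (field layout is constructed for this example)."""
    fingerprint: bytes                            # stable per-device identifier bytes
    claims: dict = field(default_factory=dict)    # unsigned, self-asserted claims
    dam: Optional[dict] = None                    # Domain Admission Manifest, if present

    @property
    def domain_id(self) -> str:
        # Temporary domain id of the presented content, as in section 3
        return "PRESENTED::" + hashlib.sha256(self.fingerprint).hexdigest()[:16]

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def dam_hash(dam: dict) -> str:
    return hashlib.sha256(canonical(dam)).hexdigest()

class AuthHost:
    def __init__(self):
        self.state = AuthorityState.VIRGIN
        self.root_key: Optional[bytes] = None
        self.policy_hash: Optional[str] = None
        self.foreign_domains: dict = {}   # dam_hash -> {"domain_id": ..., "trust_level": ...}
        self.receipts: list = []

    def run(self, program_type: str, inputs: dict) -> dict:
        """Single entry point: only PEL programs change state, and the virgin gate lives here."""
        if self.state is AuthorityState.VIRGIN and program_type != "authority-genesis":
            raise PermissionError("virgin authority: only authority-genesis is allowed")
        if program_type == "authority-genesis" and self.state is not AuthorityState.VIRGIN:
            raise PermissionError("authority-genesis is allowed exactly once")
        handler = {"authority-genesis": self._genesis,
                   "domain-admission": self._admission}[program_type]
        outputs = handler(inputs)
        # Receipt = hash over program type and outputs; for genesis this is the birth certificate
        receipt = hashlib.sha256(canonical({"program": program_type, "outputs": outputs})).hexdigest()
        self.receipts.append(receipt)
        return {**outputs, "receipt": receipt}

    def _genesis(self, inputs: dict) -> dict:
        # Symmetric root key derived from entropy + operator assertion (simplification, assumed)
        seed = b"root|" + inputs["entropy_source"] + inputs["operator_assertion"].encode()
        self.root_key = hashlib.sha256(seed).digest()
        self.policy_hash = hashlib.sha256(GENESIS_POLICY).hexdigest()
        self.state = AuthorityState.ROOTED        # Virgin -> Rooted
        return {
            # Only a fingerprint of the key leaves the host, never the key itself
            "root_authority_key": hashlib.sha256(self.root_key).hexdigest(),
            "policy_hash": self.policy_hash,
            "genesis_snapshot": hashlib.sha256(self.root_key + GENESIS_POLICY).hexdigest(),
        }

    def _dam_tag(self, body: dict) -> str:
        return hmac.new(self.root_key, canonical(body), "sha256").hexdigest()

    def _admission(self, inputs: dict) -> dict:
        presented: PresentedDomain = inputs["presented_domain"]
        # Domain ID is assigned by the authority, never taken from the USB
        domain_id = "DOM::" + hashlib.sha256(self.root_key + presented.fingerprint).hexdigest()[:16]
        body = {"domain_id": domain_id, "identity": inputs["identity_claims"]}
        dam = {**body, "tag": self._dam_tag(body)}
        # Pin the DAM hash so later presentations of this domain are recognised (section 7)
        self.foreign_domains[dam_hash(dam)] = {"domain_id": domain_id, "trust_level": "read-only"}
        return {"domain_id": domain_id, "domain_dam": dam, "courtesy_lease": "read-only"}

    def verify_dam(self, dam: dict) -> bool:
        if self.root_key is None or "tag" not in dam:
            return False
        body = {k: v for k, v in dam.items() if k != "tag"}
        return hmac.compare_digest(self._dam_tag(body), dam["tag"])

    def classify(self, presented: PresentedDomain) -> PresentedState:
        """PEL pre-pass classification of inserted USB content (section 2.2)."""
        if presented.dam is not None and self.verify_dam(presented.dam):
            if dam_hash(presented.dam) in self.foreign_domains:
                return PresentedState.KNOWN_FOREIGN
            return PresentedState.ADMITTED
        if presented.claims or presented.dam is not None:
            return PresentedState.SELF_ASSERTING  # unsigned or unverifiable claims
        return PresentedState.VIRGIN
```

The point to take from the model is that every state change goes through `run`, so the "virgin only allows genesis, genesis only once" rule is enforced in one place rather than by shell heuristics, and a USB carrying a tampered or unverifiable DAM is classified as self-asserting, not admitted.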