amduat-api/notes/Virgin Authority, Foreign Domains, and USB as a PEL Domain.md
2026-01-17 00:19:49 +01:00

Yes — that's exactly right, and what you just articulated is an **important missing conceptual layer**.
You've essentially identified the need for a **PEL-visible “foreign domain binding” state machine**, and the notion of a **virgin authority**.
I'll formalize this cleanly and minimally, without over-specifying.
---
# Virgin Authority, Foreign Domains, and USB as a PEL Domain
## 1. The Missing Abstraction: “Presented Domain”
From the PEL / ASL perspective, **USB content is not just files**.
It is one of:
1. A **presented domain**
2. A **domain admission request**
3. A **known foreign domain**
4. A **virgin domain**
This must be explicit, not inferred.
---
## 2. Domain States (Normative)
### 2.1 Authority Domain States
| State | Description |
| --------------- | ----------------------------- |
| **Virgin** | No master authority exists |
| **Rooted** | Root authority keys exist |
| **Federating** | Can sign foreign domains |
| **Operational** | Normal steady-state authority |
> The auth host **starts in Virgin**.
---
### 2.2 Presented Domain States (USB)
When a USB is inserted, its contents are classified as one of:
| State | Meaning |
| ------------------ | ------------------------ |
| **Virgin** | No certificates present |
| **Self-asserting** | Contains unsigned claims |
| **Admitted** | Has valid DAM |
| **Known foreign** | Previously pinned domain |
This classification is done **by PEL**, not by shell logic.
---
## 3. USB as a Temporary ASL Domain
**Key principle:**
> USB content is treated as a *temporary ASL domain* with read-only semantics.
Let's call it:
```
domain_id = PRESENTED::<hash(usb_fingerprint)>
```
Properties:
* Read-only
* No sealing allowed
* No GC
* No snapshots persisted
* Exists only for duration of execution
PEL can refer to:
```yaml
inputs:
  - domain: presented
    path: /REQUEST/input-artifacts
```
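As an added illustration (not code from this note or from amduat-api), here is the PEL pre-pass classification of section 2.2 together with the `PRESENTED::<hash(usb_fingerprint)>` id of section 3, in Go. It assumes a DAM is a byte string carrying an Ed25519 signature from the authority's root key, that known foreign domains are kept as a set of pinned DAM hashes, and a `USBContents` layout invented for the example; the sample sticks in `DemoClassify` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PresentedState is the pre-pass classification of inserted USB content
// (section 2.2). The shell never decides this; it only hands the bytes over.
type PresentedState string

const (
	PresentedVirgin        PresentedState = "virgin"         // no certificates, no claims
	PresentedSelfAsserting PresentedState = "self-asserting" // claims the authority did not sign
	PresentedAdmitted      PresentedState = "admitted"       // carries a DAM signed by our root key
	PresentedKnownForeign  PresentedState = "known-foreign"  // that DAM's hash is already pinned
)

// USBContents is a constructed model of what the pre-pass sees on the stick.
// The field layout is an assumption; the note does not fix an on-disk format.
type USBContents struct {
	Fingerprint  string   // e.g. serial + partition UUID as read by the host
	Certificates [][]byte // certificates found on the stick, signed by anyone
	Claims       []string // unsigned identity claims
	DAM          []byte   // admission manifest bytes, nil if absent
	DAMSignature []byte   // authority signature over DAM
}

// PresentedDomainID derives the temporary read-only domain id of section 3.
// Same stick, same id, so receipts naming it replay deterministically.
func PresentedDomainID(fingerprint string) string {
	sum := sha256.Sum256([]byte(fingerprint))
	return "PRESENTED::" + hex.EncodeToString(sum[:])
}

// Classify checks from most to least trusted. Only a DAM that verifies under
// the local root key counts as admitted; a DAM with a bad signature is just
// another unsigned claim, never a reason to treat the stick as virgin.
func Classify(c USBContents, rootPub ed25519.PublicKey, pinnedDAMHashes map[string]bool) PresentedState {
	if c.DAM != nil && ed25519.Verify(rootPub, c.DAM, c.DAMSignature) {
		h := sha256.Sum256(c.DAM)
		if pinnedDAMHashes[hex.EncodeToString(h[:])] {
			return PresentedKnownForeign
		}
		return PresentedAdmitted
	}
	if c.DAM != nil || len(c.Certificates) > 0 || len(c.Claims) > 0 {
		return PresentedSelfAsserting
	}
	return PresentedVirgin
}

// DemoClassify builds one constructed stick per case and returns the
// classifications in order: virgin, self-asserting, admitted, known-foreign,
// and finally a DAM forged under a key that is not the authority's.
func DemoClassify() ([]PresentedState, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	freshDAM := []byte(`{"domain_id":"DOM-0001","trust_level":"read-only"}`)
	knownDAM := []byte(`{"domain_id":"DOM-0002","trust_level":"federated"}`)
	knownHash := sha256.Sum256(knownDAM)
	pinned := map[string]bool{hex.EncodeToString(knownHash[:]): true}

	sticks := []USBContents{
		{Fingerprint: "usb-serial-A1"},
		{Fingerprint: "usb-serial-B2", Claims: []string{"we are lab-east"}},
		{Fingerprint: "usb-serial-C3", DAM: freshDAM, DAMSignature: ed25519.Sign(rootPriv, freshDAM)},
		{Fingerprint: "usb-serial-D4", DAM: knownDAM, DAMSignature: ed25519.Sign(rootPriv, knownDAM)},
		{Fingerprint: "usb-serial-E5", DAM: freshDAM, DAMSignature: ed25519.Sign(strangerPriv, freshDAM)},
	}
	out := make([]PresentedState, 0, len(sticks))
	for _, s := range sticks {
		out = append(out, Classify(s, rootPub, pinned))
	}
	return out, nil
}

func main() {
	states, err := DemoClassify()
	if err != nil {
		panic(err)
	}
	for i, st := range states {
		fmt.Printf("stick %d: %s\n", i, st)
	}
	fmt.Println(PresentedDomainID("usb-serial-A1"))
}
```

The ordering of the checks is the security-relevant part: a pin is only consulted after the signature verifies, so a stick that merely copies a pinned DAM without the authority's signature lands in `self-asserting`, not `known-foreign`.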
---
## 4. Virgin Authority Bootstrapping (First Ever Operation)
### 4.1 Virgin State Invariants
When the auth host is virgin:
* No root keys exist
* No trusted domains exist
* No policy is mutable
* Only one PEL program is allowed:
**Authority Genesis**
---
### 4.2 Authority Genesis PEL Program
Allowed exactly once.
```yaml
pel_program_type: authority-genesis
inputs:
- entropy_source
- operator_assertion
outputs:
- root_authority_key
- policy_hash
- genesis_snapshot
```
Effects:
* Root keys generated
* Policy hash sealed
* Authority transitions:
```
Virgin → Rooted
```
The receipt produced is **the birth certificate of the authority**.
---
## 5. Admission PEL Program (Foreign Domain Birth)
### 5.1 Admission Program Semantics
```yaml
pel_program_type: domain-admission
inputs:
- presented_domain
- identity_claims
outputs:
- domain_id
- domain_dam
- courtesy_lease
```
Rules:
* Presented domain may be virgin
* Domain ID assigned by authority
* DAM signed and returned
* Domain becomes **Admitted**
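An added example (not the project's code) that walks the auth host from Virgin through Authority Genesis (section 4) into Domain Admission (section 5), including the trust pin of section 7. Assumptions beyond the note: Ed25519 root keys, a receipt that is the root signature over the program name and its JSON outputs, the `DOM-%04d` id scheme, and a genesis snapshot hashed from the operator assertion, root key and policy hash; `courtesy_lease` and the Federating state are not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthorityState follows section 2.1; Federating is left out of this example.
type AuthorityState string

const (
	AuthVirgin      AuthorityState = "virgin"
	AuthRooted      AuthorityState = "rooted"
	AuthOperational AuthorityState = "operational"
)

// Receipt is the signed evidence every PEL program leaves behind.
type Receipt struct {
	Program string
	Outputs map[string]string
	Sig     []byte
}

func receiptMessage(program string, outputs map[string]string) []byte {
	body, _ := json.Marshal(outputs) // map keys come out sorted, so this is deterministic
	return append([]byte(program+"\x00"), body...)
}

// VerifyReceipt checks a receipt against the root key it claims to descend from.
func VerifyReceipt(rootPub ed25519.PublicKey, r Receipt) bool {
	return ed25519.Verify(rootPub, receiptMessage(r.Program, r.Outputs), r.Sig)
}

// Authority is the auth host; nothing here needs a network.
type Authority struct {
	State      AuthorityState
	RootPub    ed25519.PublicKey
	PolicyHash string
	Pinned     map[string]string // domain_id -> dam_hash, the trust pins of section 7
	rootPriv   ed25519.PrivateKey
	nextDomain int
}

func NewVirginAuthority() *Authority {
	return &Authority{State: AuthVirgin, Pinned: map[string]string{}}
}

func (a *Authority) receipt(program string, outputs map[string]string) Receipt {
	return Receipt{program, outputs, ed25519.Sign(a.rootPriv, receiptMessage(program, outputs))}
}

// Genesis is the only program a virgin authority accepts, and it runs once:
// the state check, not a separate flag, is what refuses a second call.
func (a *Authority) Genesis(policy []byte, operatorAssertion string) (Receipt, error) {
	if a.State != AuthVirgin {
		return Receipt{}, errors.New("authority-genesis refused: host is not virgin")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // entropy_source
	if err != nil {
		return Receipt{}, err
	}
	a.RootPub, a.rootPriv = pub, priv
	ph := sha256.Sum256(policy)
	a.PolicyHash = hex.EncodeToString(ph[:])
	a.State = AuthRooted // Virgin -> Rooted, the one transition the note fixes
	snap := sha256.Sum256([]byte(operatorAssertion + "\x00" + hex.EncodeToString(pub) + a.PolicyHash))
	return a.receipt("authority-genesis", map[string]string{
		"root_authority_key": hex.EncodeToString(pub),
		"policy_hash":        a.PolicyHash,
		"genesis_snapshot":   hex.EncodeToString(snap[:]),
	}), nil
}

// Admit assigns the domain id, signs a DAM for the presented domain and pins
// the DAM hash, so later sticks carrying that DAM classify as known foreign.
func (a *Authority) Admit(presentedID string, claims map[string]string) (dam, damSig []byte, r Receipt, err error) {
	if a.State == AuthVirgin {
		return nil, nil, Receipt{}, errors.New("domain-admission refused: no root authority yet")
	}
	a.nextDomain++
	domainID := fmt.Sprintf("DOM-%04d", a.nextDomain)
	dam, _ = json.Marshal(map[string]any{"domain_id": domainID, "presented": presentedID, "claims": claims})
	damSig = ed25519.Sign(a.rootPriv, dam)
	h := sha256.Sum256(dam)
	a.Pinned[domainID] = hex.EncodeToString(h[:])
	r = a.receipt("domain-admission", map[string]string{"domain_id": domainID, "dam_hash": a.Pinned[domainID]})
	return dam, damSig, r, nil
}

func main() {
	a := NewVirginAuthority()
	birth, _ := a.Genesis([]byte("policy v1"), "operator alice")
	_, _, admitted, _ := a.Admit("PRESENTED::abc", nil)
	fmt.Println(a.State, VerifyReceipt(a.RootPub, birth), admitted.Outputs["domain_id"])
}
```

Two refusals carry the invariants of section 4.1: `Admit` fails while the host is virgin, and `Genesis` fails once it is not. Both outcomes are decided by the authority state alone, so deterministic replay of the receipts reproduces them.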
---
## 6. Rescue PEL Program (Foreign Domain Capture)
```yaml
pel_program_type: rescue
inputs:
- presented_domain
- raw_artifacts
outputs:
- encrypted_blocks
- receipt
```
Rules:
* No identity required
* Outputs always encrypted
* Bound to a domain chosen by the operator or by authority policy
* Can be admitted later
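An added example (not the project's code) of the rescue program: every raw artifact is encrypted with AES-256-GCM under a key tied to the chosen domain, the domain id and artifact name ride as additional authenticated data, and the receipt carries only ciphertext hashes. No identity is taken from the stick. The per-domain key and where the authority keeps it are assumptions; the artifacts in `main` are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// EncryptedBlock is one rescued artifact. Plaintext never appears in an output.
type EncryptedBlock struct {
	Name       string
	Domain     string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM, tag appended by Seal
}

// RescueReceipt records what was captured and for which domain, nothing more.
type RescueReceipt struct {
	Domain string
	Blocks map[string]string // artifact name -> sha256(ciphertext)
}

// NewDomainKey makes the 32-byte key a domain's blocks are bound to. The
// authority holding one per domain is an assumption of this example.
func NewDomainKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("domain key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Rescue encrypts every raw artifact to the chosen domain's key. Binding the
// domain and name as additional data means a block cannot be re-homed under
// another domain or renamed without failing to open.
func Rescue(domainID string, domainKey []byte, artifacts map[string][]byte) ([]EncryptedBlock, RescueReceipt, error) {
	gcm, err := gcmFor(domainKey)
	if err != nil {
		return nil, RescueReceipt{}, err
	}
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names) // fixed order keeps the receipt replayable
	receipt := RescueReceipt{Domain: domainID, Blocks: map[string]string{}}
	var out []EncryptedBlock
	for _, n := range names {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, RescueReceipt{}, err
		}
		ct := gcm.Seal(nil, nonce, artifacts[n], []byte(domainID+"/"+n))
		h := sha256.Sum256(ct)
		receipt.Blocks[n] = hex.EncodeToString(h[:])
		out = append(out, EncryptedBlock{Name: n, Domain: domainID, Nonce: nonce, Ciphertext: ct})
	}
	return out, receipt, nil
}

// Open is what the domain does later, once admitted and handed its key.
func Open(b EncryptedBlock, domainKey []byte) ([]byte, error) {
	gcm, err := gcmFor(domainKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Domain+"/"+b.Name))
}

func main() {
	key, _ := NewDomainKey()
	// Constructed sample artifacts standing in for raw files on the stick.
	blocks, receipt, err := Rescue("DOM-0007", key, map[string][]byte{
		"notes.txt": []byte("field notes, unsigned"),
		"img.bin":   {0x00, 0x01, 0x02, 0x03},
	})
	if err != nil {
		panic(err)
	}
	for _, b := range blocks {
		fmt.Printf("%s -> %d ciphertext bytes, hash %s\n", b.Name, len(b.Ciphertext), receipt.Blocks[b.Name])
	}
}
```

Because the receipt names only ciphertext hashes, it can be published or pinned before the domain is ever admitted; the later admission step only has to hand over the key.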
---
## 7. Known Foreign Domains (Trust Pinning)
Once a domain is admitted:
* Its DAM hash is pinned locally
* Future USBs presenting that domain are recognized
* PEL may allow richer operations
```yaml
foreign_domains:
  - domain_id:
    dam_hash:
    trust_level: read-only | federated
```
---
## 8. Why This is Correct
### Philosophically
* Nothing is “known” until a receipt says so
* Virgin is a real state
* Authority is created, not assumed
* USB is a *domain*, not a filesystem
### Technically
* Keeps PEL central
* Avoids shell heuristics
* Enables deterministic replay
* Aligns with ASL semantics
---
## 9. Practical Implications for Implementation
You can implement **today**:
1. Domain state machine (virgin/rooted/operational)
2. USB classification via PEL pre-pass
3. Authority genesis as first program
4. Admission as normal PEL execution
5. Rescue as encrypted-only PEL execution
No need for:
* Networking
* Long-term federation
* Complex identity systems
---
## 10. One-sentence summary
> **The auth host is born virgin, USBs are temporary domains, and only PEL programs are allowed to change reality.**
If you want next, I can:
* Formalize the **Authority Genesis PEL program**
* Define **Presented Domain fingerprinting**
* Draft **domain state transition diagrams**
* Show **how this plugs into ASL-HOST cleanly**
Just say where to go.