ASL/OCS/1 -- Offline Certificate System
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [certificates, authority, offline]
Document ID: ASL/OCS/1
Layer: L2 -- Certificate semantics (no encoding)
Depends on (normative):
- ASL/OFFLINE-ROOT-TRUST/1
- ASL/DAM/1
- ASL/POLICY-HASH/1
Informative references:
- PER/SIGNATURE/1 -- PER signature validation
0. Conventions
The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.
ASL/OCS/1 defines certificate semantics as immutable artifacts. It does not define encodings.
1. Purpose
The Offline Certificate System (OCS) anchors domain authority in offline root keys and allows deterministic, offline verification of authority.
2. Core Principle
Certificates are immutable ASL artifacts, not live credentials.
They are:
- Signed once
- Snapshot-pinned
- Replayable
- Verified offline
3. Authority Certificate Artifact
3.1 Logical Structure
    AuthorityCertificate {
        subject_type   : enum { domain_root, principal }
        subject_id     : Hash
        subject_pubkey : PublicKey
        domain_id      : DomainID
        roles[]        : Role
        policy_hash    : Hash
        issued_by      : PublicKey
        version        : u32
    }
3.2 Semantics
- domain_root: certifies a domain root key for DAM issuance.
- principal: certifies a principal key for roles under a policy hash.
4. Offline Signing Workflow
- Online domain prepares an AuthorityRequest.
- Offline root signs an AuthorityCertificate.
- Certificate artifact is imported and snapshot-pinned.
No online checks are required after import.
5. DAM Validation Chain
A DAM is valid iff:
- DAM root key is certified by a domain_root certificate.
- Certificate policy_hash matches DAM policy_hash.
- Certificate signature validates against the offline root set.
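The three conditions above, written out as an added example; it is not part of ASL/OCS/1 or of any ASL code. It assumes a hypothetical two-field DAM view, a hypothetical length-prefixed encoding of a subset of the certificate fields, a signature carried alongside the certificate, and an injected verifier, for which a non-cryptographic stand-in is used here.

```python
# Added example. Field subset, byte encoding and verifier are assumptions.
import hashlib
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class AuthorityCertificate:          # subset of the section 3.1 fields
    subject_type: str                # "domain_root" or "principal"
    subject_pubkey: bytes
    domain_id: bytes
    policy_hash: bytes
    issued_by: bytes                 # offline root public key
    signature: bytes = b""           # assumed to travel with the artifact

    def signed_bytes(self) -> bytes:
        # Hypothetical length-prefixed encoding; OCS/1 itself defines none.
        fields = (self.subject_type.encode(), self.subject_pubkey,
                  self.domain_id, self.policy_hash, self.issued_by)
        return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

@dataclass(frozen=True)
class DAM:                           # hypothetical minimal view of a DAM
    root_pubkey: bytes
    policy_hash: bytes

def validate_dam(dam, cert, offline_roots, verify_sig):
    """Return the failed section 5 conditions; an empty list means valid."""
    failures = []
    if cert.subject_type != "domain_root" or cert.subject_pubkey != dam.root_pubkey:
        failures.append("DAM root key not certified by a domain_root certificate")
    if cert.policy_hash != dam.policy_hash:
        failures.append("certificate policy_hash does not match DAM policy_hash")
    if cert.issued_by not in offline_roots or not verify_sig(
            cert.issued_by, cert.signed_bytes(), cert.signature):
        failures.append("signature does not validate against the offline root set")
    return failures

def standin_verify(pubkey, message, signature):
    # Stand-in so the example runs offline on the standard library only.
    # It is NOT a signature scheme; plug in real signature verification here.
    return signature == hashlib.sha256(pubkey + message).digest()

def demo():
    root = b"constructed-offline-root-key"            # constructed sample values
    body = AuthorityCertificate("domain_root", b"dam-root-key", b"domain-a",
                                hashlib.sha256(b"policy-v1").digest(), root)
    cert = replace(body, signature=hashlib.sha256(root + body.signed_bytes()).digest())
    good = DAM(b"dam-root-key", cert.policy_hash)
    stale = DAM(b"dam-root-key", hashlib.sha256(b"policy-v2").digest())
    cases = ((good, {root}), (stale, {root}), (good, {b"other-root"}))
    return [validate_dam(d, cert, r, standin_verify) for d, r in cases]
```

`demo()` returns one failure list per case: a matching DAM, a DAM whose policy hash has moved on, and a verifier configured with a different offline root set.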
6. Revocation Model
There is no live revocation. Revocation is performed by publishing a new DAM and new certificates, and referencing them in new snapshots.
7. Federation Verification
When receiving state from another domain:
- Load snapshot
- Resolve DAM and AuthorityCertificate artifacts
- Verify against configured offline root set
- Apply policy hash compatibility rules
8. Summary
ASL/OCS/1 defines immutable authority certificates signed by offline roots and bound to policy hashes, enabling deterministic, offline trust validation.