ASL/OFFLINE-ROOT-TRUST/1 -- Offline Root Trust
Status: Draft Owner: Architecture Version: 0.1.0 SoT: No Last Updated: 2025-01-17 Tags: [trust, roots, offline, authority]
Document ID: ASL/OFFLINE-ROOT-TRUST/1
Layer: L2 -- Trust anchors (no encoding)
Depends on (normative):
ASL/DAM/1
Informative references:
ASL/OCS/1 -- offline certificate system
0. Conventions
The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.
ASL/OFFLINE-ROOT-TRUST/1 defines the offline root trust model for domains. It does not define encodings.
1. Purpose
Offline roots define domain legitimacy. They are kept offline, their use is auditable, and verification against them is deterministic. They provide no availability guarantees: nothing at verification time depends on reaching a root.
2. Root Set Definition
A domain MUST trust a fixed, explicit set of offline root public keys:
OfflineRootSet {
version : u32
root_keys[] : PublicKey
threshold : u8
}
Each snapshot pins a specific root set version. The root set is rarely changed, and it changes only through root rotation (section 6).
3. Recommended Root Count
Recommended size: 1 to 3 root keys.
- 1 root: personal or small domains
- 2 roots: separation of duties
- 3 roots: high-value domains
4. Threshold Rules
- Default threshold is 1.
- If threshold > 1, it MUST be fixed and explicit, and it MUST NOT exceed the number of root keys (otherwise nothing can ever verify).
- Verification MUST be order-independent: the threshold counts distinct roots with a valid signature, so repeated signatures from the same root count once.
5. What Roots May Sign
Offline roots MAY sign only:
- AuthorityCertificate artifacts
- Root rotation artifacts
- Policy ratification artifacts (optional)
Roots MUST NOT sign anything else: ordinary artifacts, PERs, snapshots, or TGK edges.
6. Root Rotation
Root rotation is a constitutional change:
- Define the new root set (new version, keys, and threshold)
- Old roots sign the rotation artifact, meeting the old set's threshold
- New snapshots reference the new root set
- Old snapshots remain valid against the root set they pinned
7. Validation Algorithm
To validate authority:
- Load the snapshot
- Resolve the DAM it references
- Resolve the AuthorityCertificate artifacts the DAM points to
- Verify each certificate against the offline root set pinned by that snapshot
- Check that the number of distinct roots with a valid signature meets the threshold
No timestamps, clocks, or online checks (revocation lookups, key fetches) are required; the same snapshot and root set always yield the same result.
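The threshold check of section 4, the rotation step of section 6 and the validation walk of section 7, as an added example. This is not code from ASL/OFFLINE-ROOT-TRUST/1 or any ASL implementation: the spec defines no encodings, so the byte form of the root set, the AuthorityCertificate and Snapshot types, the DAM resolution (modelled as the snapshot already carrying its certificates) and the demo data are all assumptions. Textbook RSA over fixed Mersenne primes stands in for PublicKey so the block runs on the standard library; it is not secure and exists only to make signatures verifiable.

```python
"""Added example, not part of ASL/OFFLINE-ROOT-TRUST/1 or any ASL code.
Stdlib only; encodings, type names and demo data are assumptions."""
import hashlib
from dataclasses import dataclass

# Stand-in signature scheme: textbook RSA over fixed Mersenne primes plays the
# role of PublicKey. Constructed for illustration only; NOT secure.
def rsa_keygen(p: int, q: int, e: int = 65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

@dataclass(frozen=True)
class OfflineRootSet:                      # section 2
    version: int
    root_keys: tuple                       # PublicKey values; order is meaningless
    threshold: int                         # section 4

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.root_keys):
            raise ValueError("threshold must satisfy 1 <= threshold <= len(root_keys)")
        if len(set(self.root_keys)) != len(self.root_keys):
            raise ValueError("root keys must be distinct")

    def encode(self) -> bytes:
        # Assumed canonical form, used as the rotation artifact body; keys sorted
        # so two encodings of the same set are byte-identical.
        keys = ",".join(f"{n}:{e}" for n, e in sorted(self.root_keys))
        return f"rootset/v{self.version}/t{self.threshold}/{keys}".encode()

@dataclass(frozen=True)
class AuthorityCertificate:
    body: bytes                            # opaque certificate content
    signatures: tuple                      # bag of root signatures, any order

def root_approvals(root_set: OfflineRootSet, body: bytes, signatures) -> int:
    """Count DISTINCT roots that signed body. Counting per root, not per signature,
    is order-independent and stops a duplicated signature from counting twice."""
    return sum(1 for pk in root_set.root_keys
               if any(rsa_verify(pk, body, s) for s in signatures))

def verify_certificate(root_set: OfflineRootSet, cert: AuthorityCertificate) -> bool:
    return root_approvals(root_set, cert.body, cert.signatures) >= root_set.threshold

def verify_rotation(old: OfflineRootSet, new: OfflineRootSet, signatures) -> bool:
    # Section 6: the OLD set ratifies the new one at the OLD threshold.
    return root_approvals(old, new.encode(), signatures) >= old.threshold

@dataclass(frozen=True)
class Snapshot:
    root_set_version: int                  # pinned reference, never "latest"
    authority_certs: tuple                 # AuthorityCertificate artifacts from the DAM

def validate_snapshot(snapshot: Snapshot, pinned_root_sets: dict) -> bool:
    """Section 7, deterministic: no clock, no network, no revocation lookup.
    pinned_root_sets maps version -> OfflineRootSet; unknown version fails closed."""
    root_set = pinned_root_sets.get(snapshot.root_set_version)
    if root_set is None or not snapshot.authority_certs:
        return False
    return all(verify_certificate(root_set, c) for c in snapshot.authority_certs)

# Constructed demo data: three toy roots, threshold 2 ("high-value domain").
M19, M31, M61, M89, M107, M127 = (2**k - 1 for k in (19, 31, 61, 89, 107, 127))
(PK_A, SK_A), (PK_B, SK_B), (PK_C, SK_C) = (
    rsa_keygen(M127, M89), rsa_keygen(M107, M61), rsa_keygen(M31, M19))
ROOT_SET_V1 = OfflineRootSet(version=1, root_keys=(PK_A, PK_B, PK_C), threshold=2)

def demo() -> dict:
    body = b"AuthorityCertificate: domain=example, authority=ops-signer"  # constructed
    good = AuthorityCertificate(body, (rsa_sign(SK_B, body), rsa_sign(SK_A, body)))
    dup = AuthorityCertificate(body, (rsa_sign(SK_A, body),) * 2)     # one root, twice
    forged = AuthorityCertificate(body, (rsa_sign(SK_A, body), 12345))
    # Rotate to v2 = {A, C}, threshold 1, ratified by A and B (old threshold 2).
    v2 = OfflineRootSet(2, (PK_A, PK_C), 1)
    rotation_sigs = (rsa_sign(SK_A, v2.encode()), rsa_sign(SK_B, v2.encode()))
    rotated = verify_rotation(ROOT_SET_V1, v2, rotation_sigs)
    pinned = {1: ROOT_SET_V1, 2: v2} if rotated else {1: ROOT_SET_V1}
    snap_v1 = Snapshot(1, (good,))
    snap_v2 = Snapshot(2, (AuthorityCertificate(body, (rsa_sign(SK_C, body),)),))
    return {
        "good": verify_certificate(ROOT_SET_V1, good),
        "duplicate_counts_once": verify_certificate(ROOT_SET_V1, dup),
        "forged_second_sig": verify_certificate(ROOT_SET_V1, forged),
        "rotation_ratified": rotated,
        "snapshot_v2": validate_snapshot(snap_v2, pinned),
        "old_snapshot_still_valid": validate_snapshot(snap_v1, pinned),
        "unknown_root_set": validate_snapshot(Snapshot(9, (good,)), pinned),
    }

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real implementation regardless of signature scheme: the threshold is counted over distinct root keys rather than over signatures, so a replayed or duplicated signature cannot reach the threshold on its own, and a snapshot is validated against the root set version it pins, which is what keeps old snapshots valid after a rotation. Swapping the stand-in for Ed25519 or another real scheme only touches rsa_sign and rsa_verify.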
8. Summary
ASL/OFFLINE-ROOT-TRUST/1 defines a small, explicit offline root set that anchors authority and preserves deterministic replay.