amduat-api/tier1/asl-common-witness-rotation-1.md
2026-01-17 10:33:23 +01:00


ASL/COMMON-WITNESS-ROTATION/1 -- Common Witness Rotation Artifact

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [common, witness, rotation, governance]

Document ID: ASL/COMMON-WITNESS-ROTATION/1
Layer: L2 -- Common witness governance (no transport)

Depends on (normative):

  • ASL/DAM/1
  • ASL/POLICY-HASH/1
  • ASL/LOG/1

Informative references:

  • ASL/OCS/1 -- certificate semantics
  • ASL/OFFLINE-ROOT-TRUST/1
  • ASL/SYSTEM/1 -- system view

0. Conventions

The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.

ASL/COMMON-WITNESS-ROTATION/1 defines the artifact used to rotate the Common witness emitter. It does not define transport, storage layout, or the mechanisms by which an endorsement quorum is collected and transported.


1. Purpose

This document defines the Witness Rotation Artifact (WRA) for the Common domain. The WRA is the only mechanism that authorizes a change of the active Common witness emitter while preserving a single linear Common history.


2. Roles and Terms

  • Witness Emitter: The single domain authorized to emit the next Common snapshot.
  • Witness Authority: A domain whose principals may endorse a witness rotation.
  • Rotation Snapshot: The first Common snapshot emitted by the new witness emitter.

3. Artifact Identity

  • Artifact type tag: asl.common.witness-rotation
  • Artifact key: content-addressed (ASL/1-CORE)
  • Visibility: published within the Common domain

4. Canonical Structure (Logical)

WitnessRotationArtifact {
    version                  : u32
    common_domain_id         : DomainID
    previous_snapshot_id     : SnapshotID
    previous_snapshot_hash   : Hash
    old_witness_domain_id    : DomainID
    old_witness_pubkey_id    : KeyID
    new_witness_domain_id    : DomainID
    new_witness_pubkey_id    : KeyID
    policy_ref               : ArtifactRef
    endorsements             : EndorsementSet
    created_at_logseq        : u64
    reserved0                : u32
}

EndorsementSet {
    threshold                : u32
    endorsements[]           : Endorsement
}

Endorsement {
    endorser_domain_id       : DomainID
    endorser_pubkey_id       : KeyID
    signature                : Signature
}

Notes:

  • policy_ref MUST reference the policy artifact governing the Common domain at the time of rotation.
  • reserved0 MUST be 0.

5. Signing Payload (Normative)

Each endorsement signature MUST cover the canonicalized payload:

H(
  version
  || common_domain_id
  || previous_snapshot_id
  || previous_snapshot_hash
  || new_witness_domain_id
  || new_witness_pubkey_id
  || policy_ref
)

  • H is the hash function used by the Common domain.
  • The signature algorithm MUST be allowed by the endorser's DAM and policy.

6. Validation Rules (Normative)

A Common domain implementation MUST accept a witness rotation artifact if and only if:

  1. previous_snapshot_id and previous_snapshot_hash match the current trusted Common snapshot.
  2. The endorsement set meets or exceeds threshold with valid signatures.
  3. Each endorser is authorized as a witness authority by the Common domain's policy.
  4. policy_ref matches the policy hash recorded for the Common domain at the time of rotation.
  5. created_at_logseq is monotonic and consistent with the Common log ordering.

If any rule fails, the WRA MUST be rejected and MUST NOT affect witness authority.


7. Rotation Semantics (Normative)

  • The WRA authorizes exactly one transition from old_witness_* to new_witness_*.
  • The new witness emitter MUST begin emitting snapshots at the next log sequence after the rotation is admitted.
  • Only one witness emitter MAY be active at a time.
  • A rotation does not grant broader authority beyond emitting Common snapshots.
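The structure of section 4, the signing payload of section 5, the validation rules of section 6 and the single transition of section 7, worked through end to end as an added Go example. This is illustrative code written for this page, not part of the amduat-api project, and it assumes what the spec leaves open: H is SHA-256, endorsement signatures are Ed25519, the abstract types DomainID, SnapshotID, Hash, KeyID and ArtifactRef are plain strings, every variable-length payload field is prefixed with its length before hashing, a threshold of 0 is treated as malformed, and the validator keeps its trusted view in the CommonState struct defined below. All domain names, snapshot identifiers, policy hashes and keys are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumed stand-ins for the spec's abstract types: DomainID, SnapshotID, Hash, KeyID and ArtifactRef are strings; Signature is Ed25519.
type Endorsement struct {
	EndorserDomainID, EndorserPubkeyID string
	Signature                          []byte
}
type EndorsementSet struct {
	Threshold    uint32
	Endorsements []Endorsement
}
type WitnessRotationArtifact struct {
	Version, Reserved0                                                                              uint32
	CommonDomainID, PreviousSnapshotID, PreviousSnapshotHash, OldWitnessDomainID, OldWitnessPubkeyID string
	NewWitnessDomainID, NewWitnessPubkeyID, PolicyRef                                               string
	Endorsements                                                                                    EndorsementSet
	CreatedAtLogseq                                                                                 uint64
}
// CommonState is the validator's trusted view of the Common domain (this layout is an assumption, not from the spec).
type CommonState struct {
	TrustedSnapshotID, TrustedSnapshotHash, PolicyHash, ActiveWitnessDomainID, ActiveWitnessKeyID string
	WitnessAuthorities                                                                           map[string]ed25519.PublicKey // "domain/keyid" -> key
	LastLogseq                                                                                   uint64
}

// SigningPayload is the section 5 digest. Assumed: H is SHA-256, and each variable-length field is prefixed with its u32 big-endian length so the concatenation parses only one way.
func SigningPayload(a *WitnessRotationArtifact) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, a.Version)
	for _, f := range []string{a.CommonDomainID, a.PreviousSnapshotID, a.PreviousSnapshotHash,
		a.NewWitnessDomainID, a.NewWitnessPubkeyID, a.PolicyRef} {
		binary.Write(h, binary.BigEndian, uint32(len(f)))
		h.Write([]byte(f))
	}
	return h.Sum(nil)
}

// Validate applies section 6 rules 1-5 plus the reserved0 note of section 4.
func Validate(st *CommonState, a *WitnessRotationArtifact) error {
	switch {
	case a.Reserved0 != 0:
		return fmt.Errorf("section 4: reserved0 must be 0")
	case a.PreviousSnapshotID != st.TrustedSnapshotID || a.PreviousSnapshotHash != st.TrustedSnapshotHash:
		return fmt.Errorf("rule 1: previous snapshot is not the current trusted snapshot")
	case a.PolicyRef != st.PolicyHash:
		return fmt.Errorf("rule 4: policy_ref does not match the recorded policy hash")
	case a.CreatedAtLogseq <= st.LastLogseq:
		return fmt.Errorf("rule 5: created_at_logseq %d is not after %d", a.CreatedAtLogseq, st.LastLogseq)
	}
	// Rules 2 and 3: each endorser must be an authorized witness authority with a verifying signature.
	payload, seen := SigningPayload(a), map[string]bool{}
	for _, e := range a.Endorsements.Endorsements {
		k := e.EndorserDomainID + "/" + e.EndorserPubkeyID
		if pub, ok := st.WitnessAuthorities[k]; !ok || !ed25519.Verify(pub, payload, e.Signature) {
			return fmt.Errorf("rules 2-3: endorser %s rejected (known authority: %v)", k, ok)
		}
		seen[k] = true // a repeated endorser counts once towards the threshold
	}
	// Assumption: a threshold of 0 is treated as malformed rather than as trivially met.
	if a.Endorsements.Threshold == 0 || uint32(len(seen)) < a.Endorsements.Threshold {
		return fmt.Errorf("rule 2: %d valid endorsers, threshold %d", len(seen), a.Endorsements.Threshold)
	}
	return nil
}

// Admit validates, then applies the single old->new transition of section 7: the new emitter is the sole active witness and starts at the next log sequence.
func Admit(st *CommonState, a *WitnessRotationArtifact) error {
	if err := Validate(st, a); err != nil {
		return err
	}
	st.ActiveWitnessDomainID, st.ActiveWitnessKeyID, st.LastLogseq = a.NewWitnessDomainID, a.NewWitnessPubkeyID, a.CreatedAtLogseq
	return nil
}

// BuildScenario is constructed sample data: three witness authorities endorse a rotation from domain-a to domain-b against a trusted state whose head is snap-41.
func BuildScenario() (*CommonState, *WitnessRotationArtifact) {
	st := &CommonState{TrustedSnapshotID: "snap-41", TrustedSnapshotHash: "sha256:constructed-41", PolicyHash: "policy-v3",
		WitnessAuthorities: map[string]ed25519.PublicKey{}, ActiveWitnessDomainID: "domain-a", ActiveWitnessKeyID: "ka", LastLogseq: 100}
	a := &WitnessRotationArtifact{Version: 1, CommonDomainID: "common", PreviousSnapshotID: "snap-41",
		PreviousSnapshotHash: "sha256:constructed-41", OldWitnessDomainID: "domain-a", OldWitnessPubkeyID: "ka",
		NewWitnessDomainID: "domain-b", NewWitnessPubkeyID: "kb", PolicyRef: "policy-v3", Endorsements: EndorsementSet{Threshold: 2}, CreatedAtLogseq: 101}
	for _, d := range []string{"auth-1", "auth-2", "auth-3"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		st.WitnessAuthorities[d+"/k1"] = pub
		a.Endorsements.Endorsements = append(a.Endorsements.Endorsements, Endorsement{d, "k1", ed25519.Sign(priv, SigningPayload(a))})
	}
	return st, a
}

func main() { st, a := BuildScenario(); fmt.Println("admit:", Admit(st, a), "active:", st.ActiveWitnessDomainID) }
```

Running the file admits the rotation and prints domain-b as the active witness; calling Admit a second time with the same artifact fails rule 5, because created_at_logseq is no longer after the recorded log sequence. Two points worth noticing when reading it against the spec: old_witness_*, the endorsement set itself and created_at_logseq lie outside the section 5 payload, so they are bound by the validation rules (the snapshot match of rule 1, the ordering of rule 5) rather than by the endorsers' signatures; and the validator counts endorsers by (domain, key) so that one authority endorsing twice cannot reach the threshold on its own.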

8. Non-Goals

ASL/COMMON-WITNESS-ROTATION/1 does not define:

  • How endorsements are collected or transported
  • Network replication or consensus protocols
  • Storage or encoding formats for the artifact
  • Automated governance workflows beyond validation rules