niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Certificates.md
Carl Niklas Rydberg 1d552bd46a Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00

5.6 KiB
Raw Blame History

This is the right moment to pin this down. What follows is a complete, staged, minimal certificate story that fits exactly with what youve built so far — no PKI bloat, no premature abstraction, and no magical trust.

Ill walk it in time order, because when certificates exist matters more than what they are.

Certificate Lifecycle in ASL (Walkthrough)

0. First principle (anchor this)

Certificates do not create authority. They record it.

Authority already exists because:

  • someone controls a machine
  • someone controls a domain
  • someone makes a decision

Certificates make that legible and replayable.

1. Phase 0 — Before Any Certificates Exist (Virgin State)

This is where your system starts.

What exists

  • ASL-HOST
  • ASL-STORE
  • Domains
  • Logs
  • Snapshots
  • Artifacts
  • PERs

What does NOT exist

  • No CA
  • No identities
  • No signatures
  • No trust

Everything works anyway.

Artifacts are still immutable. Receipts still exist. Snapshots still reconstruct CURRENT.

This is important: certificates are optional metadata, not a dependency.

2. Phase 1 — Birth of an Authority (Offline Auth Host)

At some point, you decide:

“This domain should be able to make statements that others may trust.”

This happens on the offline auth host.

2.1 Create the Root Authority (once)

This produces the Root Authority Certificate.

Root CA (ASL-ROOT)

  • Self-signed
  • Offline forever
  • Never rotates casually
  • Stored only on auth host

Conceptually:

ASL-ROOT
  public_key
  policy: may sign domain authorities

This is not a TLS CA. It is a semantic authority.

Where it is stored

  • On disk (auth host):

    /var/lib/asl/auth/root/
  root.key   (private, offline)
  root.crt   (artifact)

  • As an ASL artifact:

    artifact: root.crt
domain: auth-host

The private key is never an artifact.

3. Phase 2 — Domain Authority Certificates

Now the root creates Domain Authorities.

This is the most important certificate type.

3.1 Domain Authority (DA)

A Domain Authority Certificate binds:

(domain_id) → public_key → policy

Example:

alice.personal

Gets a DA certificate:

DA(alice.personal)
  signed_by: ASL-ROOT
  key: alice-domain-key
  policy:
    - may seal snapshots
    - may publish artifacts

Where DA certs live

  • Stored as artifacts
  • Stored inside the domain they govern
  • Also optionally copied to Common

Example:

/var/lib/asl/domains/alice.personal/auth/domain.crt

This makes replay self-contained.

4. Phase 3 — Operational Keys (Actors)

Now we separate authority from action.

4.1 Operator / Host Certificates

These are delegation certs.

They answer:

“Which machine / user is allowed to act for this domain?”

Examples:

  • Rescue image
  • Laptop
  • CI node
  • VM

They are short-lived and revocable.

OperatorCert
  subject: host-id
  acts-for: domain_id
  signed_by: domain authority
  scope:
    - may write artifacts
    - may append log

Storage

  • Stored in domain auth area
  • Referenced by PERs
/var/lib/asl/domains/alice.personal/auth/operators/

5. Phase 4 — Signing Receipts and Snapshots

Now certificates begin to matter operationally.

5.1 What gets signed

  1. Snapshot seals
  2. PERs (execution receipts)
  3. Policy artifacts

Never raw data blocks.

5.2 PER Signature Model

A PER includes:

PER:
  inputs
  program
  outputs
  snapshot_range
  signer:
    operator_cert_id
  signature

This allows later verification:

  • Who ran this?
  • Under which authority?
  • Against which snapshot?

6. Phase 5 — Federation and Trust

Now certificates cross domains.

6.1 Trust is explicit

A domain never trusts another domain implicitly.

Instead it stores a Trust Artifact:

"I trust domain X snapshots ≥ S
 signed by DA(X)
 under policy P"

This artifact can be:

  • private
  • group-shared
  • published to Common

6.2 Commons role

Common may store:

  • Root cert(s)
  • Domain Authority certs
  • Trust policies

But Common does not enforce trust.

It only witnesses it.

7. Certificate Types (Complete List)

Here is the full minimal set:

1. Root Authority Certificate

  • Signs domain authorities
  • Offline
  • Rare

2. Domain Authority Certificate

  • One per domain
  • Signs snapshots, operators
  • Long-lived

3. Operator / Host Certificate

  • Acts-for a domain
  • Short-lived
  • Used in PERs

4. Trust Policy Artifact (not a cert, but signed)

  • “I trust X for Y”
  • Domain-local meaning

Thats it.

No user certs. No TLS certs. No global CA hierarchy.

8. What Happens During Rescue (Concrete)

Lets ground this.

Rescue day

  • Rescue domain exists
  • No certs yet
  • Everything works

Later, you decide it matters

  1. Create personal domain authority
  2. Sign rescue snapshots retroactively
  3. Publish selected artifacts

History remains valid — it just gains witnesses.

9. Why This Is Robust

  • No cert = still works
  • Lost cert = data still exists
  • Revoked cert = history still readable
  • Multiple roots = allowed

This avoids:

  • “all-or-nothing PKI”
  • bricked data
  • forced trust

10. One sentence to remember

Certificates dont make things true. They make them accountable.

If you want next, I can:

  • Specify exact cert encoding (X.509-like vs custom)
  • Show how certs are imported via USB
  • Define revocation without CRLs
  • Show how auth-host stays simple

Youre converging on a very clean trust model.