amduat/tier1/asl-dap-1.md
2026-01-18 09:48:30 +01:00


ASL/DAP/1 -- Domain Admission Protocol

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [admission, trust, federation]

Document ID: ASL/DAP/1
Layer: L2 -- Admission semantics (no transport)

Depends on (normative):

  • ASL/DAM/1
  • ASL/POLICY-HASH/1

Informative references:

  • ASL/OCS/1 -- offline certificate system
  • ASL/OFFLINE-ROOT-TRUST/1

0. Conventions

The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.

ASL/DAP/1 defines admission semantics for recognizing external domains. It does not define transport.


1. Purpose

The Domain Admission Protocol defines how a receiving domain evaluates and admits an applicant domain before any federation or trust is granted.


2. Actors

| Actor | Role |
|---|---|
| Applicant Domain | Domain requesting admission |
| Receiving Domain | Domain evaluating admission |
| Operator | Optional human/policy agent |

3. Admission Object Model

An admission request MUST include:

  • Domain Authority Manifest (DAM)
  • Proof of possession of the DAM root key
  • Requested admission scope
  • Optional courtesy lease request

No artifacts, blocks, or logs are required for admission.


4. Admission Record (Normative)

The receiving domain MUST persist an admission record that is snapshot-pinned:

AdmissionRecord {
  domain_id
  dam_hash
  policy_hash
  admitted_scope[]
  decision
  decision_epoch
}

The decision_epoch is a monotonically increasing local counter (not wall time).


5. Admission Flow (Normative)

  1. Submission

    • Applicant sends DAM and proof of root-key possession.

  2. Structural validation

    • Receiving domain verifies DAM schema and signature.
    • Policy hash integrity MUST be verified.

  3. Policy compatibility

    • Receiving domain evaluates requested scope and policy alignment.

  4. Decision

    • Outcomes: ACCEPTED, ACCEPTED_LIMITED, DEFERRED, REJECTED.

6. Admission Guarantees

If accepted:

  • DomainID is recognized by the receiving domain.
  • Root key and policy hash are pinned.
  • Admission scope is enforced for federation.

Admission does not imply trust in artifacts beyond the granted scope.


7. Scope Enforcement (Normative)

  • Admission scope MUST gate federation view construction and replay admission.
  • A receiving domain MUST NOT admit state outside the granted scope.
  • Scope changes require a new admission decision and updated AdmissionRecord.
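
Added example (not part of ASL/DAP/1 or the project's code): one way a receiving domain could keep the AdmissionRecord from section 4 and apply the scope gate above. The AdmissionRegistry class, the SHA-256 hashing, the scope strings and the mapping of a partial grant to ACCEPTED_LIMITED are assumptions for illustration; DAM schema, signature and root-key proof checks are assumed to have passed before decide() is called.

```python
import hashlib
from dataclasses import dataclass

ADMITTING = {"ACCEPTED", "ACCEPTED_LIMITED"}

@dataclass(frozen=True)
class AdmissionRecord:
    domain_id: str
    dam_hash: str
    policy_hash: str
    admitted_scope: tuple
    decision: str
    decision_epoch: int

def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the ASL/DAM/1 and ASL/POLICY-HASH/1 hashes.
    return hashlib.sha256(data).hexdigest()

class AdmissionRegistry:  # hypothetical receiving-domain store
    def __init__(self):
        self._epoch = 0      # local monotonic counter, never wall time
        self._history = []   # append-only log of every decision
        self._current = {}   # domain_id -> latest AdmissionRecord

    def decide(self, domain_id, dam, policy, claimed_policy_hash, requested, grantable):
        # Precondition (assumed): DAM schema, signature and root-key proof already verified.
        policy_hash = digest(policy)
        granted = tuple(sorted(set(requested) & set(grantable)))
        if policy_hash != claimed_policy_hash or not granted:
            decision, granted = "REJECTED", ()
        elif set(granted) == set(requested):
            decision = "ACCEPTED"
        else:  # assumption: a partial grant maps to ACCEPTED_LIMITED
            decision = "ACCEPTED_LIMITED"
        self._epoch += 1
        rec = AdmissionRecord(domain_id, digest(dam), policy_hash,
                              granted, decision, self._epoch)
        self._history.append(rec)
        self._current[domain_id] = rec
        return rec

    def may_admit(self, domain_id, dam, policy_hash, scope):
        # Gate for federation view construction and replay: pinned hashes and scope must match.
        rec = self._current.get(domain_id)
        return (rec is not None and rec.decision in ADMITTING
                and rec.dam_hash == digest(dam)
                and rec.policy_hash == policy_hash
                and scope in rec.admitted_scope)
```

Because a scope change goes through decide() again, it produces a new record with a higher decision_epoch, and may_admit() only ever consults the latest record for a domain.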

8. Courtesy Lease (Optional)

A courtesy lease is a bounded, revocable grant of resources without semantic trust.

CourtesyLease {
  lease_id
  domain_id
  granted_by_domain

  resources: {
    storage_bytes
    block_count
    snapshot_count
  }

  duration: {
    start_time
    end_time
  }

  constraints: {
    encrypted_only: boolean
    no_federation: boolean
    no_public_indexing: boolean
  }
}

Courtesy storage MAY be deleted upon lease expiry. Courtesy does not grant federation or publication rights.


9. Non-Goals

  • Transport format
  • PKI integration
  • Live revocation or liveness checks

10. Summary

ASL/DAP/1 defines a deterministic admission process for domains, with optional courtesy leasing for rescue and bootstrap scenarios.