docs consolidation and others

2026-01-06 19:02:21 +02:00
parent d7bdca6d97
commit 4789027317
849 changed files with 16551 additions and 66770 deletions
--- a/docs/modules/airgap/guides/time-anchor-trust-roots.md
+++ b/docs/modules/airgap/guides/time-anchor-trust-roots.md
@@ -0,0 +1,48 @@
+# Time Anchor Trust Roots (draft) — for AIRGAP-TIME-57-001
+
+Provides a minimal, deterministic format for distributing trust roots used to validate time tokens (Roughtime and RFC3161) in sealed/offline environments.
+
+## Artefacts
+- JSON schema: `docs/modules/airgap/schemas/time-anchor-schema.json`
+- Trust roots bundle (draft): `docs/modules/airgap/samples/time-anchor-trust-roots.json`
+
+## Bundle format (`time-anchor-trust-roots.json`)
+```json
+{
+  "version": 1,
+  "roughtime": [
+    {
+      "name": "stellaops-test-roughtime",
+      "publicKeyBase64": "BASE64_ED25519_PUBLIC_KEY",
+      "validFrom": "2025-01-01T00:00:00Z",
+      "validTo": "2026-01-01T00:00:00Z"
+    }
+  ],
+  "rfc3161": [
+    {
+      "name": "stellaops-test-tsa",
+      "certificatePem": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
+      "validFrom": "2025-01-01T00:00:00Z",
+      "validTo": "2026-01-01T00:00:00Z",
+      "fingerprintSha256": "HEX_SHA256"
+    }
+  ]
+}
+```
+- All times are UTC ISO-8601.
+- Fields are deterministic; no optional properties other than multiple entries per list.
+- Consumers must reject expired roots and enforce matching token format (Roughtime vs RFC3161).
+
+## Usage guidance
+- Ship the bundle with the air-gapped deployment alongside the time-anchor schema.
+- Configure AirGap Time service to load roots from a sealed path; do not fetch over network.
+- Rotate by bumping `version`, adding new entries, and setting `validFrom/validTo`; keep prior roots until all deployments roll.
+
+## Next steps
+- Replace placeholder values with production Roughtime public keys and TSA certificates once issued by Security.
+- Add regression tests in `StellaOps.AirGap.Time.Tests` that load this bundle and validate sample tokens once real roots are present.
+- CI/Dev unblock: you can test end-to-end with a throwaway root by:
+  1. Generate Ed25519 key for Roughtime: `openssl genpkey -algorithm Ed25519 -out rtime-dev.pem && openssl pkey -in rtime-dev.pem -pubout -out rtime-dev.pub`.
+  2. Base64-encode the public key (`base64 -w0 rtime-dev.pub`) and place into `publicKeyBase64`; set validity to a short window.
+  3. Point `AirGap:TrustRootFile` at your edited bundle and set `AirGap:AllowUntrustedAnchors=true` only in dev.
+  4. Run `scripts/mirror/verify_thin_bundle.py --time-root docs/modules/airgap/samples/time-anchor-trust-roots.json` to ensure bundle is parsable.