blockers 2

docs/airgap/time-anchor-trust-roots.md

@@ -0,0 +1,43 @@
+# Time Anchor Trust Roots (draft) — for AIRGAP-TIME-57-001
+
+Provides a minimal, deterministic format for distributing trust roots used to validate time tokens (Roughtime and RFC3161) in sealed/offline environments.
+
+## Artefacts
+- JSON schema: `docs/airgap/time-anchor-schema.json`
+- Trust roots bundle (draft): `docs/airgap/time-anchor-trust-roots.json`
+
+## Bundle format (`time-anchor-trust-roots.json`)
+```json
+{
+  "version": 1,
+  "roughtime": [
+    {
+      "name": "stellaops-test-roughtime",
+      "publicKeyBase64": "BASE64_ED25519_PUBLIC_KEY",
+      "validFrom": "2025-01-01T00:00:00Z",
+      "validTo": "2026-01-01T00:00:00Z"
+    }
+  ],
+  "rfc3161": [
+    {
+      "name": "stellaops-test-tsa",
+      "certificatePem": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
+      "validFrom": "2025-01-01T00:00:00Z",
+      "validTo": "2026-01-01T00:00:00Z",
+      "fingerprintSha256": "HEX_SHA256"
+    }
+  ]
+}
+```
+- All times are UTC ISO-8601.
+- Fields are deterministic; no optional properties other than multiple entries per list.
+- Consumers must reject expired roots and enforce matching token format (Roughtime vs RFC3161).
+
+## Usage guidance
+- Ship the bundle with the air-gapped deployment alongside the time-anchor schema.
+- Configure AirGap Time service to load roots from a sealed path; do not fetch over network.
+- Rotate by bumping `version`, adding new entries, and setting `validFrom/validTo`; keep prior roots until all deployments roll.
+
+## Next steps
+- Replace placeholder values with production Roughtime public keys and TSA certificates once issued by Security.
+- Add regression tests in `StellaOps.AirGap.Time.Tests` that load this bundle and validate sample tokens once real roots are present.