# Time Anchor Trust Roots (draft) — for AIRGAP-TIME-57-001

Provides a minimal, deterministic format for distributing trust roots used to validate time tokens (Roughtime and RFC3161) in sealed/offline environments.

## Artefacts

- JSON schema: `docs/airgap/time-anchor-schema.json`
- Trust roots bundle (draft): `docs/airgap/time-anchor-trust-roots.json`

## Bundle format (`time-anchor-trust-roots.json`)

```json
{
  "version": 1,
  "roughtime": [
    {
      "name": "stellaops-test-roughtime",
      "publicKeyBase64": "BASE64_ED25519_PUBLIC_KEY",
      "validFrom": "2025-01-01T00:00:00Z",
      "validTo": "2026-01-01T00:00:00Z"
    }
  ],
  "rfc3161": [
    {
      "name": "stellaops-test-tsa",
      "certificatePem": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
      "validFrom": "2025-01-01T00:00:00Z",
      "validTo": "2026-01-01T00:00:00Z",
      "fingerprintSha256": "HEX_SHA256"
    }
  ]
}
```

- All times are UTC ISO-8601.
- Fields are deterministic; no optional properties other than multiple entries per list.
- Consumers must reject expired roots and enforce matching token format (Roughtime vs RFC3161).

## Usage guidance

- Ship the bundle with the air-gapped deployment alongside the time-anchor schema.
- Configure the AirGap Time service to load roots from a sealed path; do not fetch over the network.
- Rotate by bumping `version`, adding new entries, and setting `validFrom`/`validTo`; keep prior roots until all deployments roll.

## Next steps

- Replace placeholder values with production Roughtime public keys and TSA certificates once issued by Security.
- Add regression tests in `StellaOps.AirGap.Time.Tests` that load this bundle and validate sample tokens once real roots are present.
- CI/Dev unblock: you can test end-to-end with a throwaway root by:
  1. Generate an Ed25519 key for Roughtime: `openssl genpkey -algorithm Ed25519 -out rtime-dev.pem && openssl pkey -in rtime-dev.pem -pubout -out rtime-dev.pub`.
  2. Base64-encode the public key (`base64 -w0 rtime-dev.pub`) and place it into `publicKeyBase64`; set validity to a short window.
  3. Point `AirGap:TrustRootFile` at your edited bundle and set `AirGap:AllowUntrustedAnchors=true` only in dev.
  4. Run `scripts/mirror/verify_thin_bundle.py --time-root docs/airgap/time-anchor-trust-roots.json` to ensure the bundle is parsable.
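The consumer-side checks the bundle format section requires (exact field sets, UTC timestamps, expired roots rejected, roots selected per token format), as an added Python example that is not part of this draft or the StellaOps services; the bundle it loads is constructed inline with placeholder key and certificate values.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle in the documented format; the key and PEM are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "version": 1,
    "roughtime": [
        {"name": "dev-roughtime",
         "publicKeyBase64": base64.b64encode(b"\x11" * 32).decode(),
         "validFrom": "2025-01-01T00:00:00Z", "validTo": "2026-01-01T00:00:00Z"},
    ],
    "rfc3161": [
        {"name": "dev-tsa",
         "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
         "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-12-31T23:59:59Z",
         "fingerprintSha256": "ab" * 32},
    ],
})

# Exact field set per list: the format has no optional properties.
REQUIRED_FIELDS = {
    "roughtime": {"name", "publicKeyBase64", "validFrom", "validTo"},
    "rfc3161": {"name", "certificatePem", "validFrom", "validTo", "fingerprintSha256"},
}

def parse_utc(value: str) -> datetime:
    # Bundle times are UTC ISO-8601 with a trailing 'Z'; any other form is rejected.
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC 'Z': {value}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_roots(bundle_text: str, token_format: str, now: datetime) -> list:
    """Return the roots valid at `now` for one token format, rejecting malformed entries."""
    bundle = json.loads(bundle_text)
    if bundle.get("version") != 1:
        raise ValueError("unsupported bundle version")
    if token_format not in REQUIRED_FIELDS:   # enforces Roughtime vs RFC3161 matching
        raise ValueError(f"unknown token format: {token_format}")
    usable = []
    for entry in bundle[token_format]:
        if set(entry) != REQUIRED_FIELDS[token_format]:
            raise ValueError(f"unexpected field set in entry {entry.get('name')!r}")
        if token_format == "roughtime" and len(base64.b64decode(entry["publicKeyBase64"], validate=True)) != 32:
            raise ValueError(f"{entry['name']}: Ed25519 public key must decode to 32 bytes")
        if token_format == "rfc3161" and not re.fullmatch(r"[0-9a-fA-F]{64}", entry["fingerprintSha256"]):
            raise ValueError(f"{entry['name']}: fingerprintSha256 must be 64 hex characters")
        if parse_utc(entry["validFrom"]) <= now < parse_utc(entry["validTo"]):
            usable.append(entry)   # expired or not-yet-valid roots are never returned
    return usable
```

The 32-byte check assumes `publicKeyBase64` carries the raw Ed25519 key; base64 of the PEM file from the dev steps above decodes to PEM text, not 32 bytes, so if the service expects raw bytes extract them first (e.g. `openssl pkey -pubin -in rtime-dev.pub -outform DER | tail -c 32 | base64 -w0`).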