git.stella-ops.org/docs/airgap/time-anchor-trust-roots.md
StellaOps Bot 7768555f2d blockers 2
2025-11-23 16:57:18 +02:00


Time Anchor Trust Roots (draft) — for AIRGAP-TIME-57-001

Provides a minimal, deterministic format for distributing the trust roots used to validate time tokens (Roughtime and RFC 3161) in sealed/offline environments.

Artefacts

  • JSON schema: docs/airgap/time-anchor-schema.json
  • Trust roots bundle (draft): docs/airgap/time-anchor-trust-roots.json

Bundle format (time-anchor-trust-roots.json)

{
  "version": 1,
  "roughtime": [
    {
      "name": "stellaops-test-roughtime",
      "publicKeyBase64": "BASE64_ED25519_PUBLIC_KEY",
      "validFrom": "2025-01-01T00:00:00Z",
      "validTo": "2026-01-01T00:00:00Z"
    }
  ],
  "rfc3161": [
    {
      "name": "stellaops-test-tsa",
      "certificatePem": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
      "validFrom": "2025-01-01T00:00:00Z",
      "validTo": "2026-01-01T00:00:00Z",
      "fingerprintSha256": "HEX_SHA256"
    }
  ]
}

  • All times are UTC ISO-8601.
  • Every field is required and the layout is fixed; the only variability is the number of entries in each list.
  • Consumers must reject expired roots and must only use a root for tokens of its own format (Roughtime roots for Roughtime tokens, RFC 3161 roots for RFC 3161 tokens).

Usage guidance

  • Ship the bundle with the air-gapped deployment alongside the time-anchor schema.
  • Configure the AirGap Time service to load roots from a sealed path; do not fetch over the network.
  • Rotate by bumping version, adding new entries, and setting validFrom/validTo on them; keep prior roots in the bundle until all deployments have rolled.
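The bundle rules above (fixed fields, UTC timestamps, expired roots rejected, token format matched to root format) and the rotation guidance (prior roots kept alongside new ones with overlapping validity windows) as an added Python example; this is not StellaOps project code. It assumes the bundle layout shown, that fingerprintSha256 is the lowercase hex SHA-256 of the certificate's DER bytes, and uses a constructed sample bundle whose certificate body is placeholder bytes rather than a real X.509 certificate.

```python
"""Load a time-anchor trust-roots bundle, enforce its format rules and select
the roots usable for a given token format at a given instant.

Added example, not StellaOps code. Assumptions: the bundle layout shown above;
fingerprintSha256 is the hex SHA-256 of the certificate DER; the sample
certificate body is constructed placeholder bytes, not a real certificate.
"""
import base64
import hashlib
import json
import re
from datetime import datetime, timezone

ROUGHTIME_FIELDS = {"name", "publicKeyBase64", "validFrom", "validTo"}
RFC3161_FIELDS = {"name", "certificatePem", "validFrom", "validTo", "fingerprintSha256"}
_UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


class BundleError(ValueError):
    """Raised for any bundle that violates the format rules."""


def parse_utc(value):
    """Accept only the exact UTC ISO-8601 form used by the bundle."""
    if not isinstance(value, str) or not _UTC_RE.match(value):
        raise BundleError(f"timestamp must be UTC ISO-8601 ending in Z: {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(pem):
    """Strip PEM armour and return the DER bytes it wraps."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()), validate=True)


def _check_entry(entry, expected_fields, kind):
    name = entry.get("name", "<unnamed>")
    if set(entry) != expected_fields:
        raise BundleError(f"{kind} entry {name}: fields must be exactly {sorted(expected_fields)}")
    if parse_utc(entry["validFrom"]) >= parse_utc(entry["validTo"]):
        raise BundleError(f"{name}: validFrom must precede validTo")
    if kind == "roughtime":
        # A raw Ed25519 public key is 32 bytes; a base64-encoded PEM file is not.
        key = base64.b64decode(entry["publicKeyBase64"], validate=True)
        if len(key) != 32:
            raise BundleError(f"{name}: Ed25519 public key must be 32 raw bytes, got {len(key)}")
    else:
        der = pem_to_der(entry["certificatePem"])
        if hashlib.sha256(der).hexdigest() != entry["fingerprintSha256"].lower():
            raise BundleError(f"{name}: fingerprintSha256 does not match certificatePem")


def load_bundle(text):
    """Parse the JSON bundle and reject anything outside the fixed layout."""
    bundle = json.loads(text)
    if set(bundle) != {"version", "roughtime", "rfc3161"} or bundle["version"] != 1:
        raise BundleError("bundle must contain exactly version=1, roughtime and rfc3161")
    for entry in bundle["roughtime"]:
        _check_entry(entry, ROUGHTIME_FIELDS, "roughtime")
    for entry in bundle["rfc3161"]:
        _check_entry(entry, RFC3161_FIELDS, "rfc3161")
    return bundle


def bundle_is_valid(text):
    try:
        load_bundle(text)
        return True
    except (BundleError, ValueError, KeyError, TypeError):
        return False


def active_roots(bundle, token_format, now):
    """Names of roots of the requested format whose validity window contains now.

    Expired or not-yet-valid roots are never returned, and a Roughtime token can
    never be checked against an RFC 3161 root or vice versa.
    """
    if token_format not in ("roughtime", "rfc3161"):
        raise BundleError(f"unknown token format {token_format!r}")
    return [r["name"] for r in bundle[token_format]
            if parse_utc(r["validFrom"]) <= now < parse_utc(r["validTo"])]


# Constructed sample bundle: two overlapping Roughtime roots (mid-rotation) and
# one TSA root whose "certificate" is placeholder bytes, not real X.509 data.
_FAKE_DER = b"constructed placeholder - not an X.509 certificate"
_FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_FAKE_DER).decode()
             + "\n-----END CERTIFICATE-----")
SAMPLE_BUNDLE_JSON = json.dumps({
    "version": 1,
    "roughtime": [
        {"name": "rt-2025", "publicKeyBase64": base64.b64encode(bytes(32)).decode(),
         "validFrom": "2025-01-01T00:00:00Z", "validTo": "2026-01-01T00:00:00Z"},
        {"name": "rt-2026", "publicKeyBase64": base64.b64encode(bytes(range(32))).decode(),
         "validFrom": "2025-10-01T00:00:00Z", "validTo": "2026-10-01T00:00:00Z"},
    ],
    "rfc3161": [
        {"name": "tsa-2025", "certificatePem": _FAKE_PEM,
         "validFrom": "2025-01-01T00:00:00Z", "validTo": "2026-01-01T00:00:00Z",
         "fingerprintSha256": hashlib.sha256(_FAKE_DER).hexdigest()},
    ],
})

# Same bundle, but publicKeyBase64 holds a base64-encoded PEM file instead of
# the raw 32-byte key; the loader must reject it.
_bad = json.loads(SAMPLE_BUNDLE_JSON)
_bad["roughtime"][0]["publicKeyBase64"] = base64.b64encode(
    b"-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA...\n-----END PUBLIC KEY-----\n").decode()
BAD_KEY_BUNDLE_JSON = json.dumps(_bad)

if __name__ == "__main__":
    roots = load_bundle(SAMPLE_BUNDLE_JSON)
    print(active_roots(roots, "roughtime", parse_utc("2025-11-01T00:00:00Z")))
```

Because both Roughtime roots are returned for an instant inside the overlap, a deployment that has not yet rolled to the new key keeps validating tokens during rotation; once the old root's validTo passes it drops out without any change to the bundle. The 32-byte check also catches the common mistake of base64-encoding the PEM file rather than the raw Ed25519 key.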

Next steps

  • Replace placeholder values with production Roughtime public keys and TSA certificates once issued by Security.
  • Add regression tests in StellaOps.AirGap.Time.Tests that load this bundle and validate sample tokens once real roots are present.
  • CI/Dev unblock: you can test end-to-end with a throwaway root as follows:
    1. Generate an Ed25519 key for Roughtime with openssl genpkey -algorithm Ed25519 -out rtime-dev.pem && openssl pkey -in rtime-dev.pem -pubout -out rtime-dev.pub
    2. Base64-encode the public key (base64 -w0 rtime-dev.pub), place the result in publicKeyBase64, and set the validity to a short window.
    3. Point AirGap:TrustRootFile at your edited bundle and set AirGap:AllowUntrustedAnchors=true in dev only.
    4. Run scripts/mirror/verify_thin_bundle.py --time-root docs/airgap/time-anchor-trust-roots.json to confirm the bundle parses.