@CMCDragonkai
Last active December 30, 2025 08:46
Linux Trust Root

                      +------------------------------+
                      |        Hardware / OS         |
                      | (TPM/FIDO2, kernel keyring)  |
                      +---------------+--------------+
                                      |
                                      v
                         (system services / daemons)
+----------------------+              |                 +------------------------+
| systemd-credentials  |              |                 |     Polykey agent      |
| (LoadCredential=,    |              |                 | - JWK root keys        |
| /run/credstore, fds) |              |                 | - sigchains, claims    |
+-----------+----------+              |                 +-----------+------------+
            |                         |                             |
            | inject secrets into     | uses OS creds (TPM, files)  | exports X.509
            | unit's file descriptors | for its own storage         | (PEM/P12) for apps
            v                         v                             v
+----------------------+  +---------------------------+  +----------------------+
| system services      |  | Filesystem key stores     |  | X.509 artefacts      |
| (nginx, postgres,    |  | - /etc/ssl/certs (CAs)    |  | - cert.pem           |
| your infra)          |  | - /etc/pki (CAs)          |  | - key.pem            |
+----------------------+  | - ~/.pki, NSS DB          |  | - x.p12              |
                          | - ~/.gnupg (GPG+S/MIME)   |  +----------+-----------+
                          | - ~/.ssh (SSH keys)       |             |
                          +---------------------------+             |
                                  readable via                      |
                                 OpenSSL/NSS/QCA                    |
                                   or PKCS#11                       |
          +-------------------------------------------------------------+
          |                      Middleware / APIs                      |
          |                                                             |
          |   +-----------+      +-----------+      +-----------+       |
          |   |  OpenSSL  |      |  GnuTLS   |      |    NSS    |       |
          |   +-----------+      +-----------+      +-----------+       |
          |         ^                  ^                  ^             |
          |         |                  |                  |             |
          |     (PEM/P12)          (PEM/P12)          (NSS DB)          |
          |                                                             |
          |   +-----------------------------------------------------+   |
          |   | PKCS#11 / p11-kit hub                               |   |
          |   | - exposes tokens: gnupg-pkcs11, GNOME keyring,      |   |
          |   |   smartcards, HSMs                                  |   |
          |   +--------------------+--------------------------------+   |
          |                        |                                    |
          +------------------------|------------------------------------+
                                   |
                   +---------------+-----------------+
                   |          GNOME keyring          |
                   | (gnome-keyring-daemon)          |
                   | - secrets, some keys/certs      |
                   | - Secret Service (D-Bus)        |
                   | - PKCS#11 module for p11-kit    |
                   +---------------+-----------------+
                                   ^
                                   |
                           +-------+--------+
                           |    Seahorse    |
                           | (GUI: manages  |
                           | GNOME keyring  |
                           | + sometimes    |
                           | GPG keys)      |
                           +----------------+

+------------------------+   +------------------------------+
|         GnuPG          |   |             SSH              |
| ~/.gnupg, gpg-agent    |   | ~/.ssh, ssh-agent or         |
| - OpenPGP              |   | gpg-agent w/ ssh support     |
| - gpgsm (X.509/S/MIME) |   +------------------------------+
+-----------+------------+
            |
GPGME / assuan / pinentry
            |
Apps that speak GPG: git, mail, etc.

+---------------------------------------------------------------------------------+
|                                      Apps                                       |
|                                                                                 |
|   Browsers       PDF tools              Mailers          CLI tools              |
|   - Firefox      - Okular               - Thunderbird    - curl, git, ssh       |
|   - Chrome       - Master PDF Editor    - Evolution      - openssl, gpg         |
|                                                                                 |
|   They pull keys/certs via:                                                     |
|   - direct file paths (PEM, P12)                                                |
|   - NSS DB (Firefox)                                                            |
|   - PKCS#11/p11-kit (YubiKey, GNOME keyring, etc.)                              |
|   - GPGME/gpg-agent (for OpenPGP stuff)                                         |
+---------------------------------------------------------------------------------+

Polykey node

+-------------------+
|    private.jwk    |
|    public.jwk     |
| sigchain, claims  |
+---------+---------+
          |
   "export X.509"
          v
cert.pem / key.pem / p12 (for PDF signing, TLS, etc.)
          |
   imported into:
   - Master PDF Editor / Okular (PKCS#12)
   - GNOME keyring via Seahorse (PKCS#12 or cert+key)
   - systemd-credentials (as opaque secret)
   - NSS/OpenSSL-driven apps
@CMCDragonkai
Author

Going to try this.

                                  ┌─────────────────────────────────────────────┐
                                  │        CENTER (ADVERSARIAL “ROOTS”)         │
                                  │  - Default trust stores (browser/OS/runtime)│
                                  │  - BigTech recovery + phone-number anchors  │
                                  │  - Enterprise IdP/MDM/compliance gates      │
                                  │  - Fast-moving policy + revocation surfaces │
                                  └─────────────────────────────────────────────┘
                                              ▲            ▲            ▲
                                              │            │            │
                       Frontal siege loses     │            │            │    Policy churn
                       (attrition / upkeep)    │            │            │    + “sole discretion”
                                              │            │            │
──────────────────────────────────────────────┼────────────┼────────────┼──────────────────────────────
                                              │            │            │
          “GO MOVE”: break edges, island-hop, reroute around the center; build alternative trust-flow
          (Overlay → Invert; recovery becomes the true root; legacy anchors demoted to attributes)
──────────────────────────────────────────────┼────────────┼────────────┼──────────────────────────────
                                              │            │            │
                                              ▼            ▼            ▼

┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                   POLYKEY EDGE OVERLAY (FOOTHOLDS)                                  │
│  Many small, low-maintenance edges → compose into a large “net” of capability (not a single root). │
│                                                                                                    │
│   [Existing PK nodes]  introduce/join  [Target nodes]           [Legacy systems]                   │
│   phone / win / mac  ───────────────►  laptop / server / iot    ssh, browsers, pdf, smime, tls     │
│   container / worker                   container / worker       runtimes (java/node), device mgmt  │
│                                                                                                    │
│   Each join = scoped capability + receipt + continuity binding (idempotent “apply/verify/reapply”) │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
                  │
                  │ (stable invariants: minimal Rust core)
                  ▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                 POLYKEY SOVEREIGN CORE (INVARIANT)                                 │
│  - Peer keys + node state                                                                            │
│  - Sigchain / verifiable memory + cross-chain claims                                                  │
│  - Gestalt quorum recovery (the inversion lever)                                                      │
│  - Purpose keys + constraints + policy                                                                │
│  - Sign/attest API:  sign(digest, purpose, constraints)                                               │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
                  │
                  │ emits “plans” + “receipts” (P/S/R/V) + “projections”
                  ▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                               RECEIPT RAILS + CEP (THE CONTROL SURFACE)                             │
│   Principal ──grants──► Subject ──acts──► Resource ──receipts──► Verifier                            │
│   Enforcement Point can sit at edges (Principal-side / Subject-side / Resource-side)                 │
│   Modes (bridge legacy safely): Mediate / Derive / Reveal                                             │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
                  │
                  │ choose best available “edge rail” (robotic if possible; human-minimal otherwise)
                  ▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                    BOOTSTRAP / JOIN PLANNER (ADAPTIVE)                              │
│  Probe → select transport(s) → apply → verify                                                         │
│                                                                                                      │
│  Transports (how we “island hop”):                                                                    │
│   A) Robot rails (enterprise / infra): MDM, cloud-init/ignition, Redfish/BMC                          │
│   B) Human-minimal rails: passkeys/system keys, QR/short-code, USB                                    │
│   C) Runtime rails: systemd/service manager hooks, container platforms, worker secret APIs            │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
                  │
                  │  project capabilities into “legacy-shaped” views ONLY at the edge
                  ▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                           LEGACY “VIEWS” (DISPOSABLE PROJECTIONS, NOT ROOT)                         │
│  Packaging strategies:                                                                                │
│   - X.509 / PKCS#12 (TLS, S/MIME, enterprise)                                                         │
│   - CMS signatures (PDF / S/MIME)                                                                     │
│   - OpenSSH certs                                                                                     │
│   - OpenPGP                                                                                           │
│   - Wallet derivations / chain keys                                                                   │
│                                                                                                      │
│  Anti-export conduits (reduce weak edges):                                                            │
│   - Remote signing APIs (hash-in / signature-out)                                                     │
│   - Token-style local signing (where possible)                                                        │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
                  │
                  ▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                         MATERIALIZED TRUST “CACHES” (TARGET-SPECIFIC, CHURNY)                        │
│  OS store | Browser stores | Runtime stores | Enterprise policy stores                                │
│  Treated as: ephemeral caches that can be re-materialized from Polykey continuity + receipts.         │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
