UC1.	Bootstraping itself
UC2.	Issuing new certificates
UC2.1	Key Generation + Archival
UC2.2	Signing external CRL's
UC3.	Revoking existing keys (CRL)
UC3.1	Renewing CRL (no need of KC interaction if there was no additional certs)
UC3.2?	DeltaCRL
UC4.	Monitoring
UC5.	Backup
UC5.1	Backup verification
UC6	High availability (cluster)
UC6.1	Adding/decomissioning new Root CA node to PKI cluster
UC6.2	Adding/decomissioning new CA node to PKI cluster
UC6.3	Adding/decomissioning new Monitor
UC7	RA
UC7.1	RA notifies KC on new requests (ra@pki.hackerspace.pl?)
UC	Agent(?) to request/renew certificates from end device
UC	ICC deployment agent (for issuing member cards)
UC	Renewing member certificate / lost password (other 2 members is enough, 
	no KC need to be involved)
UC	ICC for servers (how to secure?)
UC	Agent(?) to fetch CRL
UC	Enrollment agent for stupid devices (ansible/salt)


SR1.	CA Private key is never under control of single user or device (SPOF)
SR2.	Low level verification if CA is issuing only end-user certificates
SR2.1	Policy constraints with certificate depth for CA
SR3.	Auditing
SR3.1	Non repudative audit log (merkle trees)
SR4	Adding new KC
SR4.1	Revoking KC
SR5	Mass revoke/renew certificates