UC1. Bootstrapping itself
UC2. Issuing new certificates
UC2.1 Key Generation + Archival (encryption certs)
UC2.2 Signing external CRLs
UC2.3 End user certificates
UC2.4 Applications
UC2.4.1 Device certificates
UC2.4.1.1 Servers
UC2.4.1.1.1 Linux
UC2.4.1.1.2 Hypervisors
UC2.4.1.1.2.1 Kubernetes
UC2.4.1.1.2.1.1 POD
UC2.4.1.2 Network devices
UC2.4.1.3 HS Access
UC2.4.2 Dedicated user certificates (if main user certificate is not suitable)
UC2.4.3 Other certificates (?)
UC2.5 Certificate templates
UC2.5.1 Device certificate templates
UC2.5.2 End user certificate templates (US CAC format preferred)
UC2.5.3 Other certificates (?)
UC3. Revoking existing keys (CRL)
UC3.1 Renewing CRL (no need for KC interaction if there were no additional certs)
UC3.2? DeltaCRL
UC4. Monitoring
UC5. Backup
UC5.1 Backup verification
UC5.2 Backup of encryption certificates
UC6 High availability (cluster)
UC6.1 Adding/decommissioning new Root CA node to PKI cluster
UC6.2 Adding/decommissioning new CA node to PKI cluster
UC6.3 Adding/decommissioning new Monitor
UC7 RA
UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?)
UC8 Enrollment
UC8.1 Agent(?) to request/renew certificates from end device (à la certbot)
UC8.2 ICC deployment agent
UC8.2.1 for member cards
UC8.2.2 for devices
UC8.2.2.1 support device migration between hosts
UC8.2.3 Enrollment agent for stupid devices (ansible/salt)
UC8.3 Manage certificates issued by external CA
UC8.3.1 Notify about expiry
UC8.3.2 Manage renewal (if possible) & redeploy (letsencrypt)
UC9 Certificate renewal
UC9.1 Renewing member certificate / lost password (other 2 members are enough, no KC needs to be involved)
UC9.2 Plain renewal - use plain cert authentication to ask for renewal
UC9.2.1 Consider signing / encryption certs without auth extensions
UC10 Agent(?) to fetch CRL
UC11 List of all certificates
UC11.1 Certificate status from whole infrastructure on demand
UC12 Support for PKCS#11 interface

SR1. CA private key is never under control of a single user or device (SPOF)
SR2. Low-level verification that the CA is issuing only end-user certificates
SR2.1 Policy constraints with certificate depth for CA
SR3. Auditing
SR3.1 Non-repudiable audit log (merkle trees with pbkdf2)
SR3.2 COINKS?
SR4 Adding new KC
SR4.1 Revoking KC
SR5 Mass revoke/renew certificates