UC1. Bootstrapping itself
UC2. Issuing new certificates
UC2.1 Key Generation + Archival
UC2.2 Signing external CRLs
UC3. Revoking existing keys (CRL)
UC3.1 Renewing CRL (no need for KC interaction if there were no additional certs)
UC3.2? DeltaCRL
UC4. Monitoring
UC5. Backup
UC5.1 Backup verification
UC6 High availability (cluster)
UC6.1 Adding/decommissioning new Root CA node to PKI cluster
UC6.2 Adding/decommissioning new CA node to PKI cluster
UC6.3 Adding/decommissioning new Monitor
UC7 RA
UC7.1 RA notifies KC on new requests (ra@pki.hackerspace.pl?)
UC Agent(?) to request/renew certificates from end device
UC ICC deployment agent (for issuing member cards)
UC Renewing member certificate / lost password (other 2 members are enough, no KC needs to be involved)
UC ICC for servers (how to secure?)
UC Agent(?) to fetch CRL
UC Enrollment agent for stupid devices (ansible/salt)

SR1. CA private key is never under the control of a single user or device (SPOF)
SR2. Low-level verification that CA is issuing only end-user certificates
SR2.1 Policy constraints with certificate depth for CA
SR3. Auditing
SR3.1 Non-repudiable audit log (Merkle trees)
SR4 Adding new KC
SR4.1 Revoking KC
SR5 Mass revoke/renew certificates