path: root/design/hs_pki_uc+req
author d3llf <> 2017-02-05 17:15:28 +0100
committer d3llf <> 2017-02-05 17:15:28 +0100
commit e44a25b64378eddbe5c0c402e8def082b2c65fa6
tree fc4e69c67fbfc5fa55b591cc2b8f0d47dab21a4c /design/hs_pki_uc+req
parent f5c69eaf0b7359d0ce9be655d9fdce9212b57352
RootCA Init; Interesting external resources
Diffstat (limited to 'design/hs_pki_uc+req')
1 files changed, 62 insertions, 0 deletions
diff --git a/design/hs_pki_uc+req b/design/hs_pki_uc+req
new file mode 100644
index 0000000..b96031d
--- /dev/null
+++ b/design/hs_pki_uc+req
@@ -0,0 +1,62 @@
+UC1. Bootstraping itself
+UC2. Issuing new certificates
+UC2.1 Key Generation + Archival (encryption certs)
+UC2.2 Signing external CRL's
+UC2.3 End user certificates
+UC2.4 Applications
+UC2.4.1 Device certificates
+UC2.4.1.1 Servers
+UC2. Linux
+UC2. Hypervisors
+UC2. Kubernetes
+UC2.4.1.2 Network devices
+UC2.4.1.3 HS Access
+UC2.4.2 Dedicated user certificates (if main user certificate is not suitable)
+UC2.4.3 Other certificates (?)
+UC2.5 Certificate templates
+UC2.5.1 Device certificate templates
+UC2.5.2 End user certificate templates (US CAC format preferred)
+UC2.5.3 Other certificates (?)
+UC3. Revoking existing keys (CRL)
+UC3.1 Renewing CRL (no need of KC interaction if there was no additional certs)
+UC3.2? DeltaCRL
+UC4. Monitoring
+UC5. Backup
+UC5.1 Backup verification
+UC5.2 Backup of encryption certificates
+UC6 High availability (cluster)
+UC6.1 Adding/decomissioning new Root CA node to PKI cluster
+UC6.2 Adding/decomissioning new CA node to PKI cluster
+UC6.3 Adding/decomissioning new Monitor
+UC7.1 RA notifies KC on new requests (
+UC8 Enrollment
+UC8.1 Agent(?) to request/renew certificates from end device (a'la certbot)
+UC8.2 ICC deployment agent
+UC8.2.1 for member cards
+UC8.2.2 for devices
+UC8.2.2.1 support device migration between hosts
+UC8.2.3 Enrollment agent for stupid devices (ansible/salt)
+UC8.3 Manage certificates issued by external CA
+UC8.3.1 Notify about expiry
+UC8.3.2 Manage renewal (if possible) & redeploy (letsencrypt)
+UC9 Certificate renewal
+UC9.1 Renewing member certificate / lost password (other 2 members is enough,
+ no KC need to be involved)
+UC9.2 Plain renewal - use plain cert authentication, to ask for renewal
+UC9.2.1 Consider signing / encryption certs without auth extensions
+UC10 Agent(?) to fetch CRL
+UC11 List of all certificates
+UC11.1 Certificate status from whole infrastructure on demand
+UC12 Support for PKCS#11 interface
+SR1. CA Private key is never under control of single user or device (SPOF)
+SR2. Low level verification if CA is issuing only end-user certificates
+SR2.1 Policy constraints with certificate depth for CA
+SR3. Auditing
+SR3.1 Non repudative audit log (merkle trees with pbkdf2)
+SR4 Adding new KC
+SR4.1 Revoking KC
+SR5 Mass revoke/renew certificates
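Review bot: the requirement ids in this hunk are not unique or complete, so they cannot be cited reliably: under UC2.4.1.1 the three entries "UC2. Linux", "UC2. Hypervisors" and "UC2. Kubernetes" all reuse the bare id UC2., and UC7.1 appears with no UC7 parent and ends in an unclosed "(". Suggest numbering the server entries UC2.4.1.1.1 to UC2.4.1.1.3, adding the UC7 heading and finishing the UC7.1 sentence. SR3.1 pairs Merkle trees with pbkdf2, which is a password-based key derivation function; a Merkle tree normally uses a plain cryptographic hash, so state what pbkdf2 is for here (node hashing, keying the log, something else) and why. SR2.1 says "Policy constraints with certificate depth", but in X.509 the chain depth below a CA is limited by pathLenConstraint in basicConstraints, while policyConstraints governs certificate policies, so name the extension that is actually intended. KC, RA, HS and ICC are used without being defined anywhere in the file; a short glossary at the top would make UC3.1, UC7.1, UC9.1 and SR4 readable on their own. Spelling: "Bootstraping" (UC1), "decomissioning" (UC6.1 to UC6.3), "Non repudative" (SR3.1).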