UC1.	Bootstraping itself
UC2.	Issuing new certificates
UC2.1	Key Generation + Archival (encryption certs)
UC2.2	Signing external CRL's
UC2.3	End user certificates
UC2.4	Applications
UC2.4.1	Device certificates
UC2.4.1.1	Servers
UC2.4.1.1.1	Linux
UC2.4.1.1.2	Hypervisors
UC2.4.1.1.2.1	Kubernetes
UC2.4.1.1.2.1.1	POD
UC2.4.1.2	Network devices
UC2.4.1.3	HS Access
UC2.4.2	Dedicated user certificates (if main user certificate is not suitable)
UC2.4.3	Other certificates (?)
UC2.5	Certificate templates
UC2.5.1	Device certificate templates
UC2.5.2 End user certificate templates (US CAC format preferred)
UC2.5.3	Other certificates (?)
UC3.	Revoking existing keys (CRL)
UC3.1	Renewing CRL (no need of KC interaction if there was no additional certs)
UC3.2?	DeltaCRL
UC4.	Monitoring
UC5.	Backup
UC5.1	Backup verification
UC5.2	Backup of encryption certificates
UC6	High availability (cluster)
UC6.1	Adding/decomissioning new Root CA node to PKI cluster
UC6.2	Adding/decomissioning new CA node to PKI cluster
UC6.3	Adding/decomissioning new Monitor
UC7	RA
UC7.1	RA notifies KC on new requests (ra@pki.hackerspace.pl?)
UC8	Enrollment
UC8.1	Agent(?) to request/renew certificates from end device (a'la certbot)
UC8.2	ICC deployment agent 
UC8.2.1	for member cards
UC8.2.2	for devices
UC8.2.2.1	support device migration between hosts
UC8.2.3	Enrollment agent for stupid devices (ansible/salt)
UC8.3	Manage certificates issued by external CA
UC8.3.1	Notify about expiry
UC8.3.2	Manage renewal (if possible) & redeploy (letsencrypt)
UC9	Certificate renewal
UC9.1	Renewing member certificate / lost password (other 2 members is enough, 
	no KC need to be involved)
UC9.2	Plain renewal - use plain cert authentication, to ask for renewal
UC9.2.1	Consider signing / encryption certs without auth extensions
UC10	Agent(?) to fetch CRL
UC11	List of all certificates
UC11.1	Certificate status from whole infrastructure on demand
UC12	Support for PKCS#11 interface

SR1.	CA Private key is never under control of single user or device (SPOF)
SR2.	Low level verification if CA is issuing only end-user certificates
SR2.1	Policy constraints with certificate depth for CA
SR3.	Auditing
SR3.1	Non repudative audit log (merkle trees with pbkdf2)
SR3.2	COINKS?
SR4	Adding new KC
SR4.1	Revoking KC
SR5	Mass revoke/renew certificates