Commit 9ba40c59 authored by Santeri Toikka's avatar Santeri Toikka
Enriched the crypto init lore

Closes #105
parent 6e91d8d6
+10 −1
@@ -177,10 +177,19 @@ NMS authorises the query based on the role and identity of the device.
### 5.2.2 Cryptographic key intialisation and rotation

* **[REQ-CRYPTO-4]** The product shall support and implement a on-demand rotation of cryptographic keys.
* **[REQ-CRYPTO-5]** The product shall support to initialisation of trust.
* **[REQ-CRYPTO-5]** The product shall support the initialisation of trust.
* **[REQ-CRYPTO-6]** The product shall support cryptographic mechanisms used to accept managed elements to the network.
* **[REQ-CRYPTO-7]** The product shall support a method to replace or update the cryptographic keys in the system and in the managed elements.

Trust is inherited from a parenting system or from an existing entity.
Rollout automation and zero touch configuration approaches rely on concepts, that are not nessesarily well established, and vendor specific.
When nothing prior trust source exists, there is always an initialisation and manual acceptanse that involves human intervention.
This intervention enables the administrator to transfer the seed.

> Example: Every PKI tree starts from the creating of the Certificate Authority. The administrator intervention is then to distribute the public part of the CA to all targets, which needs to trust the derived keys from this CA.

This document focuses on defining the expected outcomes of the chosen mechanisms without defining the details of the implementation.

### 5.2.3 Network segmentation

Network segmentation is encouraged to be used where applicable.
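Review bot: the added paragraph after the REQ-CRYPTO-7 bullet leaves the key step of trust initialisation undefined, because "the seed" that the administrator transfers is never named, and nothing says how its authenticity is checked at the receiving end. Since every key the system later derives or accepts depends on this one step, I would state explicitly that the seed is the trust anchor (in the example, the public part of the CA), that it is delivered over an out-of-band channel, and that the receiving managed element verifies it (for example by comparing a fingerprint) before trusting anything derived from it; otherwise REQ-CRYPTO-5 and REQ-CRYPTO-6 have no verifiable outcome, which is what this section says it aims to define. Also, the new text has several spelling and grammar slips that should be fixed in the same change: "nessesarily" and "acceptanse"; "When nothing prior trust source exists" should read "When no prior trust source exists"; and in the example "starts from the creating of the Certificate Authority" should be "starts from the creation of the Certificate Authority", with "which needs to trust" becoming "which need to trust". While here, the unchanged heading "Cryptographic key intialisation and rotation" and the REQ-CRYPTO-4 bullet "a on-demand rotation" have the same kind of typo ("initialisation", "an on-demand").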