@@ -177,10 +177,19 @@ NMS authorises the query based on the role and identity of the device.
### 5.2.2 Cryptographic key intialisation and rotation
***[REQ-CRYPTO-4]** The product shall support and implement a on-demand rotation of cryptographic keys.
***[REQ-CRYPTO-5]** The product shall support to initialisation of trust.
***[REQ-CRYPTO-5]** The product shall support the initialisation of trust.
***[REQ-CRYPTO-6]** The product shall support cryptographic mechanisms used to accept managed elements to the network.
***[REQ-CRYPTO-7]** The product shall support a method to replace or update the cryptographic keys in the system and in the managed elements.
Trust is inherited from a parenting system or from an existing entity.
Rollout automation and zero touch configuration approaches rely on concepts, that are not nessesarily well established, and vendor specific.
When nothing prior trust source exists, there is always an initialisation and manual acceptanse that involves human intervention.
This intervention enables the administrator to transfer the seed.
> Example: Every PKI tree starts from the creating of the Certificate Authority. The administrator intervention is then to distribute the public part of the CA to all targets, which needs to trust the derived keys from this CA.
This document focuses on defining the expected outcomes of the chosen mechanisms without defining the details of the implementation.
### 5.2.3 Network segmentation
Network segmentation is encouraged to be used where applicable.
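Review bot: REQ-CRYPTO-5 and REQ-CRYPTO-6 in section 5.2.2 are not testable as written: "support the initialisation of trust" and "support cryptographic mechanisms used to accept managed elements to the network" name no outcome an assessor could check, even though the closing sentence of the section says the document defines expected outcomes. Suggest stating the outcome directly, for example that a managed element is accepted only after its key is validated against the trust seed the administrator transferred, and that the manual acceptance step is recorded. REQ-CRYPTO-7 ("replace or update the cryptographic keys in the system and in the managed elements") overlaps REQ-CRYPTO-4 (on-demand rotation); either merge the two or say what 7 adds, such as extending rotation to the managed elements. Wording to fix in the same section: "intialisation" in the heading, "a on-demand", "nessesarily", "acceptanse", "When nothing prior trust source exists", and "the creating of the Certificate Authority".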