@@ -309,7 +309,7 @@ NOTE 3: This service can use a secure cryptographic device to generate, store an
NOTE 4: This service can include generation of subject keys and, if used for decryption, storage of subject private keys to allow key recovery.
-<strong>Dissemination service:</strong> disseminates signed certificates to subscribers; and, if the subscriber consents, stores and makes them available to relying parties.
-<strong>Dissemination service:</strong> disseminates signed certificates to subscribers; and, if applicable, stores and makes them available to relying parties.
NOTE 5: This service can disseminate subject private keys to subscribers if the subject keys are generated by the certificate generation service.
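Review bot: in the Dissemination service item, replacing "if the subscriber consents" with "if applicable" removes the only stated condition for making certificates available to relying parties, and nothing in the new wording says what makes it applicable or who decides. If subscriber consent is no longer meant to be a precondition, say so and name the condition that replaces it (for example a reference to the governing policy clause). Otherwise keep the consent wording.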
@@ -333,7 +333,7 @@ The product will typically support some logging of events relevant to each of th
#### 4.2.2.3 Accounts
The product will support one or more of the following user accounts:
In the SME context, the product will support one or more of the following user accounts:
-<strong>System administrator account:</strong> authorized to install, configure and update the product.
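Review bot: the new lead-in under 4.2.2.3 Accounts, "In the SME context, the product will support ...", uses a different qualifier from the architecture text later in this patch, which says "In the SME product context". Pick one phrase and use it in both places. "SME" is also not expanded in any of the visible lines, so confirm it is defined before this clause or expand it here.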
@@ -341,18 +341,26 @@ The product will support one or more of the following user accounts:
### 4.2.3 Architecture
#### 4.2.2.1 Overview
Figure 4.1 gives a high-level overview of a PKI architecture.
In the SME product context, a single PKI product will typically support all of the required PKI functionality.
However, some component PKI services might not be necessary or could be supported through generic enterprise products and services.
EXAMPLE 1: The registration service is not needed as subscriber enrollment and certificate request approvals are handled through standard enterprise on-boarding and account management processes.
EXAMPLE 2: The revocation managment and certificate status services are not needed as compromised certificates can be mitigate through standard enterprise account management and off-boarding processes.
EXAMPLE 3: The dissemination service is not needed as an enterprise directory service can be used to store and distribute certificates.
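Review bot: EXAMPLE 2 says the revocation management and certificate status services are not needed because account management and off-boarding handle compromised certificates, but it gives no condition under which that holds. State that it applies only where every relying party checks the enterprise account state before accepting a certificate, since a relying party that validates the certificate alone would keep accepting it until expiry. In the same hunk, "#### 4.2.2.1 Overview" sits under "### 4.2.3 Architecture" and should be numbered 4.2.3.1. EXAMPLE 2 also has two typos: "managment" should be "management" and "can be mitigate" should be "can be mitigated".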