Commit bcd411a9 authored by Sammy Haddad

Update file EN-304-624.md

parent a336b434
+44 −4
@@ -362,7 +362,6 @@ PKI products users' roles and responsibilities can be:
  - Ensure compliance with **organizational policies and regulatory requirements**.
  - Troubleshoot and resolve **technical issues** related to the PKI infrastructure.


**PKI Operator**
- **Role:** Authorized to **perform operational tasks** to ensure the availability and integrity of the PKI system.
- **Responsibilities:**
@@ -372,7 +371,6 @@ PKI products users' roles and responsibilities can be:
  - Ensure **high availability** of PKI services.
  - Assist in **disaster recovery and contingency planning**.


**PKI Officer (or Registration Authority Officer)**
- **Role:** Authorized to **manage certificate lifecycle operations**, including approvals and revocations.
- **Responsibilities:**
@@ -383,7 +381,6 @@ PKI products users' roles and responsibilities can be:
  - Ensure that **certificate issuance and revocation processes** align with organizational policies.
  - Collaborate with the **PKI Administrator** to maintain the integrity of the PKI system.


**PKI Auditor**
- **Role:** Authorized to **monitor and review PKI operations** to ensure compliance and security.
- **Responsibilities:**
@@ -1265,7 +1262,6 @@ information shall be recorded, after a proper verification.
- REFERENCE: REQ-5.7-01
  - REQUIREMENT: In case of certificate modification, if any certified names or attributes have changed, the related registration information shall be recorded, after a proper verification.


## 5.8 Certificate suspension and revocation
- REFERENCE: REQ-5.8-01
  - REQUIREMENT: Once a certificate is revoked, it shall not be reinstated.
@@ -1286,7 +1282,24 @@ information shall be recorded, after a proper verification.
  - APPLICABILITY: UC1, UC2 and UC3.
  - NOTE: This is aligned with requirement CSS-6.3.10-09 contained in ETSI EN 319 411-1 (V1.5.1)

## 5.10 Access control

- REFERENCE: REQ-5.10-01
  - REQUIREMENT: Only authorized users shall be able to access PKI functionalities, stored data, and configuration data.
    To achieve this, the PKI shall enforce identification and authentication mechanisms.
  - RATIONALE: Only authorized, identified, and authenticated users should be able to access PKI services and stored data.
    This addresses all relevant threats.
  - APPLICABILITY: All use cases.

 
- REFERENCE: REQ-5.10-02
  - REQUIREMENT:The pki shall manage different user profile allowing privilage segragation. This mechanisme shall provide meand to differenciate users account capabilities for the following roles:
    - PKI Administrator: Authorized to install, configure, and maintain the PKI produt, ensuring its proper operation and security.
    - PKI Operator: Authorized to perform operational tasks to ensure the availability and integrity of the PKI system.
    - PKI Officer (or Registration Authority Officer): Authorized to manage certificate lifecycle operations, including approvals and revocations.
    - PKI Auditor: Authorized to monitor and review PKI operations to ensure compliance and security.
   - RATIONALE: Only authorised, identicated and authenticated user should be able to access the PKI services and stored data. This covers threats all threats. 
  - APPLICABILITY: All use cases. 

# 6 Conformity Assessment
*Editor's note: This section's structur is stable. The content is not stable.*
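Review bot: REQ-5.10-02 needs a copy-edit pass and a rationale of its own before this is merged. The requirement line has no space after "REQUIREMENT:" and carries several misspellings ("pki", "privilage segragation", "mechanisme", "meand", "differenciate", "produt"); the RATIONALE line has more ("identicated", "This covers threats all threats") and is indented three spaces where the APPLICABILITY line below it uses two, which can change how the list nests when rendered. The rationale also repeats the one given for REQ-5.10-01 (authenticated access) instead of explaining why the four roles must be separated, so a reader cannot tell which threat the privilege segregation addresses. Finally, the requirement lists the roles but does not say whether one account may hold more than one of them; if that is meant to be excluded or allowed, state it here so that the assessment in section 6 can test it.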
@@ -1875,6 +1888,33 @@ verify that no certificate may be issued until acceptables values for the identi

  - EVIDENCE: The way OCSP responses were requested, and the responses and OCSP responses from the PKI.


#### 6.6 Access control

- REFERENCE: ASS-REQ-6.6-01

  - OBJECTIVE:
    Verify the PKI software allows to create different user profiles (users with different access rights to functions, configuration, and stored data) for the roles defined by PKI policies, each with distinct credentials.

  - PREPARATION:
    Access to the administrative and user interfaces of the PKI software.

  - ACTIVITIES:
    - Create one account for each manageable profile (at least: PKI Administrator, PKI Operator, PKI Officer, PKI Auditor) with unique credentials.
    - For each account:
      - Attempt to log in using credentials from other accounts or invalid credentials.
      - Log in with the correct credentials for each account.
      - Verify that only the authorized actions defined by the user profile are accessible.

  - VERDICT:
    SUCCESS if only correct identification and authentication allows access to the specific rights of a user profile.
    FAIL if unauthorized access or incorrect rights assignment is detected.

  - EVIDENCE:
    a) Results of identification and authentication attempts (successful and failed).
    b) List of validated functionalities and data access rights for each user profile.
    c) Screenshots or logs of access attempts and rights verification.

# Annex A Mapping with essential requirements of the CRA
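Review bot: In the ACTIVITIES of ASS-REQ-6.6-01, the step "Attempt to log in using credentials from other accounts or invalid credentials" has no stated expected result, and valid credentials from another account will simply authenticate as that other account, so the step cannot fail as written. Suggest splitting it: invalid credentials must be rejected, and a session opened with account A's credentials must expose only A's rights. The list also has no explicit negative step (attempting an action outside the profile, or reaching functions, stored data or configuration data without authenticating), although REQ-5.10-01 covers exactly those and the VERDICT's FAIL condition depends on detecting them. The assessment does not name the requirement(s) it verifies (REQ-5.10-01, REQ-5.10-02). Minor: the heading is "#### 6.6" while the matching requirement section is "## 5.10", so check the level against the other 6.x headings, and "allows to create" in the OBJECTIVE should read "allows the creation of".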