Commit d4522190 authored by Sammy Haddad's avatar Sammy Haddad
Browse files

Table of content adjustement to Drfat CRA Vertical standard structure. 

 Modification of use case naming (introducing critical or none critical entity concept).
 Adding of out of scope context as proposed by Nick Pope.
 Adding of   ANNEXES
to the
Commission Implementing Regulation
on the technical description of the categories of important and critical products with
digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and
of the Council PKI definition.
parent 4ca01325

EN-304-624.md

+20 −18
Original line number Diff line number Diff line
@@ -260,7 +260,7 @@ Commission Implementing Regulation (EU) 2024/2690 for the application Directive 
_Explain the overall architecture and relationship among the parts of the products. Use diagrams if that is helpful._





<mark> FIXME include the current vertical definition supplied by the EC, use that as a starting point.

Products with digital elements used as part of a public key cryptography scheme to manage asymmetric cryptographic keys and digital certificates, including their creation, issuance, distribution, validation, renewal, storage or revocation. This category includes but is not limited to key management systems, digital certificate management systems and online certificate status protocol responders
@@ -363,7 +363,10 @@ PKIs can take many forms and this standard doesn't aim to cover all possible PKI 
- Open or public PKI for Certficate Authorities (CA) 

- C-ITS PKI



Security Profiles are defined for those specific use cases. Products not directly matching those use cases have to refine one of those profile to adapt them to there own risk analaysis.

Security Profiles are defined for those specific use cases. Those profiles are the combination of the security and assessment requirements applicable to each use cases. In section 5 requirements are associated to an applicability conditions which depends on the use cases risks analysis as defined in Annex C.





Products not directly matching those use cases have to refine one of those profile to adapt them to there own risk analaysis.



In the <strong>SME product context</strong>, a single instance of a self-contained PKI product will typically support all of the required PKI functionality.
@@ -377,10 +380,10 @@ EXAMPLE 3: The dissemination service is not needed as an enterprise directory se 






### 4.7.1 Private PKI for none critical entities

#### 4.7.1.1 Assets



### 5.1.2 Assets



#### 5.1.2.1 System administration

##### 4.7.1.1.1 System administration



Table 5.1 provides a list of system administration assets for the PKI product.
@@ -402,7 +405,7 @@ Table 5.1 provides a list of system administration assets for the PKI product. 


</div>



#### 5.1.2.2 Registration service

##### 4.7.1.1.2 Registration service



Table 5.2 provides a list of assets for a PKI product that supports registration services.
@@ -422,7 +425,7 @@ Table 5.2 provides a list of assets for a PKI product that supports registration 


If the PKI product does not provide support for subscriber management as part of its registration services, then the subscriber data (REG01) and subscriber management function (REG11) assets will not be present. 



#### 5.1.2.3 Certificate generation service

##### 4.7.1.1.3 Certificate generation service



Table 5.3 provides a list of assets for a PKI product that supports certificate generation services.
@@ -448,7 +451,7 @@ If the PKI product does not support the use of subject key generation or subject 


If the PKI product does not support registration services, then certificate requests can either be submitted directly via the certificate generation service user interface (GEN21) or via a related logical interface.



#### 5.1.2.4 Dissemination service

##### 4.7.1.1.4 Dissemination service



Table 5.4 provides a list of assets for a PKI product that supports dissemination services.
@@ -468,7 +471,7 @@ Table 5.4 provides a list of assets for a PKI product that supports disseminatio 


If the PKI product does not support dissemination services, then the dissemination assets will be replaced by a logical interface to a third-party enterprise directory service.



#### 5.1.2.5 Revocation management service

##### 4.7.1.1.5 Revocation management service



Table 5.5 provides a list of assets for a PKI product that supports revocation management services.
@@ -486,7 +489,7 @@ Table 5.5 provides a list of assets for a PKI product that supports revocation m 


The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the revocation management function (REV11) and user interface (REV21) assets can be considered part of the corresponding certificate generation function (GEN12) and user interface (GEN21) assets.



#### 5.1.2.6 Certificate status service

##### 4.7.1.1.6 Certificate status service



Table 5.5 provides a list of assets for a PKI product that supports certificate status services.
@@ -503,9 +506,9 @@ Table 5.5 provides a list of assets for a PKI product that supports certificate 
</div>





### 5.1.3 Threats

#### 4.7.1.2 Threats



#### 5.1.3.1 System administration

##### 4.7.1.2.1 System administration



<div align="center">
@@ -532,7 +535,7 @@ Table 5.5 provides a list of assets for a PKI product that supports certificate 


</div>



#### 5.1.3.2 Registration service

##### 4.7.1.2.2 Registration service



<div align="center">
@@ -555,7 +558,7 @@ Table 5.5 provides a list of assets for a PKI product that supports certificate 


If the PKI product does not provide support for subscriber management as part of its registration services, then the threats to the subscriber data (T_REG01 and T_REG02) and subscriber management function (T_REG04) are not present.



#### 5.1.3.3 Certificate generation service

##### 4.7.1.2.3 Certificate generation service



<div align="center">
@@ -587,7 +590,7 @@ If the PKI product does not support the use of a secure cryptographic device, th 


If the product does not support subject key generation or key recovery, the threats to the subject key data (T_GEN04, T_GEN05 and T_GEN06) will not be present and the threat to the key management function (T_GEN07) will only cover the CA key data.



#### 5.1.3.4 Dissemination service

##### 4.7.1.2.4 Dissemination service



<div align="center">
@@ -608,7 +611,7 @@ If the product does not support subject key generation or key recovery, the thre 


If the PKI product does not support dissemination services and provides a logical interface to a third-party directory service, then the the threats to the subscriber dissemination interface (T_DIS05 and T_DIS06) apply to the directory service interface instead.



#### 5.1.3.5 Revocation management service

##### 4.7.1.2.5 Revocation management service



<div align="center">
@@ -628,7 +631,7 @@ If the PKI product does not support dissemination services and provides a logica 


The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the threats to the revocation management function (T_REV03) and user interface (T_REV04, T_REV05, T_REV06 and T_REV07) apply to the corresponding certificate generation function and user interface.



#### 5.1.3.6 Certificate status service

##### 4.7.1.2.6 Certificate status service



<div align="center">
@@ -645,7 +648,6 @@ The PKI product can support limited revocation management services even if it do 


</div>





## 4.7.2 Critical entities and public CA PKI software



### 4.7.2.1 Use