chore: sync GovOPlaN module split state

This commit is contained in:
2026-07-10 12:51:22 +02:00
parent 86f1cf8018
commit 783c62a6bb

View File

@@ -0,0 +1,37 @@
# Device Key And Identity Trust Concept
`govoplan-identity-trust` should own the trust primitives that let GovOPlaN
separate authentication, authorization, and cryptographic access.
The initial driver is encrypted postbox support, but the same trust layer may
later support stronger assurance, signatures, recovery policy, and external
recipient trust.
## Responsibilities
The module should eventually own:
- public key directory
- per-device encryption keys
- account or identity signing-key references
- device registration and revocation
- key rotation and key epochs
- assurance metadata from OIDC, WebAuthn, SAML, or other providers
- recovery and lost-device policy hooks
- audited key-access and rewrap decisions
It should not own login sessions, tenant membership, groups, functions, roles,
or permission decisions. Those remain in `govoplan-access`.
## Postbox Contract
For encrypted role/function postboxes, identity trust should be able to:
- publish recipient/device public keys
- verify that a device belongs to the authenticated actor
- track key epochs when role membership changes
- rewrap or release encrypted content keys only after access approves the actor
- emit audit events for key fetch or rewrap operations
The module must never require an identity provider or directory service to see
message plaintext or private postbox keys.