chore: sync GovOPlaN module split state
This commit is contained in:
37
docs/DEVICE_KEY_TRUST_CONCEPT.md
Normal file
37
docs/DEVICE_KEY_TRUST_CONCEPT.md
Normal file
@@ -0,0 +1,37 @@
|
||||
# Device Key And Identity Trust Concept
|
||||
|
||||
`govoplan-identity-trust` should own the trust primitives that let GovOPlaN
|
||||
separate authentication, authorization, and cryptographic access.
|
||||
|
||||
The initial driver is encrypted postbox support, but the same trust layer may
|
||||
later support stronger assurance, signatures, recovery policy, and external
|
||||
recipient trust.
|
||||
|
||||
## Responsibilities
|
||||
|
||||
The module should eventually own:
|
||||
|
||||
- public key directory
|
||||
- per-device encryption keys
|
||||
- account or identity signing-key references
|
||||
- device registration and revocation
|
||||
- key rotation and key epochs
|
||||
- assurance metadata from OIDC, WebAuthn, SAML, or other providers
|
||||
- recovery and lost-device policy hooks
|
||||
- audited key-access and rewrap decisions
|
||||
|
||||
It should not own login sessions, tenant membership, groups, functions, roles,
|
||||
or permission decisions. Those remain in `govoplan-access`.
|
||||
|
||||
## Postbox Contract
|
||||
|
||||
For encrypted role/function postboxes, identity trust should be able to:
|
||||
|
||||
- publish recipient/device public keys
|
||||
- verify that a device belongs to the authenticated actor
|
||||
- track key epochs when role membership changes
|
||||
- rewrap or release encrypted content keys only after access approves the actor
|
||||
- emit audit events for key fetch or rewrap operations
|
||||
|
||||
The module must never require an identity provider or directory service to see
|
||||
message plaintext or private postbox keys.
|
||||
Reference in New Issue
Block a user