...
It is useful to consider the lifecycle of the credentials. This section describes the lifecycle steps considered for the credentials (note that the usage of the credentials is out of scope of credential management):
<< Remove this section, keep red text, but in implementation close section >>
- Credential Null
- The security credential does not exist.
- Credential Creation
- The credentials are created. The means of creating the credentials is considered out of scope for ONAP; an existing credential creation scheme is used.
Note: The credentials may be created by a CA, binding an identity to a credential using an X.509v3 certificate.
- Credential Provisioning
- Provisioning the credentials involves putting the credentials into the ONAP system and ensuring that they are securely stored (PKCS#11 secure generation and storage of the private key).
- Credential Update
- The credentials that have been previously provisioned are updated.
- Credential Validation
- Provisioned credentials are validated to ensure that they are still valid.
- Credential Distribution
- The distribution of the credentials so that they are accessible to the ONAP functions.
Note: this implies no statement on the means used to distribute the credentials.
Note: For discussion - is (or should) this state be visible in the lifecycle?
- Credential Expiration
- The credential has expired and is no longer considered valid.
- Credential Revoke
- The ability to revoke and remove a credential.
2.3 Credential Management Requirements
The credential management solution considers the following:
General Requirements
- The credential management solution must be able to interact with existing credential creation and validation schemes:
  - PKCS#11 secure generation and storage of the private key
  - Binding an identity to a credential using an X.509v3 certificate
<< Insert section here for each credential type >>
2.4 Formal Credential Lifecycle
2.4.1 Credential State Diagram
<< Comment: Remove "external to ONAP" and "ONAP operations". Add descriptive text on who the owning authority of the credential is (external, or ONAP). >>
...
2.4.2 Credential States
| State | Definition |
|---|---|
| Credential_Null | No credential currently exists. The only valid operation is to create a credential. (The mechanism for creating a credential is out of scope of ONAP.) |
| Credential_Created | A credential has been created. The credential is not yet available within ONAP, and cannot be validated. |
| Credential_Provisioned | The credential is provisioned into ONAP. The credential can be validated within ONAP. |
| Credential_Expired | The credential has expired. Credential validation within ONAP will fail. The credential can be updated. |
| Credential_Revoked | The credential has been revoked. Credential validation within ONAP will fail. The credential cannot be updated. |
| Credential_Destroyed | Note: Credentials can be copied, and the copy can be presented for validation. Credentials can never be destroyed. |
2.4.3 Credential Operations
| Operation | Definition |
|---|---|
| CREATE | Creates a new credential. Credential creation is external to ONAP. Credentials may not be deleted (Design Note 1). |
| PROVISION | Provisions an existing credential into ONAP. A credential must go through state Credential_Provisioned before it can be used within ONAP. |
| UPDATE | Updates an existing credential within ONAP. UPDATE is used to update a credential in state Credential_Expired and return it to state Credential_Provisioned. UPDATE may also be used to update internal parts of a credential. |
| VALIDATE | Validates an existing credential. VALIDATE is used to test that a presented credential gives permission for access to a resource within ONAP (e.g. to access an ONAP component, perform an ONAP operation, or access data). |
| EXPIRE | Expires an existing credential. EXPIRE may be an implicit operation, as some credentials have a defined lifetime and will expire automatically. EXPIRE may be an explicit operation, where a specific credential is expired. Credentials in state Credential_Expired may be updated. |
| REVOKE | Revokes an existing credential. Once a credential is in state Credential_Revoked there are no valid operations. A new credential is required. |
Design Notes:
- Design Note 1 - this is intended to make explicit that digital credentials may always be re-used, even if they are expired or revoked.
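The state and operation tables above define a small state machine. The following is an added example (not ONAP code) that implements it in Python: the transition table rejects any operation that the tables do not permit (for instance UPDATE after REVOKE, or PROVISION of a credential that does not exist), and VALIDATE applies the implicit form of EXPIRE when a provisioned credential's defined lifetime has elapsed. The subject name, timestamps and lifetimes are constructed for the example; allowing REVOKE from Credential_Created is an assumption, since the tables only say that an existing credential may be revoked.

```python
# Credential lifecycle state machine. Added example, not ONAP code: it implements
# the states of section 2.4.2 and the operations of section 2.4.3, and models
# EXPIRE in both its explicit and its implicit (lifetime-driven) form.
# Subject names, timestamps and lifetimes below are constructed for the example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    NULL = "Credential_Null"
    CREATED = "Credential_Created"
    PROVISIONED = "Credential_Provisioned"
    EXPIRED = "Credential_Expired"
    REVOKED = "Credential_Revoked"


# (current state, operation) -> next state. Anything not listed is rejected, which
# encodes the rules of the tables: PROVISION is the way out of Credential_Created,
# UPDATE returns an expired credential to Credential_Provisioned, and no operation
# is valid once a credential is revoked. REVOKE from Credential_Created is an
# assumption; the tables only say that an existing credential may be revoked.
TRANSITIONS = {
    (State.NULL, "CREATE"): State.CREATED,
    (State.CREATED, "PROVISION"): State.PROVISIONED,
    (State.CREATED, "REVOKE"): State.REVOKED,
    (State.PROVISIONED, "UPDATE"): State.PROVISIONED,  # update internal parts only
    (State.PROVISIONED, "EXPIRE"): State.EXPIRED,
    (State.PROVISIONED, "REVOKE"): State.REVOKED,
    (State.EXPIRED, "UPDATE"): State.PROVISIONED,
    (State.EXPIRED, "REVOKE"): State.REVOKED,
}


def allowed(state: State, op: str) -> bool:
    """True if the operation is valid in the given state."""
    return (state, op) in TRANSITIONS


class InvalidTransition(Exception):
    """Raised when an operation is applied in a state where it is not valid."""


@dataclass
class Credential:
    subject: str                          # identity bound to the credential
    state: State = State.NULL
    not_after: Optional[datetime] = None  # defined lifetime; None means no implicit expiry
    history: List[Tuple[str, str]] = field(default_factory=list)

    def apply(self, op: str, not_after: Optional[datetime] = None) -> State:
        """Apply an explicit lifecycle operation, enforcing the transition table."""
        if not allowed(self.state, op):
            raise InvalidTransition(f"{op} is not valid in state {self.state.value}")
        if op in ("CREATE", "UPDATE") and not_after is not None:
            self.not_after = not_after    # issuing or renewing sets the lifetime
        self.state = TRANSITIONS[(self.state, op)]
        self.history.append((op, self.state.value))
        return self.state

    def validate(self, now: datetime) -> bool:
        """VALIDATE: True only if the credential grants access at time `now`.

        A provisioned credential whose defined lifetime has elapsed is moved to
        Credential_Expired first; that is the implicit form of EXPIRE.
        """
        if (self.state is State.PROVISIONED and self.not_after is not None
                and now >= self.not_after):
            self.apply("EXPIRE")
        return self.state is State.PROVISIONED


def run_lifecycle() -> List[str]:
    """Walk one credential through the full lifecycle; returns the states visited."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)           # constructed clock
    cred = Credential(subject="CN=example-onap-component")   # constructed subject
    cred.apply("CREATE", not_after=t0 + timedelta(days=30))  # issued externally (e.g. by a CA)
    created_ok = cred.validate(t0)                           # False: not yet provisioned
    cred.apply("PROVISION")
    live_ok = cred.validate(t0)                              # True
    late_ok = cred.validate(t0 + timedelta(days=31))         # False; state becomes Expired
    cred.apply("UPDATE", not_after=t0 + timedelta(days=365))  # renew: back to Provisioned
    renewed_ok = cred.validate(t0 + timedelta(days=31))      # True
    cred.apply("REVOKE")                                     # terminal: no further operations
    assert (created_ok, live_ok, late_ok, renewed_ok) == (False, True, False, True)
    return [state for _, state in cred.history]


if __name__ == "__main__":
    print(run_lifecycle())
```

Keeping the transition table as data, rather than as branches inside each operation, makes the policy reviewable at a glance and easy to diff against the tables in this section; `allowed()` can also be used to answer "which operations are valid now" without mutating the credential.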
2.4 Credential Management Input Requirements
The credential management solution considers the following:
...
<< Insert a section here detailing how the credential classifications are taken into account here. >>
2.5 ONAP Credential Management Overview
...
- Provisioning the credentials
<< insert here >> - Retrieving the credentials
For ONAP_Admin credentials:
NOTE to seccom: Probably should describe how this works for all lifecycle steps.
...