79b8e53441
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced `SbomService` tasks documentation. - Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`. - Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace. - Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories. - Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests. - Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace. - Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
22 lines
1.1 KiB
Markdown
22 lines
1.1 KiB
Markdown
# ICryptoProviderRegistry Prep — PREP-EVID-CRYPTO-90-001 (Draft)
|
|
|
|
Status: Draft (2025-11-20)
|
|
Owners: Evidence Locker Guild · Security Guild
|
|
Scope: Capture requirements for crypto provider registry readiness to support sovereign/region-specific profiles.
|
|
|
|
## Required capabilities
|
|
- Registry interface to resolve crypto providers by profile ID (e.g., `default`, `ru-offline`, `fips140`, `eidass`).
|
|
- Provider metadata: `{algorithms[], key_formats[], offline_supported, hsm_supported, oq_ready}`.
|
|
- Deterministic selection rules: prefer tenant-scoped overrides, fall back to platform defaults; no network fetch.
|
|
|
|
## Integration points
|
|
- Evidence Locker signing pipeline to request provider by profile when sealing bundles.
|
|
- Replay validation to know which algorithms/hashes are acceptable for DSSE verification.
|
|
|
|
## Dependencies
|
|
- Final list of sovereign profiles from Security Guild.
|
|
- Key storage/backing (KMS/HSM) availability per profile.
|
|
|
|
## Handoff
|
|
Use this as the prep artefact for PREP-EVID-CRYPTO-90-001; update once profile list and key storage rules are confirmed.
|