stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
d519782a8f0b30f425c9b6ae0f316b19259972a2
git.stella-ops.org/docs/modules/authority/prep/2025-11-20-auth-crypto-provider-prep.md
master d519782a8f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
prep docs and service updates
2025-11-21 06:56:36 +00:00

1.3 KiB
Raw Blame History

Authority Crypto Provider Contract Prep — PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI

Status: Draft (2025-11-20) Owners: Authority Core Guild · Security Guild Scope: Capture the provider/key/JWKS contract Authority must publish to unblock sovereign crypto enablement.

Required contract elements

  • Provider registry binding for Authority signing keys (FIPS, GOST, PQ optional): fields provider_id, key_id, alg, kid, usage, tenant_scope?.
  • JWKS export requirements: which keys exposed, x5u/x5c handling, kid format, and rotation cadence.
  • Signing profiles: mapping of Authority API operations to provider profiles (default, ru-gost, pq-experimental).
  • Determinism: canonical JSON for JWKS; stable kid composition (hash of public key + profile).

Acceptance / unblock criteria

  • Publish provider contract in docs/modules/authority/crypto-provider-contract.md (or update existing doc) with sample JWKS and provider config snippet.
  • Record schema hash/kid composition rule here and in Sprint 0514 Decisions/Risks.
  • Notify downstream consumers (Scanner, Attestor, Concelier) via sprint links once frozen.

Handoff

Use this doc as the prep artefact for PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI. Update with the final contract and samples; then set the sprint task to DONE and unblock AUTH-CRYPTO-90-001 implementation.