stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
e91da22836b05d27dbe9c1f6189098bebfb54cd7
git.stella-ops.org/docs/security/crypto-registry-decision-2025-11-18.md
master e91da22836
Some checks failed
api-governance / spectral-lint (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add new provenance and crypto registry documentation 
- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages.
- Added a comprehensive crypto registry decision document outlining defaults and required follow-ups.
- Created an offline feeds manifest for bundling air-gap resources.
- Implemented a script to generate and update binary manifests for curated binaries.
- Added a verification script to ensure binary artefacts are located in approved directories.
- Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload.
- Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts.
- Updated vendor manifest to track pinned binaries for integrity.
2025-11-18 23:47:13 +02:00

1.4 KiB
Raw Blame History

Crypto Registry Decision · 2025-11-18

Outcome

  • Agree to ship ICryptoProviderRegistry with the following defaults:
    • PreferredProviders (global default): default, ru.openssl.gost, ru.pkcs11.
    • ActiveProfile for RU/sovereign deployments: ru-offline with preferred order ru.cryptopro.csp, ru.openssl.gost, ru.pkcs11.
    • For non-RU deployments, ActiveProfile remains default.
  • Registry contract to be published via shared library (StellaOps.Cryptography stack) and referenced by EvidenceLocker/ExportCenter/TimelineIndexer and downstream services.
  • Deterministic config binding: keep profile names and provider IDs lowercase ASCII; enforce ISO-8601 UTC timestamps for any audit material generated by registry actions.

Rationale

  • Aligns with 2025-11-07 crypto routing audit (docs/security/crypto-routing-audit-2025-11-07.md) to ensure sovereign-ready providers are selectable without code changes.
  • Keeps default provider chain intact for non-sovereign deployments while enabling RU-specific stacks where mandated.

Required follow-ups

  • Publish NuGet/package update exposing the approved registry contract and provider IDs.
  • Update module hosts (EvidenceLocker, ExportCenter, TimelineIndexer, CLI) to bind StellaOps:Crypto:Registry using the defaults above.
  • Add CI smoke to assert registry resolves the chosen ActiveProfile on Linux and Windows.
  • Mirror decision into sprint docs for affected modules (160/161).