Requirements for the eID Server Zero-Trust solution

Problem:

In order to start writing down an ADR we need to first clarify the requirements for the zero-trust eID server.

Goal:

Clarify the requirements for the eID server.

ACs:

• Set up a meeting to discuss this and start drafting an ADR.
• Clarify the requirements for the following points:
  • What is the definition of zero trust? If we use eID, do we trust the eID server?
  • What should we trust, on what basis and in what circumstances?
  • Which PKI should we trust? Which sources of trust should we consider in the process?
  • Create an ADR based on the above definition.

Notes/ Resources:

• Requirements uIDs: LB_62, LB_63

→ Available information in the Leistungsbeschreibung:

• 4.1 Principles of architectural design
  • 4.1.2 Zero-Trust architecture
  • 4.1.2.1 All access to system components or data must be subject to strict authentication and authorization, regardless of location or origin.
  • 4.1.2.2 Identities must be continuously verified.