ZeroEcho

PKI Foundation Hardening and Regulated Operations Roadmap

This project tracks the hardening and completion of the PKI foundation in the pki module.

Scope

bootstrap and SPI wiring without implementation-specific dependencies
X.509 issuance and status infrastructure built on BC where JDK support is insufficient
profile-driven issuance for regulated environments
approval workflows, including multi-level and threshold approval
remote signing and delegated signing boundaries
ACME-ready architecture
audit, evidence, and operational consistency improvements
targeted refactoring of correctness and maintainability hotspots

Goal

Build a professional PKI foundation suitable for strongly regulated environments, with deterministic behavior, explicit governance, auditable workflows, and clean separation between PKI orchestration and cryptographic execution.

Backlog

Wire CredentialFrameworkProvider into PkiBootstrap without implementation-specific dependencies

#3 opened 2026-03-24 17:56:03 +01:00 by galambos

Define a first-class certificate profile engine for X.509 issuance

#4 opened 2026-03-24 17:57:14 +01:00 by galambos

Introduce approval workflows for issuance with assurance levels and M-of-N approval

#5 opened 2026-03-24 17:59:03 +01:00 by galambos

Add remote signing support as a first-class signing mode

#6 opened 2026-03-24 17:59:39 +01:00 by galambos

Design ACME integration on top of the profile and approval model

#7 opened 2026-03-24 18:00:22 +01:00 by galambos

Resolve the CRL_REVOKED_SERIAL vs SimpleAttributeSet.Builder semantic mismatch