Layer 7 (L7) - Key and Trust Management
Objective
Provide the full lifecycle for keys and trust anchors, including generation, rotation, distribution, attestation, archival, and destruction, with separation of duties enforced throughout.
Responsibilities
- Manage root and intermediate CAs and trust stores
- Generate keys inside validated boundaries and approved modes
- Provide attestation signals about platform and module state to relying systems
Common components
- Key management services and HSM-backed CAs
- Certificate lifecycle management and automated issuance
- Attestation frameworks and policy engines
Implementation guidance
- Generate keys in hardware when required. Use an approved key establishment scheme to distribute or wrap them
- Separate operator and auditor roles. Enforce approvals for sensitive operations
- Record provenance for keys and certificates and export signals to security monitoring
Validation and evidence
- Procedures for generation, rotation, archival, and destruction
- Attestation reports tied to module identity and platform state
- Audit trails with dual control for critical actions
Common pitfalls
- Generating keys outside the validated boundary
- Skipping rotation or using ad hoc key distribution
- Not anchoring trust to documented and controlled CAs
Relationship to other AFIPS Layers
| From | To | Why this edge exists | Typical operations | Evidence |
|---|---|---|---|---|
| L4 | L7 | Fetch verification keys or service certs | JWT or token verification, mTLS client certs. | Key ID match in logs |
| L7 | L0 | Generate and hold sensitive roots in hardware | Root CA keys, KEKs. | Dual control procedures, device inventory |
| L7 | L2 | Use approved wrapping and KDFs | RSA KTS, RSA OAEP, HKDF, PBKDF where approved. | Key wrap config and logs |
| L7 | L6 | Distribute trust anchors and certificates | mTLS, CRLs or OCSP. | Trust store baselines, issuance logs |
| L7 | L5 | Supply KEKs and rotation signals | DEK wrap or rewrap. | Rotation playbooks, wrap counts |
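The L7 to L5 edge above (DEK wrap or rewrap under a KEK, with wrap counts as evidence), as an added Go example that is not part of the AFIPS framework text: a toy in-process KEK store that versions KEKs, seals DEKs with AES-256-GCM bound to the KEK id, rewraps records on rotation, refuses retired versions, and keeps per-version wrap counts. The names (`KEKStore`, `Rotate`, `Retire`, `WrappedDEK`) are assumptions, AES-GCM stands in for whichever approved wrapping scheme from the L7 to L2 row a deployment uses, and a real L7 service would hold the KEKs in hardware rather than in a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// WrappedDEK is what the data layer (L5) stores; the DEK never reaches it in the clear. KEKID names the KEK version that sealed it, the value a "key ID match in logs" check compares. (Assumed type, not from the framework.)
type WrappedDEK struct{ KEKID string; Nonce, Blob []byte }
// KEKStore stands in for an L7 key service: versioned KEKs (in memory here, an HSM in practice) plus per-version wrap counts as evidence.
type KEKStore struct{ keks map[string][]byte; current string; WrapCount map[string]int }
// Rotate installs a fresh 256-bit KEK version as current; earlier versions stay for unwrap only.
func (s *KEKStore) Rotate(id string) error {
	if s.keks == nil { s.keks, s.WrapCount = map[string][]byte{}, map[string]int{} }
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return err }
	s.keks[id], s.current = kek, id
	return nil
}
// Retire destroys a KEK version; anything still sealed under it becomes unrecoverable, so rewrap first.
func (s *KEKStore) Retire(id string) { delete(s.keks, id) }
func (s *KEKStore) gcm(id string) (cipher.AEAD, error) {
	kek, ok := s.keks[id] // unknown or retired versions are refused rather than silently substituted
	if !ok { return nil, errors.New("unknown or retired KEK: " + id) }
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Wrap seals a DEK under the current KEK, binding the KEK id as associated data so a blob cannot be quietly re-labelled as belonging to another version.
func (s *KEKStore) Wrap(dek []byte) (WrappedDEK, error) {
	g, err := s.gcm(s.current)
	if err != nil { return WrappedDEK{}, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return WrappedDEK{}, err }
	s.WrapCount[s.current]++ // evidence column of the table: wrap counts per KEK version
	return WrappedDEK{s.current, nonce, g.Seal(nil, nonce, dek, []byte(s.current))}, nil
}
func (s *KEKStore) Unwrap(w WrappedDEK) ([]byte, error) {
	g, err := s.gcm(w.KEKID)
	if err != nil { return nil, err }
	return g.Open(nil, w.Nonce, w.Blob, []byte(w.KEKID))
}
// Rewrap moves a record to the current KEK without handing the DEK back to the caller.
func (s *KEKStore) Rewrap(w WrappedDEK) (WrappedDEK, error) {
	dek, err := s.Unwrap(w)
	if err != nil { return WrappedDEK{}, err }
	return s.Wrap(dek)
}
```

A rotation playbook built on this would rotate, rewrap every record whose KEKID is not current, confirm the old version's unwrap count has gone quiet in the logs, and only then retire it.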