Initialize ops repository
27
00-doctrine/identity-law.md
Normal file
@@ -0,0 +1,27 @@
# Identity Law
## Principles
- Operate via **roles**, not personalities.
- Issue access as **leases** (time-bound, revocable), not permanence.
- Prefer **short-lived credentials** over long-lived secrets.
- Public keys are safe to store; private keys are not.
## In-repo boundaries
- Role definitions live in `20-identity/roles/`.
- Policies and intent live in `20-identity/policies/`.
- Leases (who/what has access, until when) live in `20-identity/leases/`.
- Public keys live in `20-identity/keys/public/`.
- Private keys and plaintext secrets never live in this repo.
## Required properties (revocation)
Every identity mechanism must support:
1. **Revoke**: shut it off quickly.
2. **Rotate**: replace it predictably.
3. **Prove**: show what changed and when.
If any of the above is not true, the mechanism does not belong in the core.
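Review bot: In the `## Required properties (revocation)` list, "quickly" (Revoke) and "predictably" (Rotate) leave the requirements untestable; state a maximum revocation latency and a rotation interval, or name where those numbers are defined (e.g. in `20-identity/policies/`), so a mechanism can actually be checked against the doctrine before it is admitted to "the core". Likewise, "Private keys and plaintext secrets never live in this repo" under `## In-repo boundaries` names no enforcement; one sentence pointing at the check that guards it (secret scanning in CI or a pre-commit hook) turns the rule from a statement of intent into something the repo verifies, and the leases bullet would benefit from saying that the "until when" expiry is a required field of every file in `20-identity/leases/`, since the Revoke property depends on it.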