# SDOP-app-v.2
building an application to deliver ca
# SDOP — Self-Service Device Onboarding Portal

**Bell Retail Zero Trust Device Registration System**

A comprehensive web application suite for securely enrolling unmanaged retail devices with Bell's PKI infrastructure, enabling Okta Userless Device Signal (UDS) for shared and BYOD environments.

---

## 🚀 Live Demos

**GitHub Pages:** https://gabrielvaillancourt2024-source.github.io/SDOP-app-v.2/

### Interactive Applications:

1. **[Landing Page](https://gabrielvaillancourt2024-source.github.io/SDOP-app-v.2/)** — Overview with quick links
2. **[SDOP App](https://gabrielvaillancourt2024-source.github.io/SDOP-app-v.2/SDOP-App.html)** — End-user device registration
3. **[Admin Console](https://gabrielvaillancourt2024-source.github.io/SDOP-app-v.2/SDOP-Admin.html)** — IT governance dashboard
4. **[Architecture Docs](https://gabrielvaillancourt2024-source.github.io/SDOP-app-v.2/SDOP-Architecture.html)** — RFC v3.1 reference

---

## 📋 Overview

SDOP replaces Bell's legacy Arcot machine registration system with a modern, Zero Trust-aligned device onboarding platform. It addresses the critical challenge of establishing cryptographic device trust across a retail fleet that is roughly **80% unmanaged devices**, without requiring Mobile Device Management (MDM).

### Key Problem Solved

Bell retail applications are migrating to Okta for authentication. Okta requires a **client certificate on each device** to activate Userless Device Signal (UDS) — but there's no scalable way to distribute Bell CA certificates to unmanaged endpoints. SDOP solves this through a **"Pull" enrollment model** where authenticated Store Managers download and install certificates via a web portal.

---

## ✨ Features

### 🔐 **Zero Trust Architecture**
- Explicit separation of **Authentication** (Okta), **Device Trust** (SDOP + UDS), and **Authorization** (InfoNet/SiteMinder)
- No implicit trust — continuous verification required
- Device trust independent of user identity

### 📱 **Multi-OS Support**
- **Windows**: Signed PowerShell script → LocalMachine cert store
- **macOS/iOS**: Apple .mobileconfig profile → System Keychain
- **Android**: PKCS#12 with QR code password delivery

### 🔄 **Lifecycle Management**
7 explicit device states: `UNENROLLED`, `ENROLLING`, `BOOTSTRAP-TRUSTED`, `ACTIVE`, `SUSPENDED`, `REVOKED`, `EXPIRED`. Trust is granted only in `ACTIVE`; `REVOKED` is terminal, and `BOOTSTRAP-TRUSTED` is a temporary state used only for new-store onboarding.

Real-time lifecycle enforcement with automated revocation triggers.

### 🎯 **Three Enrollment Models**

1. **Self-Service** — Low-risk Store Manager enrollment (no approval)
2. **Managed Enrollment** — MSP/IT Service Desk with authorization windows
3. **Bootstrap Enrollment** — New store onboarding with temporary trust

### 🛡️ **Security-First Design**
- Phase 1: Server-assisted key gen in volatile memory (mandatory 18mo sunset)
- Phase 2: Hardware-backed keystores (TPM 2.0, Secure Enclave, Android HW Keystore)
- Private keys marked non-exportable where the platform keystore supports it
- Single-use, short-lived download tokens
- Full audit trail to SIEM

---

## 🧭 Demo Walkthrough

### 1️⃣ **SDOP Application** (`SDOP-App.html`)
**The actual device registration experience** — complete interactive workflow

**Try it:**
- Login with any credentials (demo accepts all — format: `dealerid.userid`)
- Watch live device checks run
- Name your device
- See certificate generation with freshly generated UUIDs and serial numbers
- OS-specific installer download
- Okta Verify simulation
- Full device inventory management

**What you'll see:**
- ✅ Okta OIDC authentication flow with MFA
- ✅ 5 live device eligibility checks (registry, role, risk, OS, quota)
- ✅ Real-time certificate generation (7 PKI operations animated)
- ✅ OS auto-detection with manual override modal
- ✅ Step-by-step install instructions (PowerShell / .mobileconfig / PKCS#12)
- ✅ Okta Verify QR code binding
- ✅ Device lifecycle state tracking
- ✅ Suspend / Revoke controls

---

### 2️⃣ **Architecture Documentation** (`SDOP-Architecture.html`)
**RFC v3.1 Technical Reference** — 9 comprehensive tabs

**Explore:**
- **Architecture** — Layered diagram with trust boundaries (Okta, Bell PKI, Registry, InfoNet)
- **Enrollment Flows** — Self-Service, Managed, Bootstrap with governance matrix
- **Lifecycle** — All 7 states + permitted transitions table
- **PKI & Crypto** — Phase 1 vs Phase 2 key generation, certificate profiles, SCEP vs EST vs PKCS#12 rationale
- **Threat Model** — 8 identified threats with mitigations and residual risk
- **Arcot vs SDOP** — Legacy comparison table
- **OS Payloads** — Windows / macOS / Android delivery mechanisms
- **Metrics** — Success criteria (90% device-trusted auth rate, <5min enrollment, etc.)
- **Glossary** — All RFC terminology

---

## 🏗️ Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│  Retail Devices (Windows, macOS, iOS, Android)                 │
│  🖥️ POS  💻 Workstations  📱 Shared Devices  🤖 BYOD          │
└────────────────────────┬────────────────────────────────────────┘
                         │
        ┌────────────────┼────────────────┐
        │                │                │
   ┌────▼─────┐    ┌─────▼──────┐   ┌────▼─────┐
   │  Okta    │    │ InfoPoint  │   │ Direct   │
   │Dashboard │    │  Portal    │   │   URL    │
   └────┬─────┘    └─────┬──────┘   └────┬─────┘
        │                │                │
        └────────────────┼────────────────┘
                         │
                 ┌───────▼────────┐
                 │  Okta IdP      │  ← Authentication Boundary
                 │  MFA · UDS     │
                 └───────┬────────┘
                         │
          ┌──────────────▼───────────────┐
          │       SDOP Web App           │  ← Device Trust Boundary
          │  (Registration Authority)    │
          └──┬────────────┬──────────┬───┘
             │            │          │
    ┌────────▼──┐  ┌──────▼─────┐  ┌▼────────────┐
    │ Bell      │  │ Device     │  │ Audit Log   │
    │ Retail CA │  │ Registry   │  │ / SIEM      │
    │ (HSM)     │  │ (Lifecycle)│  │             │
    └───────────┘  └────────────┘  └─────────────┘
                         │
          ┌──────────────▼───────────────┐
          │   InfoNet · SiteMinder       │  ← Authorization Boundary
          │   (Dealer/Entity Scope)      │
          └──────────────────────────────┘
```

### Trust Separation Principle

**No single component crosses all three trust boundaries:**

1. **Authentication** (Okta) — Who is the user?
2. **Device Trust** (SDOP + UDS) — Is the device legitimate?
3. **Authorization** (InfoNet/SiteMinder) — What can the user access?

---

## 📊 Key Metrics (Success Criteria)

| Metric | Target | Timeline |
|--------|--------|----------|
| Device-Trusted Authentication Rate | ≥90% | 6 months |
| Avg Device Enrollment Time | <5 min | From access to ACTIVE |
| Mean Time to Revocation (Auto) | <15 min | Near real-time |
| Support Ticket Reduction | -40% | vs Arcot baseline |
| Phase 2 Hardware Readiness | ≥85% | Triggers Phase 1 sunset |

---

## 🔑 Core Components

### SDOP Application
- **Role**: Registration Authority (RA) + device lifecycle control plane
- **Does**: Certificate request orchestration, registry management, governance enforcement
- **Does NOT**: Certificate signing (delegated to CA), business authorization (delegated to InfoNet)

### Bell Retail PKI
- **Root CA**: Offline, air-gapped
- **Intermediate CA**: HSM-backed, FIPS-aligned
- **Certificates**: 5-year validity, non-meaningful Subject CN (random UUID), no dealer/user info embedded

### Device Registry
- **Stores**: Certificate UUID, dealer scope, lifecycle state, Okta device ID, enrollment metadata
- **Purpose**: Authoritative device trust context (not authorization)

### Okta Integration
- **Authentication**: OIDC Authorization Code flow, MFA enforcement
- **Device Signals**: Okta Verify binding + Userless Device Signal (UDS)
- **Critical**: UDS enables shared device trust without per-user enrollment

---

## 🔄 Device Lifecycle States

```
UNENROLLED
    ↓ (user initiates enrollment)
ENROLLING
    ↓ (cert issued + Okta Verify binding)
ACTIVE ⭐ ← Trust granted here only
    ↓ (admin action / inactivity / policy)
SUSPENDED
    ↓ (reinstatement, Bell IT approval required) → back to ACTIVE
    ↓ (escalation)
REVOKED (terminal)

ACTIVE
    ↓ (certificate validity period ends)
EXPIRED
    ↓ (re-enrollment only)
ENROLLING

Special: BOOTSTRAP-TRUSTED (new stores only)
    ↓ (user auth + finalization required)
ACTIVE
```

**Forbidden Transitions:**
- ❌ BOOTSTRAP-TRUSTED → ACTIVE without user authentication
- ❌ REVOKED → ACTIVE (permanent)
- ❌ EXPIRED → ACTIVE without re-enrollment

---

## 🛡️ Security Model

### Phase 1: Server-Assisted Key Generation (Transitional)
- RSA-2048 generated in **volatile server memory**
- Immediate zeroization after PKCS#12 packaging
- Memory locking to prevent swapping
- Single-use, session-bound download tokens
- **Mandatory sunset**: 18 months OR ≥85% hardware keystore adoption

### Phase 2: Hardware-Backed (Target State)
- **Windows**: TPM 2.0 with EK/AIK attestation
- **Apple**: Secure Enclave with DeviceCheck / App Attest
- **Android**: Hardware-backed Keystore attestation
- Private keys **never leave the device**
- Protocol evolution to EST or equivalent

### Threat Model (8 Threats Analyzed)

| Threat | Residual Risk |
|--------|--------------|
| Certificate copied to another device | **Low** (UDS binds additional signals) |
| Certificate + UDID copied together | **Low-Medium** (behavioral detection) |
| Credential phishing without device | **Low** (device trust required) |
| Credential phishing with trusted device | **Medium** (dynamic authz enforced) |
| Malicious Store Manager enrollment | **Medium** (rate-limited, audited) |
| Lost or stolen device | **Low** (MFA + revocation) |
| SDOP application compromise | **Medium** (no Root CA access) |
| Token replay/reuse | **Low** (nonce validation) |
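The single-use, session-bound download tokens from the Phase 1 list and the "Token replay/reuse" row in the table above, shown as working code. This is an added example, not the project's own code: the README specifies the token properties (short-lived, single-use, bound to the enrolling session, replay rejected by nonce validation); the encoding as an HMAC-SHA256-signed JSON body, the 120-second default lifetime, the claim names, and the in-memory consumed-nonce table are assumptions for illustration.

```python
"""Single-use, short-lived, session-bound PKCS#12 download tokens (added example).

Assumptions: token format (base64url JSON body + HMAC-SHA256 tag), claim names,
120 s default TTL, in-memory consumed-nonce table. A production RA would keep the
consumed set in shared storage so a replay against a second instance also fails.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DownloadTokens:
    def __init__(self, key: bytes, ttl_seconds: int = 120):
        if len(key) < 32:
            raise ValueError("use a signing key of at least 32 bytes")
        self._key = key
        self._ttl = ttl_seconds
        self._consumed: Dict[str, int] = {}  # jti -> exp, so stale nonces can be pruned

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def issue(self, session_id: str, cert_uuid: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        claims = {
            "jti": secrets.token_urlsafe(16),  # nonce: exactly one redemption
            "sid": session_id,                 # bound to the enrolling session
            "cert": cert_uuid,                 # which PKCS#12 package this unlocks
            "exp": int(now) + self._ttl,
        }
        body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        return f"{body}.{self._sign(body)}"

    def redeem(self, token: str, session_id: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Validate and consume a token. Returns (True, cert_uuid) or (False, reason)."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, tag = parts
        # Verify the MAC in constant time before parsing anything inside the body.
        if not hmac.compare_digest(tag, self._sign(body)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if now > claims["exp"]:
            return False, "expired"
        if claims["sid"] != session_id:
            return False, "session mismatch"
        if claims["jti"] in self._consumed:
            return False, "replayed"
        self._consumed[claims["jti"]] = claims["exp"]
        self._prune(now)
        return True, claims["cert"]

    def _prune(self, now: float) -> None:
        # An expired nonce can never validate again, so it need not be remembered.
        for jti, exp in list(self._consumed.items()):
            if now > exp:
                del self._consumed[jti]


if __name__ == "__main__":
    store = DownloadTokens(secrets.token_bytes(32))
    tok = store.issue("sess-A", "7a1c-demo-cert")
    print(store.redeem(tok, "sess-A"))   # (True, '7a1c-demo-cert')
    print(store.redeem(tok, "sess-A"))   # (False, 'replayed')
```

The order of checks matters: the MAC is verified before the body is decoded, so nothing attacker-controlled is parsed until it has been authenticated, and expiry is checked before the nonce is recorded, so expired tokens never grow the consumed table.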

---

## 🎮 Application Suite

### 1️⃣ **SDOP Application** (`SDOP-App.html`)
**End-user device registration experience**

**Features:**
- Okta OIDC login with MFA (Push/TOTP)
- 5 live device eligibility checks
- OS auto-detection (Windows/macOS/iOS/Android)
- Certificate generation with UUID/serial tracking
- OS-specific installers (PowerShell/.mobileconfig/PKCS#12)
- Okta Verify binding simulation
- Device inventory with lifecycle controls
- Dealer hierarchy (Entity vs POD scoping)
- Enrollment velocity detection (7+ in 5min = high-risk)
- Automatic approval workflow creation
- Reinstatement requests (always require IT approval)

### 2️⃣ **SDOP Admin Console** (`SDOP-Admin.html`)
**Bell IT Security governance dashboard**

**9 Main Sections:**
1. **Dashboard** — Real-time metrics, recent activity, growth trends
2. **Device Registry** — Complete inventory with UUID, serial, expiry, filters, CSV export
3. **Pending Approvals** — High-risk enrollments, reinstatements, SLA tracking, approve/reject
4. **Lifecycle Events** — State transitions, event filtering, actor tracking
5. **Threat Detection** — Anomaly alerts, detection rules, severity classification
6. **Audit Logs** — Immutable trail, SIEM export, date/type filtering
7. **Compliance Reports** — 6 report templates, scheduled reports, compliance rate
8. **Governance Policies** — Velocity limits, approval thresholds, cert lifecycle
9. **PKI Configuration** — CA status, certificate templates, HSM integration

**Pre-populated Data:**
- 15 sample devices across multiple dealers
- 3 pending approval requests
- 20 lifecycle events
- 5 threat detections (2 active, 3 resolved)

### 3️⃣ **Architecture Documentation** (`SDOP-Architecture.html`)
**RFC v3.1 Technical Reference — 9 interactive tabs**

---

## 📁 Files in This Repository

### Applications
- **`index.html`** — Landing page with overview and quick links
- **`SDOP-App.html`** — End-user device registration application (Store Managers)
- **`SDOP-Admin.html`** — IT admin governance console (Bell IT Security)
- **`SDOP-Architecture.html`** — RFC v3.1 technical documentation

### Documentation
- **`README.md`** — This file

---

## 🎯 Use Cases

### ✅ **Supported Scenarios**
- Retail POS terminals (shared, unmanaged)
- Store workstations (rebuilt frequently)
- Manager BYOD devices (personal phones/tablets)
- New store onboarding (Bootstrap enrollment)
- MSP-managed deployments (CGI, Staples IT)
- Device recovery after loss/theft/rebuild

### ❌ **Out of Scope**
- Corporate Bell employee workstations (use Corporate PKI)
- Endpoint compliance enforcement (no MDM)
- Network security controls (no VPN/firewall function)
- Business authorization policy (delegated to InfoNet)

---

## 🚦 Governance Model

### Low-Risk (Self-Service)
✅ Store Manager within primary dealer  
✅ Normal enrollment velocity  
✅ Device passes all checks  
➡️ **Immediate ACTIVE** (no approval)

### High-Risk (Approval Required)
⚠️ Enrollment velocity exceeds norms  
⚠️ Bulk onboarding / new store  
⚠️ Re-enrollment after suspension/revocation  
➡️ **Bell IT approval + scoped window**

### Managed Enrollment
🏢 MSP executes on behalf of Bell IT  
🏢 Authorization window pre-approved  
🏢 Quota-limited, time-bound  
➡️ **No user auth at install time**
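The three governance paths above (self-service, approval required, managed enrollment), together with the velocity rule from the application feature list (7 or more enrollments in 5 minutes is high-risk), as a classification routine. This is an added example, not the project's own code: the rules are the README's; counting velocity per dealer, the request field names, the outcome labels, and the shape of the managed-enrollment window are assumptions for illustration.

```python
"""Enrollment risk classification for the SDOP governance model (added example).

Assumptions: velocity is counted per dealer in a sliding window; field names,
outcome labels and the ManagedWindow shape are illustrative, not from the RFC.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

VELOCITY_LIMIT = 7      # "7+ in 5min = high-risk"
VELOCITY_WINDOW = 300   # seconds


class VelocityTracker:
    """Sliding-window count of enrollment attempts per dealer (assumed scope)."""

    def __init__(self, limit: int = VELOCITY_LIMIT, window: int = VELOCITY_WINDOW):
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, dealer_id: str, now: float) -> int:
        q = self._events[dealer_id]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop attempts outside the window
            q.popleft()
        return len(q)


@dataclass
class EnrollmentRequest:
    dealer_id: str
    user_primary_dealer: str
    user_role: str               # resolved from InfoNet at request time, never cached
    prior_state: str = "UNENROLLED"
    checks_passed: bool = True   # registry / role / risk / OS / quota checks
    new_store: bool = False


def classify(req: EnrollmentRequest, tracker: VelocityTracker, now: float) -> Tuple[str, List[str]]:
    """Return ("SELF_SERVICE" | "APPROVAL_REQUIRED" | "REJECTED", reasons)."""
    if not req.checks_passed:
        return "REJECTED", ["device failed eligibility checks"]
    reasons: List[str] = []
    n = tracker.record(req.dealer_id, now)
    if n >= tracker.limit:
        reasons.append(f"velocity: {n} enrollments in {tracker.window}s")
    if req.new_store:
        reasons.append("bulk onboarding / new store")
    if req.prior_state in ("SUSPENDED", "REVOKED"):
        reasons.append(f"re-enrollment after {req.prior_state}")
    if req.dealer_id != req.user_primary_dealer:
        reasons.append("outside the manager's primary dealer")
    if req.user_role != "STORE_MANAGER":
        reasons.append(f"role {req.user_role} is not eligible for self-service")
    return ("APPROVAL_REQUIRED", reasons) if reasons else ("SELF_SERVICE", [])


@dataclass
class ManagedWindow:
    """Pre-approved MSP enrollment window: dealer-scoped, time-bound, quota-limited."""
    dealer_id: str
    start: float
    end: float
    quota: int
    used: int = 0

    def consume(self, dealer_id: str, now: float) -> Tuple[bool, str]:
        if dealer_id != self.dealer_id:
            return False, "window is scoped to another dealer"
        if not (self.start <= now <= self.end):
            return False, "outside authorization window"
        if self.used >= self.quota:
            return False, "quota exhausted"
        self.used += 1
        return True, f"{self.used}/{self.quota} used"


if __name__ == "__main__":
    tracker = VelocityTracker()
    req = EnrollmentRequest("D100", "D100", "STORE_MANAGER")
    for t in range(8):   # the seventh attempt inside the window trips the limit
        print(t, classify(req, tracker, now=1000 + t))
```

A self-service outcome maps to immediate `ACTIVE`; an approval-required outcome should create the pending-approval record the Admin Console reviews, carrying the reasons list so the reviewer sees why the request was escalated.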

---

## 📖 RFC Reference

This implementation is based on **RFC v3.1** (2026-02-09) authored by Gabriel Vaillancourt.

**Document Control:**
- Status: Draft / Proposed
- Target: Devs, PKI/CA Architecture, Security, Retail IT
- Purpose: Arcot replacement + Okta UDS enablement

**Key Sections:**
- Section 6: High-Level Architecture
- Section 7: Authentication, Identity Resolution, Trust Signals
- Section 10: Device Certificate Model
- Section 11: Certificate Enrollment Protocol Selection (PKCS#12 rationale)
- Section 14: Lifecycle Management & Governance (authoritative)
- Section 17: Threat Model
- Section 18: Arcot vs SDOP Comparison

---

## 🔗 Integration Points

### Okta
- **OIDC Client**: Authorization Code flow with PKCE
- **MFA**: Enforced via Okta risk policies
- **Device Signals**: Okta Verify + UDS
- **API**: Devices API for lifecycle sync

### Bell Retail PKI
- **CA Interface**: Authenticated API for cert issuance/revocation
- **CRL/OCSP**: Published endpoints for cert validation
- **Audit**: Structured events to SIEM

### InfoNet
- **User Roles**: Store Manager, Retail Admin identification
- **Dealer Scope**: Primary dealer + entity resolution
- **Dynamic Resolution**: No cached entitlements

### SiteMinder
- **Unchanged**: Continues as policy enforcement point for retail apps
- **Device Context**: SDOP registry state evaluated as additional signal

---

## 💡 Design Principles

1. **Identity-First, Device-Aware** — User identity always established first, device trust evaluated as required signal
2. **Lifecycle as First-Class Control** — Enrollment is not a one-time event; trust is continuously managed
3. **Separation of Trust Domains** — Authentication ≠ Device Trust ≠ Authorization
4. **Zero Trust Alignment** — No implicit trust from network location or prior enrollment
5. **Enabling Trust Without Management** — CA bootstrap on unmanaged devices via PKCS#12
6. **Fail Secure** — Compromise of any single signal does not grant persistent access

---

## 🎨 Frontend Design

**Aesthetic Direction**: Enterprise-grade, refined minimalism with **unexpected typographic choices**

- **Fonts**: Instrument Sans + Instrument Serif + Geist Mono (no Inter/Roboto)
- **Color Palette**: Bell blue primary (#0057a8) with success/warn/danger states
- **Motion**: Orchestrated page-load animations with staggered reveals
- **Composition**: Clean card-based layouts with generous whitespace
- **Forms**: High-contrast borders, clear focus states, real-time validation
- **No Generic AI Aesthetics**: Every design decision is intentional and context-specific

---

## 📝 License

**Proprietary** — Bell Canada Internal Use Only

This is a reference implementation for Bell's Retail Device Onboarding Portal based on RFC v3.1. Not for external distribution or commercial use.

---

## 👤 Author

**Gabriel Vaillancourt**  
RFC Author & SDOP Architecture Lead  
Bell Canada — Retail IT & Security

---

## 🙏 Acknowledgments

Built with insights from:
- Bell PKI/CA Architecture Team
- Bell Retail IT Operations
- Okta Identity Platform Team
- InfoNet Authorization Team
- Security Operations & Governance

---

## 📬 Support

For questions about SDOP architecture, implementation, or governance:
- Review the full RFC v3.1 in `SDOP-Architecture.html`
- Check the Glossary tab for terminology
- Consult the Threat Model for security scenarios

---

**Zero Trust. Lifecycle-Driven. Identity-First.**

🔐 SDOP — Replacing Arcot with modern device trust for Bell Retail.
