FR-03 Ensure Data Integrity and Authenticity

[danisoler-charin]

Description: The system shall ensure the integrity and authenticity of all certificate requests and responses exchanged between pools.
Use Case: Any inter-pool communication
Already in OPNC 1?: This FR has been flagged as possible with current version through
"Oauth2 Access with Roles and Rights concept"

I have reviewed the code and understand the following:

Using OAuth2 Access with Roles and Rights means:
-Only authorized pools can make certificate requests.
-Each request is signed, so it can’t be modified undetected.
-The identity and permissions of the requester are verified with each request.

Under 04_authentication.md there is the RECOMMENDATION to use OAuth2 as authentincation method.

Please:

1. Validate that OAuth2 is enough and currently feasible
2. Should this be a requirement rather than a recommendation?
3. How does this connect with OPNC code? is there any changes needed?

[danisoler-charin]

After discussion on 09/07/25:
Current feasibility:
The existing OAuth2 implementation works to ensure data integrity and authenticity between pools in the current setup.

Limitation identified:
Each pool runs its own Identity Provider (IDP), leading to inconsistency and potential interoperability issues in cross-pool authentication.

Key open questions:

• Should OAuth2 be upgraded from a recommendation to a requirement in the OPNC specification to ensure interoperability?
• Is there a need for a central registration authority or unified IDP to manage cross-pool authentication effectively?
• Unclear if improvements in coding are needed or if the current approach is sufficient for OPNC v1.1