
Quorum / M-of-N authorization for sensitive key operations #887

@Manuthor

Description

Summary

High-value key operations (CA key creation, key export, key destruction) should require explicit approval from at least M of N designated custodians before execution. This is required by PCI-DSS 3.6.6 and FIPS 140-3 Level 3 operational guidance.

Impact

  • Regulated financial and government entities block key lifecycle without quorum enforcement
  • Single-person key operations are a compliance finding in PCI-DSS and ISO 27001 audits
  • Required for key custodian workflows common in PKI, payment, and defence deployments

Implementation plan

  1. New QuorumPolicy attribute on key objects:
    { min_approvers: N, approvers: [uid1, uid2, ...], operations: [Export, Destroy, Sign] }
  2. New pending-op store crate/server_database/src/stores/sql/quorum_store.rs
  3. New Actix scope crate/server/src/routes/quorum/:
    • POST /quorum/operations — request a guarded operation
    • POST /quorum/operations/{id}/approve
    • POST /quorum/operations/{id}/reject
    • GET /quorum/operations/{id} — check status
  4. Execute the deferred KMIP operation when len(approvals) >= min_approvers
  5. OTel event per approval/rejection

Effort: Large (6-8 weeks) | Requires #651 (RBAC)
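As an added illustration of the approval state machine that steps 1, 4 and the approve/reject routes describe, the following Rust sketch is not the project's code and is not taken from the issue; it models only the in-memory state a pending-op store would hold, not the Actix routes, the SQL store, or the OTel events. The type and function names (QuorumPolicy, PendingOperation, approve, reject), the rule that the requester cannot count toward its own quorum, and the rule that one rejection terminates the request are assumptions made here for the example.

```rust
use std::collections::HashSet;

/// Guarded operations named in the issue (a subset of the KMIP operations).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Operation { Export, Destroy, Sign }

/// Per-key policy: at least `min_approvers` distinct members of `approvers`
/// must approve before any operation in `operations` executes.
#[derive(Debug, Clone)]
pub struct QuorumPolicy {
    pub min_approvers: usize,
    pub approvers: HashSet<String>,
    pub operations: HashSet<Operation>,
}

impl QuorumPolicy {
    /// Refuse degenerate policies: M must satisfy 1 <= M <= N, otherwise the
    /// guard is either a no-op (M = 0) or can never be satisfied (M > N).
    pub fn new(min_approvers: usize, approvers: &[&str], operations: &[Operation]) -> Result<Self, String> {
        let approvers: HashSet<String> = approvers.iter().map(|s| s.to_string()).collect();
        if min_approvers == 0 || min_approvers > approvers.len() {
            return Err(format!("min_approvers must be in 1..={}, got {}", approvers.len(), min_approvers));
        }
        Ok(Self { min_approvers, approvers, operations: operations.iter().copied().collect() })
    }

    /// Whether `op` must go through the quorum flow at all.
    pub fn guards(&self, op: Operation) -> bool {
        self.operations.contains(&op)
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Status { Pending, Approved, Rejected }

#[derive(Debug, PartialEq, Eq)]
pub enum QuorumError {
    NotAnApprover(String),
    SelfApproval,
    DuplicateApproval(String),
    NotPending(Status),
}

/// One deferred operation as it would sit in the pending-op store.
#[derive(Debug)]
pub struct PendingOperation {
    pub id: u64,
    pub op: Operation,
    pub requester: String,
    pub approvals: HashSet<String>,
    pub status: Status,
}

impl PendingOperation {
    /// POST /quorum/operations: park the operation until the quorum is met.
    pub fn request(id: u64, op: Operation, requester: &str) -> Self {
        Self { id, op, requester: requester.to_string(), approvals: HashSet::new(), status: Status::Pending }
    }

    /// POST /quorum/operations/{id}/approve. Returns Ok(true) exactly when this
    /// approval reaches the quorum, i.e. when the deferred KMIP operation may run.
    pub fn approve(&mut self, policy: &QuorumPolicy, uid: &str) -> Result<bool, QuorumError> {
        if self.status != Status::Pending {
            return Err(QuorumError::NotPending(self.status.clone()));
        }
        if !policy.approvers.contains(uid) {
            return Err(QuorumError::NotAnApprover(uid.to_string()));
        }
        // Assumption (not stated in the issue): the requester never counts toward
        // its own quorum, otherwise M-of-N silently degrades to (M-1)-of-N.
        if uid == self.requester {
            return Err(QuorumError::SelfApproval);
        }
        // HashSet::insert returns false on a repeat, so one custodian cannot
        // approve twice to reach the threshold alone.
        if !self.approvals.insert(uid.to_string()) {
            return Err(QuorumError::DuplicateApproval(uid.to_string()));
        }
        if self.approvals.len() >= policy.min_approvers {
            self.status = Status::Approved;
            return Ok(true);
        }
        Ok(false)
    }

    /// POST /quorum/operations/{id}/reject. Assumption: a single rejection by any
    /// designated approver terminates the request; it cannot be re-opened.
    pub fn reject(&mut self, policy: &QuorumPolicy, uid: &str) -> Result<(), QuorumError> {
        if self.status != Status::Pending {
            return Err(QuorumError::NotPending(self.status.clone()));
        }
        if !policy.approvers.contains(uid) {
            return Err(QuorumError::NotAnApprover(uid.to_string()));
        }
        self.status = Status::Rejected;
        Ok(())
    }
}

fn main() {
    // Constructed sample: 2-of-3 custodians guard Export and Destroy on one key.
    let policy = QuorumPolicy::new(2, &["alice", "bob", "carol"], &[Operation::Export, Operation::Destroy]).unwrap();
    let mut op = PendingOperation::request(1, Operation::Destroy, "alice");
    println!("bob approves   -> {:?}", op.approve(&policy, "bob"));
    println!("bob again      -> {:?}", op.approve(&policy, "bob"));
    println!("carol approves -> {:?} (status {:?})", op.approve(&policy, "carol"), op.status);
}
```

The checks that matter from an audit standpoint are the three refusals: a non-approver, the requester, and a repeated approver all fail before the counter moves, so `len(approvals) >= min_approvers` in step 4 only ever counts distinct designated custodians other than the requester. A real store would also need the approval set persisted transactionally so that two concurrent approve calls cannot both observe `len == M-1` and both execute the operation.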

Labels: enhancement (New feature or request)