Clarifying A04:2021 – Insecure Design "key flows"

[websec119]

A04:2021 – Insecure Design

How to Prevent 3rd item Use threat modeling for critical authentication, access control, business logic, and key flows

In this explanation, which do you mean by "key flows".

• Critical or important flows in application? (Key means important)
• Cryptographic operation or process? (Key means crypto key)

[jmanico]

I would use "key lifecycle. Cryptographic operations seems ok as is. Just my 2 cents.