[cryptography] airgaps in CAs

Martin Paljak martin at martinpaljak.net
Fri Dec 9 00:15:07 EST 2011

On 12/9/11 6:16 , Peter Gutmann wrote:
> Arshad Noor <arshad.noor at strongauth.com> writes:
>> Every private PKI we have setup since 1999 (more than a dozen, of which a few 
>> were for the largest companies in the world) has had the Root CA on a 
>> non-networked machine with commensurate controls to protect the CA.
> What about TSAs, where you need a key with an irrevocable cert active on a 
> machine directly connected to the Internet?

Then why not use GuardTime or some similar service:


I believe that for actual sub-CA-s issuing certificates to users, it is
quite common to have them on-line to some extent (ip-net not
sneakernet). Especially in commercial CA world.


More information about the cryptography mailing list