[cryptography] airgaps in CAs

Adam Back adam at cypherspace.org
Fri Dec 9 03:27:09 EST 2011

Hi Arshad

Do the air-gapped private PKI root certs (and if applicable their
non-airgapped sub-CA certs they authorize) have the critical name constraint
extension, e.g. ".foocorp.com", meaning it is only valid for creating certs for

(I am presuming these private PKI certs are sub-CA certs certified by a CA
listed in browsers.)


On Thu, Dec 08, 2011 at 10:04:05AM -0800, Arshad Noor wrote:
> I am aware of at least one public CA - still in business - that
> fits this description.
> Every private PKI we have set up since 1999 (more than a dozen, of
> which a few were for the largest companies in the world) has had
> the Root CA on a non-networked machine with commensurate controls
> to protect the CA.
> Arshad Noor
> StrongAuth, Inc.
> On 12/08/2011 06:54 AM, Eugen Leitl wrote:
>> Is anyone aware of a CA that actually maintains its signing
>> secrets on secured, airgapped machines, with transfers batched and
>> done purely by sneakernet?


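An added illustration of the check Adam is asking about (this is example code, not something posted in the thread): how a relying party applies RFC 5280 section 4.2.1.10 dNSName name constraints from a constrained sub-CA sitting under an unconstrained browser root. The leading-dot form ".foocorp.com" used above is treated as subdomains-only, which is an assumption; the chain and hostnames are constructed.

```python
"""
Name-constraint matching for dNSName entries, following RFC 5280 sect. 4.2.1.10:
a DNS name satisfies a constraint when it equals the constraint or is built by
prepending labels to it.  A constraint written with a leading dot
(".foocorp.com", the form used in the thread) is treated here as matching
subdomains only; that leading-dot handling is an assumption.
"""
from dataclasses import dataclass, field
from typing import List

def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is not significant.
    return name.strip().lower().rstrip(".")

def dns_name_in_subtree(name: str, constraint: str) -> bool:
    name, constraint = _norm(name), _norm(constraint)
    if constraint.startswith("."):
        return name.endswith(constraint)  # subdomains only (assumption)
    # Label-boundary check: "evilfoocorp.com" must not match "foocorp.com".
    return name == constraint or name.endswith("." + constraint)

@dataclass
class NameConstraints:
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)

    def permits(self, dns_name: str) -> bool:
        # Excluded subtrees always win; an empty permitted list imposes
        # no restriction, as for an unconstrained public root.
        if any(dns_name_in_subtree(dns_name, c) for c in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(dns_name_in_subtree(dns_name, c) for c in self.permitted)

def leaf_violations(san_dns_names: List[str], chain: List[NameConstraints]) -> List[str]:
    """Each SAN dNSName must satisfy the constraints of every CA above the
    leaf. Returns the names that fail (empty list means the leaf is in scope)."""
    return [n for n in san_dns_names if not all(nc.permits(n) for nc in chain)]

if __name__ == "__main__":
    # Constructed chain: public root (unconstrained) -> air-gapped corporate
    # sub-CA limited to *.foocorp.com, with its HSM admin host carved out.
    chain = [NameConstraints(), NameConstraints([".foocorp.com"], ["hsm.foocorp.com"])]
    print(leaf_violations(["mail.foocorp.com", "foocorp.com", "hsm.foocorp.com",
                           "www.foocorp.com.evil.example"], chain))
```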