[cryptography] airgaps in CAs

Florian Weimer fw at deneb.enyo.de
Sun Jan 8 06:29:26 EST 2012


* Eugen Leitl:

> Is anyone aware of a CA that actually maintains its signing
> secrets on secured, airgapped machines, with transfers batched and
> done purely by sneakernet?

Does airgapping provide significant security benefits these days,
compared to its costs?

File systems are generally less robust than network stacks.  USB
auto-detection is somewhat difficult to control on COTS systems.  So
unless you build your own transfer mechanism, a single TCP port
exposes less code, and code which has received more scrutiny.



More information about the cryptography mailing list