Thanks Danny. Better understood, the offline portion of the process.

So ..... a simple Nagios plugin can be bright yellow 7 days to doomsday and blood red, three days to doomsday. Visible to all devops. Email is just too basic as an alert.

Sunday.

On Wed, Apr 10, 2019, 14:11 Daniel Shaw via Community-Discuss <[email protected]> wrote:

> Hi Mark, Saul, Sunday, all,
>
> I suppose that Cedrick or other staff may possibly reply in due course with more details as regards this specific implementation of a CA (aka the AFRINIC RPKI CA). However, let me respond a bit generally about the reason to have an offline portion of a CA.
>
> Ultimately, a CA involves certificates and crypto, as we all know. And this needs keys, including private keys. The integrity of the entire system below the CA depends on the top-level private keys being ... private.
>
> To automate anything, the system doing the automation needs to connect to the system being automated. In other words, everything has to be "online" to an extent. The thinking, generally, is that anything that is connected to other things has the potential, however small the chance, to be compromised. Therefore, the best way to ensure absolute and certain privacy of the all-important private key material is to "air-gap" it.
>
> And thus it follows that when something else needs to be signed/verified using these offline keys, you also don't want to copy them online, even briefly, and so you do the work offline and then copy the results back online. It is this copy - bridging the air gap - that requires a human.
>
> Put another way: you can't really automate sneaker-net.
>
> - Daniel
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, April 10, 2019 8:32 AM, Mark Tinka <[email protected]> wrote:
>
> > Thanks, Cedrick.
> >
> > A question that is, perhaps, obvious... are you able to take the human component out of this?
_______________________________________________ Community-Discuss mailing list [email protected] https://lists.afrinic.net/mailman/listinfo/community-discuss
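The Nagios-style check Sunday sketches above (warning at 7 days, critical at 3 days before the certificate's notAfter), written out as an added example; this is not code from the thread or from AFRINIC, and the certificate path, the use of the `openssl` CLI and the sample date are assumptions made here:

```python
#!/usr/bin/env python3
"""Nagios-style expiry check for a CA certificate (constructed example).

Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING,
2 CRITICAL, 3 UNKNOWN. Thresholds default to the 7-day / 3-day values
proposed in the thread; the cert path and openssl call are assumptions.
"""
import ssl
import subprocess
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_enddate(line):
    """Turn an 'openssl x509 -enddate -noout' line such as
    'notAfter=Jan  5 09:34:43 2018 GMT' into a Unix timestamp (UTC)."""
    if not line.startswith("notAfter="):
        raise ValueError("unexpected openssl output: %r" % line)
    return ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())


def check_expiry(not_after, now, warn_days=7, crit_days=3):
    """Return (exit_code, message) for a certificate that expires at not_after.
    Already-expired certificates are CRITICAL, not silently OK."""
    days_left = (not_after - now) / 86400.0
    if days_left < 0:
        return CRITICAL, "CRITICAL - certificate expired %.1f days ago" % -days_left
    if days_left <= crit_days:
        return CRITICAL, "CRITICAL - certificate expires in %.1f days" % days_left
    if days_left <= warn_days:
        return WARNING, "WARNING - certificate expires in %.1f days" % days_left
    return OK, "OK - certificate expires in %.1f days" % days_left


def main(argv):
    """Plugin entry point: read notAfter from the PEM file via openssl."""
    if len(argv) != 2:
        print("UNKNOWN - usage: %s /path/to/ca-cert.pem" % argv[0])
        return UNKNOWN
    try:
        out = subprocess.check_output(
            ["openssl", "x509", "-enddate", "-noout", "-in", argv[1]], text=True)
        code, msg = check_expiry(parse_enddate(out), time.time())
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        code, msg = UNKNOWN, "UNKNOWN - %s" % exc  # misconfiguration is not OK
    print(msg)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the CA key itself stays offline, this only watches the public certificate copied back across the air gap; the resulting yellow/red state is what gives the humans doing the sneaker-net their lead time.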
