On 12/9/11 6:16 , Peter Gutmann wrote:
> Arshad Noor <[email protected]> writes:
>
>> Every private PKI we have set up since 1999 (more than a dozen, of which a
>> few were for the largest companies in the world) has had the Root CA on a
>> non-networked machine with commensurate controls to protect the CA.
>
> What about TSAs, where you need a key with an irrevocable cert active on a
> machine directly connected to the Internet?
Then why not use GuardTime or some similar service:
http://en.wikipedia.org/wiki/Linked_timestamping

I believe that for actual sub-CAs issuing certificates to users, it is
quite common to have them on-line to some extent (ip-net, not sneakernet),
especially in the commercial CA world.

--
@MartinPaljak
+3725156495

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
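Added example, not part of the original thread and not GuardTime's or any other service's code: a toy model of linked (hash-chained) timestamping, to show why it sidesteps the problem Gutmann raises. The server never signs anything, so there is no long-lived, irrevocable TSA key sitting on an Internet-facing machine; each token commits to every earlier token through a hash chain, and the chain head is published out of band. A verifier needs only the hash function and the published head, not a certificate. Everything here is constructed for illustration: the integer timestamps, the document hashes, the `published` dictionary standing in for a widely witnessed publication channel, and the linear chain (real services aggregate requests with Merkle trees per round rather than chaining one by one).

```python
"""Toy linked timestamping: keyless server, hash-chained tokens, out-of-band head."""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, List

GENESIS = b"\x00" * 32  # link value "before" the first token (constructed)


def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


@dataclass(frozen=True)
class Token:
    index: int     # position in the chain
    time: int      # server-assigned time (constructed Unix seconds)
    digest: bytes  # client-supplied document hash
    prev: bytes    # link value of the previous token (GENESIS for the first)
    link: bytes    # H(index, time, digest, prev): commits to all earlier tokens


def token_link(index: int, time: int, digest: bytes, prev: bytes) -> bytes:
    return _h(index.to_bytes(8, "big"), time.to_bytes(8, "big"), digest, prev)


class LinkedTimestampServer:
    """Holds no signing key at all; its only job is to extend the chain."""

    def __init__(self) -> None:
        self.tokens: List[Token] = []
        self.head: bytes = GENESIS
        # Published heads keyed by the last index they cover. In practice this
        # would be a widely witnessed medium; a dict stands in for it here.
        self.published: Dict[int, bytes] = {}

    def stamp(self, digest: bytes, time: int) -> Token:
        idx = len(self.tokens)
        tok = Token(idx, time, digest, self.head,
                    token_link(idx, time, digest, self.head))
        self.tokens.append(tok)
        self.head = tok.link
        return tok

    def publish(self) -> bytes:
        self.published[len(self.tokens) - 1] = self.head
        return self.head


def verify(token: Token, later: List[Token], published_head: bytes) -> bool:
    """Keyless verification: recompute the token's link, then walk forward
    through the later tokens until the chain reaches a published head."""
    if token_link(token.index, token.time, token.digest, token.prev) != token.link:
        return False
    head = token.link
    for t in later:
        if t.prev != head:
            return False
        if token_link(t.index, t.time, t.digest, t.prev) != t.link:
            return False
        head = t.link
    return head == published_head


def demo() -> dict:
    """Stamp three documents, publish, then try two back-dating attacks."""
    srv = LinkedTimestampServer()
    docs = [hashlib.sha256(b"contract v1").digest(),   # constructed inputs
            hashlib.sha256(b"contract v2").digest(),
            hashlib.sha256(b"invoice 7").digest()]
    times = [1_323_434_000, 1_323_434_060, 1_323_434_120]
    toks = [srv.stamp(d, t) for d, t in zip(docs, times)]
    head = srv.publish()

    valid = verify(toks[0], toks[1:], head)

    # Attack 1: edit the time field of an issued token. Its link no longer matches.
    backdated = replace(toks[0], time=times[0] - 3600)
    backdated_ok = verify(backdated, toks[1:], head)

    # Attack 2: a compromised server regenerates a self-consistent chain with an
    # earlier time for document 0. Every link checks out, but the chain ends at
    # a head that was never published, so verification still fails.
    rogue = LinkedTimestampServer()
    rewritten = [rogue.stamp(d, t)
                 for d, t in zip(docs, [times[0] - 3600] + times[1:])]
    rewritten_ok = verify(rewritten[0], rewritten[1:], head)

    return {"valid": valid, "backdated": backdated_ok, "rewritten_chain": rewritten_ok}


if __name__ == "__main__":
    print(demo())
```

The caveats a practitioner would want: a token is only as good as the published head it chains to, so the publication channel must be hard to rewrite and the gap between stamping and publication is the window in which the server could still silently reorder or drop requests; and with no key to revoke, long-term security rests entirely on the hash function's collision resistance, which is the property you would want to re-examine before relying on decades-old tokens.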
