Hi Arshad

Do the air gapped private PKI root certs (and if applicable their
non-airgapped sub-CA certs they authorize) have the critical name constraint
extension, e.g. ".foocorp.com", meaning it is only valid for creating certs for
*.foocorp.com?

(I am presuming these private PKI certs are sub-CA certs certified by a CA
listed in browsers.)

Adam

On Thu, Dec 08, 2011 at 10:04:05AM -0800, Arshad Noor wrote:
I am aware of at least one public CA - still in business - that
fits this description.

Every private PKI we have set up since 1999 (more than a dozen, of
which a few were for the largest companies in the world) has had
the Root CA on a non-networked machine with commensurate controls
to protect the CA.

Arshad Noor
StrongAuth, Inc.

On 12/08/2011 06:54 AM, Eugen Leitl wrote:

Is anyone aware of a CA that actually maintains its signing
secrets on secured, airgapped machines, with transfers batched and
done purely by sneakernet?
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
