Off-line Root CA

From Wikipedia, the free encyclopedia

In a Public Key Infrastructure PKI the top of the trust path is the Certification Authority (CA), because is on the top is called the root CA. The CA is able to issue, distribute and revoke digital certificates X.509. The CA which is software running in a specialized server or hardware in general must be kept safe with the highest possible physical and logical security measures, therefore one of the options is not keeping the CA connected to the network and keep it physically separated, therefore several options exist:

1. Off-line Root CA. This means to disconnect the network cable from the server (where the CA is running), with two options:

a. To keep the server ON, and diconnected from the network.
b. To keep the server OFF diconnected from the networ and placed into a vault.

NOTE. In some literature the term "Disconnected Root CA" is ussed, it is assumed here that it means the same as "Off line Root CA".

There are also some issues related to the CRL signing, since the off-line Root CA can not be "that" active revoking CRLs, therefore:
1. Keep an off-line Root CA and an on-line signing CRL
2. Keep everything off-line

References
http://www.imc.org/ietf-pkix/old-archive-02/msg02609.html
http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part2-Design.html

This article is uncategorized.
Please categorize this article to list it with similar articles. (May 2008)

Categories: Uncategorized pages

Hidden category: Uncategorized from May 2008

Off-line Root CA

From Wikipedia, the free encyclopedia

Views

Navigation

Interaction

Search