These things should be offline / resilient first, right?
Smartcards / YubiKeys.
Never understood the logic for these to be centralised / online.
Revocation.
PKI works offline until you realize you need to handle revocations.
For this and related reasons, such as enforcing protocol upgrades, most smartcard systems end up permanently online.
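
The revocation problem described above, as an added example that is not part of the original thread: a Python model of the decision an offline verifier can make from a cached revocation list alone. The `CachedCRL` type, the function names, the serial number and the timestamps are constructed for illustration, and certificate and CRL signature checks are assumed to have passed already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CachedCRL:
    revoked: frozenset        # revoked certificate serial numbers
    this_update: datetime     # when the issuer produced this list
    next_update: datetime     # after this the list is considered stale

def check(serial, crl, now, fail_open=False):
    """Revocation decision an offline verifier can make from its cache alone.
    Assumes the certificate chain and CRL signature were already verified."""
    if serial in crl.revoked:
        return "revoked"
    if now > crl.next_update:
        # Stale list: either trust old data or refuse until resynced.
        return "accept" if fail_open else "reject-stale"
    return "accept"

def exposure(revoked_at, crl):
    """Longest time a fail-closed verifier holding `crl` keeps accepting a
    credential revoked at `revoked_at` without going online."""
    if revoked_at <= crl.this_update:
        return timedelta(0)   # cached list already reflects the revocation
    return max(crl.next_update - revoked_at, timedelta(0))

# Constructed scenario: card 0x1A2B is reported lost one hour after the
# verifier cached a CRL with a 24-hour validity period.
T0 = datetime(2024, 1, 1, 8, 0)
CARD = 0x1A2B
old_crl = CachedCRL(frozenset(), T0, T0 + timedelta(hours=24))
lost_at = T0 + timedelta(hours=1)
new_crl = CachedCRL(frozenset({CARD}), lost_at, lost_at + timedelta(hours=24))

def scenario():
    late = T0 + timedelta(hours=25)
    return {
        "offline, 2h": check(CARD, old_crl, T0 + timedelta(hours=2)),
        "offline, 25h, fail-closed": check(CARD, old_crl, late),
        "offline, 25h, fail-open": check(CARD, old_crl, late, fail_open=True),
        "after resync, 2h": check(CARD, new_crl, T0 + timedelta(hours=2)),
    }

if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{step:28} -> {decision}")
    print("exposure window:", exposure(lost_at, old_crl))
```

Shortening the CRL validity period shrinks the exposure window but forces the verifier to resync more often, which is the pressure toward being online that the comment describes.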