Security

The "weakest link" (well, one of the weakest links) in a Public Key System is the initial registration process. It is important to remember that the basic model in a public key system is to trust anyone with a certificate. You need to actively "key out" bad guys with CRL (certificate revocation lists) or CKLs (compromised key lists). Thus, instead of an ongoing key distribution problem, you have an ongoing CRL/CKL distribution problem.. making sure everyone has an updated list of no-longer-good guys.

So, because a Registration Authority is the main way to create new, valid users, it is an obvious target for attack. Also, for public key systems, the real question is "what is a valid user? ... that is what an RA answers. An RA could be online if it can somehow ensure the integrity of the data/registration validation provided to it - but this is the question that the RA is usually answering.

A non-standard PKI architecture could certainly have an online RA, but the typical model where trust is established through the registration process doesn't work.

Steven Davis
http://www.secureplay.com/ corporate
http://www.playnoevil.com/ blog