jdmoreira 14 hours ago

These things should be offline / resilient first right?

Smartcards / YubiKeys.

Never understood the logic for these to be centralised / online.

xorcist 13 hours ago

PKI works offline until you realize you need to handle revocations.

For this and related reasons, such as enforcing protocol upgrades, most smartcard systems end up permanently online.

VorpalWay 13 hours ago

You can have a mixed system, such that revocation lists are downloaded and cached every hour or so, and you can even try to check online more often than that, but fall back to the downloaded lists if the system is down.

consp 13 hours ago

Revocation.

jdmoreira 13 hours ago

Can be solved with a hybrid model that degrades when the central service is down. No?
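The hybrid model described in the comments above (online check first, a revocation list refreshed about hourly, fallback to the cached list when the central service is down), as an added example that is not part of the thread. All class, function and parameter names are hypothetical, and the 4-hour maximum cache age after which the check fails closed is an assumption.

```python
import time

class RevocationChecker:
    """Online-first revocation check that degrades to a cached list (hypothetical names)."""

    def __init__(self, query_online, download_list, refresh_s=3600, max_age_s=4 * 3600, clock=time.time):
        self.query_online = query_online    # serial -> True if revoked; raises OSError when down
        self.download_list = download_list  # () -> iterable of revoked serials; raises OSError when down
        self.refresh_s, self.max_age_s, self.clock = refresh_s, max_age_s, clock
        self.cached, self.cached_at = frozenset(), None

    def _age(self):
        return None if self.cached_at is None else self.clock() - self.cached_at

    def refresh(self):
        """Download a fresh list; on failure keep the previous copy."""
        try:
            self.cached, self.cached_at = frozenset(self.download_list()), self.clock()
            return True
        except OSError:
            return False

    def check(self, serial):
        """Return (status, source): status is 'good', 'revoked' or 'unknown'."""
        try:
            return ("revoked" if self.query_online(serial) else "good", "online")
        except OSError:
            pass  # central service unreachable: fall back to the cached list
        if self._age() is None or self._age() >= self.refresh_s:
            self.refresh()  # periodic refresh is due; it may fail as well
        age = self._age()
        if age is None or age > self.max_age_s:
            return ("unknown", "stale-cache")  # fail closed: caller must reject
        return ("revoked" if serial in self.cached else "good", "cache")

def demo():
    """Constructed scenario: serial 'A2' is revoked, then the service goes down."""
    state = {"now": 0.0, "up": True}
    revoked = {"A2"}  # constructed sample data
    def guard(result):
        if not state["up"]:
            raise OSError("service unreachable")
        return result
    rc = RevocationChecker(lambda s: guard(s in revoked), lambda: guard(set(revoked)),
                           clock=lambda: state["now"])
    out = [rc.check("A2")]                          # answered online
    rc.refresh()                                    # list cached at t=0
    state.update(up=False, now=1800)                # outage, cache is 30 minutes old
    out += [rc.check("A2"), rc.check("B7")]
    state["now"] = 5 * 3600                         # outage outlasts max_age_s
    return out + [rc.check("B7")]
```

The window between a revocation and the next successful list download is the exposure this design accepts; `max_age_s` bounds how long an outage can extend it.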

erk__ 4 hours ago

Well, they provide that if you want. They have both an OTP dongle, an OTP loudspeaker and one that uses FIDO U2F (though you need to pay for that one).

https://www.mitid.dk/en-gb/get-started-with-mitid/how-to-use...