Define "air-gapped" and "offline"

[BenWilson-Mozilla]

Adding definitions for "air-gapped" and "offline" will provide greater clarity (notes from 2017-08-10).

[BenWilson-Mozilla]

Notes from 2017-08-23: Focusing on "roots" doesn't make sense.
We looked at suggested potential language for offline and air-gapped Root CAs.
Peter suggested we discuss the difference between offline CA and root CA. We should be focused on offline CAs. Root CAs are an example of something that has to be offline, I don’t think we should limit our changes to just roots. Peter said that defining “root” would be hard, and it would be easier to say offline CAs must do “XYZ” and then it’s up to the CA operator or trust service provider to say these are my offline CAs and these are the other ones.
Etc., etc.

[BenWilson-Mozilla]

Air Gapped: Physically and logically connected, at the most, only to a single utility network (without physical connectivity to the internet) and connected to no other network. (requires physical presence or physical proximity).
[from Tobias Josefowitz to everyone:
Air Gapped: Physically and logically disconnected from all other networks, interaction of any kind requires physical presence in proximity. If the system is built of several components, network technology may be used to connect them as long as network equipment and all systems connected are themselves otherwise Air Gapped.]

Offline State: A Certificate System or component that is not available via any external connection (e.g. powered down or unplugged).

[BenWilson-Mozilla]

Root CA System: A system in an Offline-State or Air-Gapped used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate. -

[BenWilson-Mozilla]

This is mainly to differentiate NCSSR requirements for offline CAs that can't be audited the same as online CAs.