Downside is that the private keys have to be online in order to support on-demand signing requests and grant / revoke logic, right?