This creates the ability to issue, distribute and revoke digital certificates without the direct action of the root CA.
A common method to ensure the security and integrity of a root CA is to keep it in an offline state.
It is only brought online when needed for specific, infrequent tasks, typically limited to the issuance or re-issuance of certificates authorizing intermediate CAs.
A drawback to offline operation is that hosting of a certificate revocation list by the root CA is not possible (as it is unable to respond to CRL requests via protocols such as HTTP, LDAP or OCSP).
Therefore, each CA (root or intermediate) is only responsible for tracking the revocation of certificates it alone has issued.