[Openswan Users] X.509 and signing

[ted leslie]

not directly a openswan question, but the people who frequent here, its the right place.

If you have a vpn set up , with openswan,
and you followed the standard instructions,
generating a CA and signing keys,
and putting those into the openswan openssl configuration, and the clients get their
part of the key .....
if the signing cert (created via openssl, not a verisign, etc)
is obtained,
It seems to me it doesn't actaully hurt your security for a simple open swan VPN
does it?
i mean a person can sign a cert. with your stolen signing key (and say they know the passcode),
and sign other certs, but thats not going to magically get them into 
a openswan vpn concentrator, as the openswan does need the newly created keys on its side?
I thought the only issue was that if for other things, like email certs, web certs
etc that it could allow people to fake that they are authorized by you,
but for a simple use of a openswan vpn server and roadwarrior example,
would there really be any security breach possible  if someone obtained the signing auth?
or is it possible that some set ups of openswan would actually let someone in 
that was signed by the stolen CA.

Then related to this you have the issue of validity length, 
to keep things simple i do 10years,
if someone were to hack, and get everything, well i am just going to restart and reissue,
and allow only new certs.

what is the benifit of having a 1 year period over 10 years?
you have to create new before the 1 year period is up, so thats a drag.
down side of 10 years? 

also as a side note, what is pro's and cons to 3des vs. AES ?
i thought they were generally considered a draw? 
some one told me today that 3des is for sissy'es and you have to use AES, 
which i found surprizing.

-tl