[Openswan Users] Re: X.509 and signing
petermcgill at goco.net
Mon Jul 17 11:48:25 CEST 2006
Re: Root Cert Signing Key
Do not let anyone get this!
If you think it is no longer private, then generate an new one.
And resign all your certs with it.
It would depend on your setup how easy it would be for someone with your
signing key to gain access, or at least spy on your connections. But it is
possible, perhaps unlikely, but possible.
Besides you might decide to sign email or something else in the future as
Likewise with user cert keys, if there compromised, revoke them, generate
your CRL, and get your user to generate a new cert key for you to sign.
Re: Validity Length
There is no perfect answer to this.
Lower times equate to higher security but more user hassle.
In general it is considered more secure to change your keys more frequently.
Really this is up to you to decide what is best for you, balancing security
level versus user friendliness.
Personally I use 5 years for servers and equipment, and 1 year for users,
but I don't think this is particularly serious, as long as you implement
Certificate Revocation Lists.
Revoke certificates that are invalid before they expire, generate and
distribute a CRL, and have your servers check the CRL before accepting
Re: 3DES vs AES
Well I don't think I've heard of either being cracked yet.
However some people are uncomfortable with 3DES because it is basically
(Single) DES used 3 times.
It's a little more complicated than that, but since DES is broken,
crackable, then it becomes questionable how secure 3DES is.
But to my knowledge, it hasn't been demonstrated crackable yet.
AES is newer and considered by most more secure.
However some believe that since it has a smaller key size than 3DES, that
AES is not better, but key size is not the only factor that affects
Also sometimes the encryption strength is not the only factor to consider,
but throughput and encryption time is another factor.
AES is also faster than 3DES.
AES is used by the US and a number of other governments. (And although some
might not like them, they generally only want to choose the best.)
Generally I would say where possible use AES, and if the other end doesn't
support it, then use 3DES for that connection.
Software Developer / Network Administrator
Gra Ham Energy Limited
More information about the Users