[Openswan Users] Re: X.509 and signing

Peter McGill petermcgill at goco.net
Mon Jul 17 11:48:25 CEST 2006

Re: Root Cert Signing Key

Do not let anyone get this!
If you think it is no longer private, then generate an new one.
And resign all your certs with it.
It would depend on your setup how easy it would be for someone with your 
signing key to gain access, or at least spy on your connections. But it is 
possible, perhaps unlikely, but possible.
Besides you might decide to sign email or something else in the future as 
Likewise with user cert keys, if there compromised, revoke them, generate 
your CRL, and get your user to generate a new cert key for you to sign.

Re: Validity Length

There is no perfect answer to this.
Lower times equate to higher security but more user hassle.
In general it is considered more secure to change your keys more frequently.
Really this is up to you to decide what is best for you, balancing security 
level versus user friendliness.
Personally I use 5 years for servers and equipment, and 1 year for users, 
but I don't think this is particularly serious, as long as you implement 
Certificate Revocation Lists.
Revoke certificates that are invalid before they expire, generate and 
distribute a CRL, and have your servers check the CRL before accepting 

Re: 3DES vs AES
Well I don't think I've heard of either being cracked yet.
However some people are uncomfortable with 3DES because it is basically 
(Single) DES used 3 times.
It's a little more complicated than that, but since DES is broken, 
crackable, then it becomes questionable how secure 3DES is.
But to my knowledge, it hasn't been demonstrated crackable yet.
AES is newer and considered by most more secure.
However some believe that since it has a smaller key size than 3DES, that 
AES is not better, but key size is not the only factor that affects 
encryption strength.
Also sometimes the encryption strength is not the only factor to consider, 
but throughput and encryption time is another factor.
AES is also faster than 3DES.
AES is used by the US and a number of other governments. (And although some 
might not like them, they generally only want to choose the best.)
Generally I would say where possible use AES, and if the other end doesn't 
support it, then use 3DES for that connection.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 

More information about the Users mailing list