Re: [fw-wiz] Application Proxy/L7 Firewall Recommendation?

From: Carson Gaspar (carson@taltos.org)
Date: 09/06/02


From: Carson Gaspar <carson@taltos.org>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Sep  6 21:05:16 2002


--On Friday, September 06, 2002 9:28 AM -0400 Adam Shostack
<adam@homeport.org> wrote:

> On Fri, Sep 06, 2002 at 01:28:41AM -0400, Carson Gaspar wrote:
>| - Cert generation is computationally expensive. This is mitigated by
>| caching the certs.
>
> Actually, key generation is expensive, cert generation is relatively
> cheap. (Or so I expect. Even all that x.509 cruftage should take
> less time than finding a set of primes.) I pick this nit because it
> should be possible to generate one key (or one key daily) and just
> sign that with new and appropriate certified information surrounding
> it, speeding up the process dramatically.

It all depends on how one defines expensive ;-)

Yes, key generation is more expensive than signing, but signing is _not_
cheap. It all depends on what load you need to support, and what hardware
you have. Of course, the same box will also be doing a decrypt/encrypt for
the data stream, so the cert signing load may be noise. Caching certs is so
cheap, that it's still worthwhile, imho.

Re-using keys makes a lot of sense, though, especially if the bitrate on
your random number source is less than stellar.

-- 
Carson
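The design the two posts converge on (generate the RSA key once, sign a fresh leaf certificate per hostname with a proxy CA key, and cache the result) is illustrated below in Go using only the standard library. This is an added example written for this archive page, not code from either poster or from any product discussed in the thread; the CA name, the hostnames and the 24-hour validity window are constructed values. The program reports wall-clock time for the one-time key generation versus each per-host signing step, so the cost split Adam describes and the cache hit Carson argues for can both be observed directly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// certCache holds what an intercepting proxy keeps resident: a CA key and
// certificate used for signing, one reusable leaf key generated once, and
// the leaf certificates already issued, keyed by hostname.
type certCache struct {
	caKey   *rsa.PrivateKey
	caCert  *x509.Certificate
	leafKey *rsa.PrivateKey
	mu      sync.Mutex
	certs   map[string]*x509.Certificate
}

// newCertCache does the expensive work exactly once: two RSA key
// generations (CA key and shared leaf key) and one self-signed CA cert.
func newCertCache(bits int) (*certCache, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-proxy-ca"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certCache{caKey: caKey, caCert: caCert, leafKey: leafKey,
		certs: map[string]*x509.Certificate{}}, nil
}

// certFor returns the leaf certificate for host, signing a new one with the
// CA key only on a cache miss. The leaf key is reused, so a miss costs one
// RSA signature and never a key generation. The bool reports a cache hit.
func (c *certCache) certFor(host string) (*x509.Certificate, bool, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if cert, ok := c.certs[host]; ok {
		return cert, true, nil
	}
	// Random 128-bit serial so two leaves for different hosts never collide.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.caCert, &c.leafKey.PublicKey, c.caKey)
	if err != nil {
		return nil, false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, false, err
	}
	c.certs[host] = cert
	return cert, false, nil
}

func main() {
	start := time.Now()
	cache, err := newCertCache(2048)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key generation + CA setup: %v\n", time.Since(start))
	// Constructed hostnames; the third lookup repeats the first to show a hit.
	for _, h := range []string{"www.example.test", "mail.example.test", "www.example.test"} {
		t := time.Now()
		_, hit, err := cache.certFor(h)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s cache hit=%-5v %v\n", h, hit, time.Since(t))
	}
}
```

On ordinary hardware the first line is typically two orders of magnitude slower than each signing line, and the repeated host returns in microseconds, which is the whole argument for keeping the cache even when signing is "cheap". Reusing the leaf key across hosts also means the proxy draws on its entropy source only at start-up, the point Carson makes about a weak random number source.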

