Re: [fw-wiz] Application Proxy/L7 Firewall Recommendation?
From: Carson Gaspar (carson@taltos.org)
Date: 09/06/02
From: Carson Gaspar <carson@taltos.org> To: firewall-wizards@honor.icsalabs.com Date: Fri Sep 6 21:05:16 2002
--On Friday, September 06, 2002 9:28 AM -0400 Adam Shostack
<adam@homeport.org> wrote:
> On Fri, Sep 06, 2002 at 01:28:41AM -0400, Carson Gaspar wrote:
>| - Cert generation is computationally expensive. This is mitigated by
>| caching the certs.
>
> Actually, key generation is expensive, cert generation is relatively
> cheap. (Or so I expect. Even all that x.509 cruftage should take
> less time than finding a set of primes.) I pick this nit because it
> should be possible to generate one key (or one key daily) and just
> sign that with new and appropriate certified information surrounding
> it, speeding up the process dramatically.
It all depends on how one defines expensive ;-)
Yes, key generation is more expensive than signing, but signing is _not_
cheap. It all depends on what load you need to support, and what hardware
you have. Of course, the same box will also be doing a decrypt/encrypt for
the data stream, so the cert signing load may be noise. Caching certs is so
cheap that it's still worthwhile, imho.
Re-using keys makes a lot of sense, though, especially if the bitrate on
your random number source is less than stellar.
-- Carson
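
An added example, not part of the original message or of any product discussed in the thread: a minimal Go sketch of the two ideas above, one leaf key generated once and reused for every certificate, and a per-name cache so a repeated name costs no new signature. It assumes a proxy that issues per-name certificates from its own CA; `CertCache`, `NewCertCache`, `Get`, `Signs`, the "example CA" name and the `*.example` hostnames are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CertCache struct { // one certificate per name, all over one reused leaf key
	caKey, leafKey *rsa.PrivateKey   // each generated once: the expensive step
	issuer         *x509.Certificate // issuer name only (constructed example CA)
	certs          map[string][]byte // name -> DER certificate
	Signs          int               // signatures actually computed
}

func NewCertCache() (c *CertCache, err error) {
	c = &CertCache{certs: map[string][]byte{}, issuer: &x509.Certificate{Subject: pkix.Name{CommonName: "example CA"}}}
	if c.caKey, err = rsa.GenerateKey(rand.Reader, 2048); err == nil {
		c.leafKey, err = rsa.GenerateKey(rand.Reader, 2048) // reused for every name
	}
	return c, err
}

func (c *CertCache) Get(name string) (der []byte, err error) {
	if der = c.certs[name]; der == nil { // miss: sign once; a hit is only a map lookup
		tmpl := &x509.Certificate{ // sequential serials are for this demo only
			SerialNumber: big.NewInt(int64(c.Signs + 1)), DNSNames: []string{name},
			NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		}
		if der, err = x509.CreateCertificate(rand.Reader, tmpl, c.issuer, &c.leafKey.PublicKey, c.caKey); err == nil {
			c.certs[name], c.Signs = der, c.Signs+1
		}
	}
	return der, err
}

func main() {
	c, err := NewCertCache()
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"a.example", "b.example", "a.example"} {
		_, err := c.Get(n)
		fmt.Println(n, "signatures so far:", c.Signs, "error:", err)
	}
}
```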