Firewall Wizards mailing list archives

Re: Application Proxy/L7 Firewall Recommendation?


From: Adam Shostack <adam () homeport org>
Date: Fri, 6 Sep 2002 09:28:00 -0400

On Fri, Sep 06, 2002 at 01:28:41AM -0400, Carson Gaspar wrote:
| 
| - The proxy must be a CA able to automatically sign certificates (or must 
| be able to request certificates from another system)

| - The generated cert is then used to initiate a TLS session with the client
| 
| There are some technical issues with this:

| - Cert generation is computationally expensive. This is mitigated by 
| caching the certs.

Actually, key generation is expensive, cert generation is relatively
cheap.  (Or so I expect.  Even all that x.509 cruftage should take
less time than finding a set of primes.)  I pick this nit because it
should be possible to generate one key (or one key daily) and just
sign that with new and appropriate certified information surrounding
it, speeding up the process dramatically.

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
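The nit above, as an added example that is not part of the list post: a proxy-side CA in Go (standard library only) that runs the expensive RSA prime search once per rotation and then only signs a fresh, short-lived leaf certificate per hostname with that reused key, caching the result. `CertMinter`, `RotateLeafKey`, `TimeKeygenVsSign` and the `*.example.test` hostnames are hypothetical names constructed for this example; they do not come from the thread or any product it mentions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// CertMinter (hypothetical) signs leaf certs with a proxy CA. The leaf key
// pair is generated once and shared by every host's cert until rotated;
// only the cheap X.509 signing step happens per host.
type CertMinter struct {
	caCert       *x509.Certificate
	caKey        *rsa.PrivateKey
	leafKey      *rsa.PrivateKey // reused across hosts; see RotateLeafKey
	mu           sync.Mutex
	cache        map[string]*x509.Certificate
	Hits, Misses int
}

// newSerial returns a random 128-bit serial (unique per issued cert).
func newSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return s
}

// NewCA builds a self-signed root: one RSA key generation, one signature.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: "Example Proxy CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCertMinter wires a CA to a minter and performs the first leaf keygen.
func NewCertMinter(caCert *x509.Certificate, caKey *rsa.PrivateKey) (*CertMinter, error) {
	m := &CertMinter{caCert: caCert, caKey: caKey, cache: map[string]*x509.Certificate{}}
	return m, m.RotateLeafKey()
}

// RotateLeafKey is the slow step (finding primes). Run it on a schedule,
// e.g. daily as the post suggests; cached certs bound to the old key are dropped.
func (m *CertMinter) RotateLeafKey() error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	m.leafKey = key
	m.cache = map[string]*x509.Certificate{}
	return nil
}

// CertFor returns the cached leaf for host, or signs a new one (the fast step).
func (m *CertMinter) CertFor(host string) (*x509.Certificate, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if c, ok := m.cache[host]; ok && time.Now().Before(c.NotAfter) {
		m.Hits++
		return c, nil
	}
	m.Misses++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-5 * time.Minute),
		NotAfter:     now.Add(24 * time.Hour), // short-lived: bounded by the key rotation period
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, m.caCert, &m.leafKey.PublicKey, m.caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	m.cache[host] = cert
	return cert, nil
}

// VerifyLeaf checks that a minted cert chains to the CA for the given host,
// as a client that trusts the proxy CA would.
func VerifyLeaf(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// TimeKeygenVsSign measures one 2048-bit RSA key generation against n leaf
// signings with the reused key (constructed hostnames).
func TimeKeygenVsSign(m *CertMinter, n int) (keygen, signing time.Duration, err error) {
	t := time.Now()
	if _, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	keygen = time.Since(t)
	t = time.Now()
	for i := 0; i < n; i++ {
		if _, err = m.CertFor(fmt.Sprintf("host%d.example.test", i)); err != nil {
			return
		}
	}
	signing = time.Since(t)
	return
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	m, err := NewCertMinter(ca, caKey)
	if err != nil {
		panic(err)
	}
	kg, sg, err := TimeKeygenVsSign(m, 20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("one RSA-2048 keygen: %v; 20 leaf certs signed with a reused key: %v\n", kg, sg)
}
```

Two design points worth noting. Each leaf still gets its own serial, subject and SAN, so clients see the name they expect; only the key pair is shared. And because one compromised leaf key would expose every host's sessions minted under it, the rotation period (a day here, matching the post) is what bounds that exposure, which is why the cache is emptied on rotation rather than letting old certs outlive the key.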