Firewall Wizards mailing list archives

Re: Application Proxy/L7 Firewall Recommendation?


From: Carson Gaspar <carson () taltos org>
Date: Fri, 06 Sep 2002 09:39:24 -0400



--On Friday, September 06, 2002 9:28 AM -0400 Adam Shostack <adam () homeport org> wrote:

> On Fri, Sep 06, 2002 at 01:28:41AM -0400, Carson Gaspar wrote:
> | - Cert generation is computationally expensive. This is mitigated by
> | caching the certs.
>
> Actually, key generation is expensive, cert generation is relatively
> cheap.  (Or so I expect.  Even all that X.509 cruftage should take
> less time than finding a set of primes.)  I pick this nit because it
> should be possible to generate one key (or one key daily) and just
> sign that with new and appropriate certified information surrounding
> it, speeding up the process dramatically.

It all depends on how one defines expensive ;-)

Yes, key generation is more expensive than signing, but signing is _not_ cheap. It all depends on what load you need to support, and what hardware you have. Of course, the same box will also be doing a decrypt/encrypt for the data stream, so the cert signing load may be noise. Caching certs is so cheap that it's still worthwhile, imho.

Re-using keys makes a lot of sense, though, especially if the bitrate on your random number source is less than stellar.

--
Carson
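The scheme the two posts converge on, written out as an added example that is not from the thread or from any product discussed in it: a proxy CA signs one leaf certificate per hostname, every leaf reuses a single long-lived key (so key generation happens once, or once per rotation), and the signed certificates are cached so a host is signed at most once. `CertCache` and `proxy-ca.example` are constructed names; key size and validity period are arbitrary choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertCache (constructed name): a proxy CA, one leaf key reused for every host, and
// a cache of signed leaf certs by hostname, so each host costs at most one signature.
type CertCache struct {
	caKey   *rsa.PrivateKey
	caCert  *x509.Certificate
	leafKey *rsa.PrivateKey   // shared leaf key; the caller rotates it on its own schedule
	certs   map[string][]byte // hostname -> DER-encoded leaf certificate
	Signed  int               // actual signing operations performed (cache misses)
}

// NewCertCache pays the expensive part once: two RSA key generations and one CA cert.
func NewCertCache(bits int) (*CertCache, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	leafKey, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "proxy-ca.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil { return nil, err }
	caCert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CertCache{caKey: caKey, caCert: caCert, leafKey: leafKey, certs: map[string][]byte{}}, nil
}

// LeafFor returns the certificate for host; only a cache miss costs a signature.
func (c *CertCache) LeafFor(host string) ([]byte, error) {
	if der, ok := c.certs[host]; ok { return der, nil }
	leaf := &x509.Certificate{SerialNumber: big.NewInt(int64(len(c.certs) + 2)),
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, c.caCert, &c.leafKey.PublicKey, c.caKey)
	if err != nil { return nil, err }
	c.certs[host], c.Signed = der, c.Signed+1
	return der, nil
}
```

Timing `NewCertCache` against a loop of `LeafFor` calls on distinct hosts shows the ratio Adam describes; comparing repeat calls shows what the cache buys.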
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards