Date: Fri, 8 Mar 2002 18:04:46 -0800 (PST)
From: Jason Stone <jason@shalott.net>
To: <freebsd-security@freebsd.org>
Subject: Re: ESP + IPFW
Message-ID: <20020308171818.G2192-100000@walter>
In-Reply-To: <3C8945FB.CD9CFC7D@obluda.cz>

> The vulnerability of any key is growing for every second the key
> is used and for every byte passed through the key. Also note, the
> compromising of a key means all data encrypted by the key during recent
> transmissions should be counted compromised.
>
> So, from paranoid point of view - yes, it is more secure to use
> IKE and rotate the keys.

Uh, doesn't IKE use public keys to share symmetric keys? Doesn't that imply that if you crack the private keys, you can then go back and decrypt the symmetric key exchange and finally decrypt the traffic? Isn't this why people expire their PGP keys and SSL CAs encourage you to expire your ssl keys?

So it would seem to me that failing to expire your symmetric keys is not so different from failing to expire your public keys, and that this is a key management issue and doesn't affect the security of the system directly.

 -Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
 -- Mike Godwin