Peter Warasin <[EMAIL PROTECTED]> writes:

> We will not include a CA, since a firewall is normally not the place where you want to have a CA.
> The CA necessarily must contain also the private key of the root certificate in order to sign certificates, so if one manages to steal that private key, the complete PKI is compromised and you need to revoke and replace all certificates of each of your clients.

Hi Peter,

thanks for this fast answer....

Ok, I understand your position in general... BUT (there is always a But :-) ):

1. The same set of problems exists for IPSEC
2. If someone is able to steal the private key of the CA, I've a bigger problem than revoking the complete PKI 'cause my firewall is compromised.
3. In my view one of the greatest advantages of EFW is the factor of easy administration for non-professionals (that's the biggest difference to other projects like IPCop or smoothwall).
4. Additionally, in contrast to a ZERINA-based implementation of OpenVPN it's more handwork for the admin. In Zerina I only have to send the link for the GUI and the automatically generated ZIP with the config files.
5. To manage an external CA should not be a problem for "professionals" but for normal part-time admins this will be a big barrier to implement a VPN (IPSEC is too complicated for inexperienced Roadwarriors).

But, that's only my opinion :-)

> beta3 will be released end of this week if all goes on cleanly.

I can't expect it :-)

> peter

André

_______________________________________________
Efw-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/efw-user
