zhu qun-ying wrote:
> 
> > They should be sufficient. Certificates are usually public knowledge
> > anyway so using weak or no encryption on them is harmless but if you
> > want to use strong encryption on it you can, however some of the older
> > export browsers won't import 3DES encrypted certificates.
> >
> > Steve.
> My concern is that, since they used the same password, will the weak encryption
> of certificate open a door for the private key?
> 

They use different salts and keys so finding out the certificate key
won't help at all in finding out the private key secret key.

> What's the effect on increasing mac_iter, does it worse the iteration?
> 

The larger the value the more work is involved in checking the mac value,
and the harder it is for an attacker to run through large quantities of
candidate passwords on the mac.

There's quite a bit of info on this in my PKCS#12 FAQ (see homepage)
though some of it needs updating.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
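
The two points in the reply above, as an added example that is not part of the original message and is not OpenSSL's code: the PKCS#12 key derivation from RFC 7292 Appendix B.2, showing that one password with different salts yields unrelated keys, and that every MAC check on a candidate password costs `mac_iter` hash operations. The salts, password, iteration count of 2048 and key sizes (5 bytes for a 40-bit cipher, 24 bytes for 3DES) are constructed assumptions.

```python
import hashlib
import hmac

def pkcs12_kdf(password, salt, iterations, id_byte, n):
    """RFC 7292 Appendix B.2 key derivation with SHA-1 (u=20, v=64)."""
    u, v = 20, 64
    # The password is a BMPString: UTF-16BE with a two-byte NUL terminator.
    pw = password.encode("utf-16-be") + b"\x00\x00"

    def fill(data):
        # Repeat data up to the next multiple of v bytes.
        length = v * ((len(data) + v - 1) // v)
        return (data * (length // len(data) + 1))[:length] if data else b""

    D = bytes([id_byte]) * v  # diversifier: 1 = cipher key, 2 = IV, 3 = MAC key
    I = bytearray(fill(salt) + fill(pw))
    out = b""
    while len(out) < n:
        A = hashlib.sha1(D + bytes(I)).digest()
        for _ in range(iterations - 1):
            A = hashlib.sha1(A).digest()
        out += A
        # I_j = (I_j + B + 1) mod 2^(8v) for every v-byte block of I.
        B = int.from_bytes((A * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(I), v):
            blk = (int.from_bytes(I[j:j + v], "big") + B) % (1 << (8 * v))
            I[j:j + v] = blk.to_bytes(v, "big")
    return out[:n]

def pkcs12_mac(password, mac_salt, mac_iter, data):
    """HMAC-SHA1 integrity value; costs mac_iter hashes per password tried."""
    key = pkcs12_kdf(password, mac_salt, mac_iter, 3, 20)
    return hmac.new(key, data, hashlib.sha1).digest()

def demo():
    # Constructed sample values, not taken from any real PKCS#12 file.
    password = "same-password"
    cert_salt, key_salt, mac_salt = b"CERTSALT", b"KEY-SALT", b"MAC-SALT"
    cert_key = pkcs12_kdf(password, cert_salt, 2048, 1, 5)   # 40-bit cipher key
    priv_key = pkcs12_kdf(password, key_salt, 2048, 1, 24)   # 3DES-sized key
    mac = pkcs12_mac(password, mac_salt, 2048, b"authsafe bytes")
    wrong = pkcs12_mac("wrong-guess", mac_salt, 2048, b"authsafe bytes")
    return cert_key, priv_key, mac, wrong

if __name__ == "__main__":
    for value in demo():
        print(value.hex())
```

Recovering the 5-byte certificate key reveals nothing about the 24-byte private-key key, because the salt enters the first hash input and the two derivations diverge from there.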
