Unit 4 Discussion

Q: What are the advantages and disadvantages of a longer certificate life cycle?

A: The main advantage of a longer certificate life cycle is the reduced maintenance burden on the users of the certificates. If certificates are revoked and regenerated less often, users have more time to work with them and spend less time reconfiguring their security certificates. The chief disadvantage of a longer certificate life cycle is that, as time goes on, there is a greater possibility that some nefarious individual could crack the security of the CA, or of certificates based upon it, using brute force. If that happened, the attacker could quickly intercept and decrypt encrypted communications between two parties (in the case of our course, two computers or other networked devices communicating with encryption).

Q: What is the drawback to using a long key pair along with a complex encryption algorithm so that you can use a longer certificate life cycle?

A: The disadvantage of using longer key pairs is that the CPU power required for encryption and decryption to maintain secured communications increases with the size of the encryption keys. While it may seem like an excellent idea to greatly increase the size of security keys to reduce the chance of keys getting cracked, the CPU needs for encryption and decryption must be kept in mind when doing so.

Q: What is the best strategy to secure the Root Certificate Authority (CA) in your CA hierarchy?

A: The best strategy would be to start by avoiding “direct” use of the Root CA, which is done by setting up an Intermediate CA. In theory, an Intermediate CA can be revoked and regenerated in case of an “emergency” type of security breach. An Intermediate CA (with proper configuration) can be used to generate individual and client certificates (as if the Intermediate CA were a Root CA). This way, the Root CA (which, in many cases, may have to be authorized by a governing body to avoid “Untrusted or Unverified Certificate” warnings on computer systems) is protected from direct reference by issued certificates.
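
The two-tier hierarchy described in this answer, as an added example that is not part of the original discussion post: it uses the `openssl` command-line tool to build a root CA, an intermediate CA signed by the root, and a leaf certificate signed by the intermediate, then checks the chain. The subject names, lifetimes, key sizes and file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: throwaway two-tier PKI. All names and lifetimes are constructed.

build_pki() (   # subshell body, so the cd does not leak to the caller
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  # Root CA: self-signed and long-lived; its key signs only the intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions root_ext \
    -subj "/CN=Example Root CA" -days 3650 -keyout root.key -out root.crt 2>/dev/null || exit 1
  # Intermediate CA: shorter-lived, signed by the root, does day-to-day issuance.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr 2>/dev/null || exit 1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions int_ext -days 1095 -out int.crt 2>/dev/null || exit 1
  # Leaf certificate: signed by the intermediate, never by the root.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=host.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions leaf_ext -days 90 -out leaf.crt 2>/dev/null || exit 1
)

# Succeeds only when the verifier trusts the root AND is given the intermediate.
verify_chain() ( cd "$1" && openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1 )
# Fails: the leaf is signed by the intermediate, so the root alone cannot vouch for it.
verify_root_only() ( cd "$1" && openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 )
# Prints the leaf's issuer, which names the intermediate rather than the root.
leaf_issuer() ( cd "$1" && openssl x509 -in leaf.crt -noout -issuer )

demo_dir=$(mktemp -d)
build_pki "$demo_dir" && verify_chain "$demo_dir" && leaf_issuer "$demo_dir"
```

After `build_pki` has run, `root.key` is no longer needed for issuance and can be moved offline; `pathlen:0` keeps the intermediate from creating further CAs beneath itself.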