Which you use depends on the implementation you are exporting to. "Export grade"(i.e. cryptograhically challenged) products cannot support all algorithms.
Typically you may be able to use any encryption on shrouded key bags but they
must then be placed in an unencrypted authsafe. Other authsafes may only support
40bit encryption. Of course if you are using SSLeay throughout you can strongly
encrypt everything and have high iteration counts on everything.
Which you use depends on the implementation you are exporting to. "Export
grade" (i.e. cryptograhically challenged) products cannot support all
algorithms. Typically you may be able to use any encryption on shrouded key
bags but they must then be placed in an unencrypted authsafe. Other authsafes
may only support 40bit encryption. Of course if you are using SSLeay
throughout you can strongly encrypt everything and have high iteration counts
on everything.
3. For decryption routines only the password and length are needed.