Eric Rescorla wrote:
Uh, you've just described the ephemeral DH mode that IPsec always uses and SSL provides.
I'm mystified by the word "always" there, and/or perhaps by the definition of Perfect Forward Secrecy. Here's the dilemma:
On the one hand, it would seem to the extent that you use ephemeral DH exponents, the very ephemerality should do most (all?) of what PFS is supposed to do. If not, why not?
And yes, IPsec always has ephemeral DH exponents lying around.
On the other hand, there are IPsec modes that are deemed to not provide PFS. See e.g. section 5.5 of http://www.faqs.org/rfcs/rfc2409.html
Perhaps the resolution of the dilemma is to say that IPsec "always" uses ephemeral DH for _some_ things, but it does not "always" use ephemeral DH for some _other_ things. Right?
Also note that 'ephemeral' is not a binary predicate. Some things are more ephemeral than others. Can you also have more-perfect PFS and less-perfect PFS?
=======
There are plenty of things out there (including Cisco boxes, in the default configuration) where the IPsec does not have PFS turned on.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
