John Denker <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
>
>> Uh, you've just described the ephemeral DH mode that IPsec
>> always uses and SSL provides.
>
> I'm mystified by the word "always" there, and/or perhaps by
> the definition of Perfect Forward Secrecy.  Here's the dilemma:
>
> On the one hand, it would seem to the extent that you use
> ephemeral DH exponents, the very ephemerality should do most
> (all?) of what PFS is supposed to do.  If not, why not?
>
> And yes, IPsec always has ephemeral DH exponents lying around.
>
> On the other hand, there are IPsec modes that are deemed to
> not provide PFS.  See e.g. section 5.5 of
>    http://www.faqs.org/rfcs/rfc2409.html

Sorry, when I said IPsec I mean IKE. I keep trying to forget
about the manual keying modes. AFAICT IKE always uses the
DH exchange as part of establishment.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to