John Denker <[EMAIL PROTECTED]> writes: > Eric Rescorla wrote: > >> Uh, you've just described the ephemeral DH mode that IPsec >> always uses and SSL provides. > > I'm mystified by the word "always" there, and/or perhaps by > the definition of Perfect Forward Secrecy. Here's the dilemma: > > On the one hand, it would seem to the extent that you use > ephemeral DH exponents, the very ephemerality should do most > (all?) of what PFS is supposed to do. If not, why not? > > And yes, IPsec always has ephemeral DH exponents lying around. > > On the other hand, there are IPsec modes that are deemed to > not provide PFS. See e.g. section 5.5 of > http://www.faqs.org/rfcs/rfc2409.html
Sorry, when I said IPsec I mean IKE. I keep trying to forget about the manual keying modes. AFAICT IKE always uses the DH exchange as part of establishment. -Ekr --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]