It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
"cooperative endpoint" scenario that I've seen discussed in other
forums, prompted by the latest revelations about what NSA has been up to.
But if your fave website (gmail, your bank, etc) is disclosing the
session-key(s) to the NSA, or has deliberately-weakened session-key
negotiation in
some way, then PFS doesn't help you.
I agree that if the scenario is "NSA has a database of RSA keys of
'popular sites'" then PFS helps tremendously. But if the scenario goes
deeper
into the "cooperative endpoint" territory, then waving the PFS flag
is perhaps like playing the violin on the deck of the Titantic.
Do we now strongly suspect that NSA have a flotilla of TWIRL (or
similar) machines, so that active cooperation of websites isn't strictly
necessary
to derive their (weaker) RSA secret keys?
--
Marcus Leech
Principal Investigator
Shirleys Bay Radio Astronomy Consortium
http://www.sbrac.org
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
