It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
"cooperative endpoint" scenario that I've seen discussed in other
forums, prompted by the latest revelations about what NSA has been up to.
But if your fave website (gmail, your bank, etc) is disclosing the
session-key(s) to the NSA, or has deliberately-weakened session-key
some way, then PFS doesn't help you.
I agree that if the scenario is "NSA has a database of RSA keys of
'popular sites'" then PFS helps tremendously. But if the scenario goes
into the "cooperative endpoint" territory, then waving the PFS flag
is perhaps like playing the violin on the deck of the Titantic.
Do we now strongly suspect that NSA have a flotilla of TWIRL (or
similar) machines, so that active cooperation of websites isn't strictly
to derive their (weaker) RSA secret keys?
Shirleys Bay Radio Astronomy Consortium
The cryptography mailing list