On 09/12/13 18:33, Tony Arcieri wrote: > On Wed, Sep 11, 2013 at 8:00 PM, John Gilmore <g...@toad.com > <mailto:g...@toad.com>> wrote: > > There doesn't seem to be much downside to just calling it "Forward > Secrecy" rather than "Perfect Forward Secrecy". We all seem to agree > that it isn't perfect, and that it is a step forward in security, at a > moderate cost in latency and performance. > > > What's really bothered me about the phrase "perfect forward secrecy" is > it's being applied to public key algorithms we know will be broken as > soon as a large quantum computer has been built (in e.g. a decade or > two). Meanwhile people seem to think that it's some sort of technique > that will render messages unbreakable forever.
Perhaps of (little) comfort: By the time that quantum computer has been built, it will become clear that by breaking the PFS crypto, you also break the non-repudiation. In other words: No one can claim in a (decent) court that a certain message has been sent by you, when the quantum computer can break both the PFS and the merkle-tree hashes that are supposed to prove the authenticity. In the mean time, remember Scott Mc Nealy: "Privacy online is dead." Guido.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
