On 09/12/13 18:33, Tony Arcieri wrote:
> On Wed, Sep 11, 2013 at 8:00 PM, John Gilmore <g...@toad.com> wrote:
>     There doesn't seem to be much downside to just calling it "Forward
>     Secrecy" rather than "Perfect Forward Secrecy".  We all seem to agree
>     that it isn't perfect, and that it is a step forward in security, at a
>     moderate cost in latency and performance.
> What's really bothered me about the phrase "perfect forward secrecy" is
> it's being applied to public key algorithms we know will be broken as
> soon as a large quantum computer has been built (in e.g. a decade or
> two). Meanwhile people seem to think that it's some sort of technique
> that will render messages unbreakable forever.

Perhaps of (little) comfort:

By the time that quantum computer has been built, it will become clear
that by breaking the PFS crypto, you also break the non-repudiation.

In other words: No one can claim in a (decent) court that a certain
message has been sent by you, when the quantum computer can break both
the PFS and the Merkle-tree hashes that are supposed to prove the

In the meantime, remember Scott McNealy: "Privacy online is dead."



The cryptography mailing list
