> Yes, I do think PFS ciphersuites are a better way. Although sometimes
> I've heard "performance" given as a reason for not enabling PFS. In
> that case, frequent key rotation (if the CAs cooperate) would allow
> much of the benefit of PFS, at essentially no additional computational
> cost.

the operational cost, and room for mistakes, should not be discounted.

randy

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
