Hey all,

From reading through the protocol, it seems there are two modes for forward secrecy:

A) Use forward secrecy, but allow the other side to turn it off. (default)
B) Turn off forward secrecy.

However, there could conceivably be a third mode:

C) Use forward secrecy, and terminate any connection that tries to turn it off.

The only problem is that if an endpoint receives 1 for the y value of the other side, it doesn't necessarily know that the other side has 0 for its x value. (I'd have to check whether it's possible, given the specific modulus and the possible range of x, to rule out a non-zero x for a zero y value, unless someone already knows the answer to this...)

This third mode would make it possible to guard against misconfigurations, e.g. I might want forward secrecy to be always used, and for stuff to blow up / complain if that changes.

Is this a valid use case?

-- Fred
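The "mode C" policy above, as an added example that is not part of Fred's post and not code from the protocol under discussion. It assumes the x/y values in the post are a classic Diffie-Hellman exchange (y = g^x mod p) with g generating a subgroup of prime order q, and it uses a constructed toy group (p = 23, q = 11, g = 4) rather than any deployed parameters. Besides refusing y = 1, the validator rejects the other degenerate values and anything outside the order-q subgroup, and `secrets_yielding_identity` shows the group-theoretic answer to the question in the post: when the secret is confined to [1, q-1] and g has prime order q, y = 1 can only come from x = 0.

```python
"""Validate a Diffie-Hellman public value before accepting it (mode C).

Example code written for this thread; the protocol's own x/y encoding is
assumed to be y = g^x mod p with g of prime order q.  The group below is a
constructed toy safe-prime group, not any deployed group.
"""

# Constructed toy group: p = 2q + 1 with q prime; g = 4 is a quadratic
# residue mod 23, so its order divides q = 11, and since g != 1 it is q.
P = 23
Q = 11
G = 4


class ForwardSecrecyViolation(ValueError):
    """Raised when a peer's public value would disable forward secrecy."""


def validate_public_value(y, p=P, q=Q):
    """Accept y only if it is a non-identity element of the order-q subgroup.

    Rejects 1 (the 'forward secrecy off' value from the post), the other
    degenerate values 0 and p-1, anything outside [2, p-2], and values
    outside the subgroup (a small-subgroup value could leak bits of our
    own secret).  Returns y unchanged on success.
    """
    if not isinstance(y, int):
        raise TypeError("public value must be an integer")
    if y == 1:
        raise ForwardSecrecyViolation("peer sent y = 1 (forward secrecy disabled)")
    if y <= 1 or y >= p - 1:
        raise ValueError("public value outside [2, p-2]")
    if pow(y, q, p) != 1:
        raise ValueError("public value not in the order-q subgroup")
    return y


def public_value(x, p=P, g=G):
    """Compute y = g^x mod p for a secret exponent x."""
    return pow(g, x, p)


def secrets_yielding_identity(p=P, q=Q, g=G):
    """Return every x in [0, q-1] for which g^x mod p == 1.

    For a generator of prime order q this is exactly [0]: within the
    permitted secret range, a y of 1 can only have come from x = 0.
    """
    return [x for x in range(q) if public_value(x, p, g) == 1]


def accept_or_abort(y, p=P, q=Q):
    """Mode C policy: True if y is accepted, False if the connection
    should be terminated.  Never falls back to a non-forward-secret session.
    """
    try:
        validate_public_value(y, p, q)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    print("x values in [0, q-1] giving y == 1:", secrets_yielding_identity())
    # 5 is a non-residue mod 23, so it lies outside the order-11 subgroup.
    for y in (1, 0, P - 1, 5, public_value(7)):
        print(f"y={y}: {'accept' if accept_or_abort(y) else 'terminate'}")
```

The subgroup check (`pow(y, q, p) == 1`) is what makes the y = 1 test meaningful: without it a peer could send an element of a different small subgroup that is not 1 but still collapses the shared secret to a handful of candidates. With a real group, replace `P`, `Q`, `G` with the protocol's parameters; the logic is unchanged.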
