
Re: forward secrecy



First, a wry comment: It's difficult to fight against perfection.
Maybe if SKIP had instead been named "Perfectly Stateless Keying"
you'd be on more even footing.

Then, three non-wry comments:

While most hackers would prefer the joy of a passive attack, it would
seem more fruitful to mount an active attack than a passive one, and
I'm sure most operatives would agree.

Modular exponentiation isn't the only group in town, and elliptic
curve groups, for example, have a reduced computational cost.  And
there's no reason to believe that these are the only two
representations that will support DH efficiently and securely.

SKIP will probably be acceptable to some user communities.  Its
statelessness and resulting protocol simplicity are certainly pleasing.
But, I don't think that the schism over the threat model is going to
disappear through persuasion, so unless a third approach emerges, combining
PFS and statelessness, I doubt that there will be a way to satisfy all
parties.


