[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)

To: Joel M Snyder <JMS+ipsec@Opus1.COM>
Subject: Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Sat, 22 Jun 2002 11:03:53 -0400
cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, ipsec@lists.tislabs.com
In-Reply-To: Your message of "Fri, 21 Jun 2002 18:01:39 PDT." <01KJ79QWA3J8939294@Opus1.COM>
Reply-to: sommerfeld@east.sun.com
Sender: owner-ipsec@lists.tislabs.com

Let's be careful to distinguish between:

 1) the forward-secrecy properties of IPsec key management

 2) the optional second DH exchange done in IKEv1 phase 2, which is
    what many people think of when they hear "PFS".

I don't believe that there's a need for every SA to have a separate DH
exchange; what is important is for the spec to allow a user of the
protocol to know what the forward-secrecy properties are, and that
requires protocol-visible lifetimes for keying material.

					- Bill

Follow-Ups:
- RE: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

References:
- Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
  - From: Joel M Snyder <JMS+ipsec@Opus1.COM>

Prev by Date: Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
Next by Date: Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
Prev by thread: Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
Next by thread: RE: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
Index(es):
- Date
- Thread