RE: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)

["Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>]

Yes, this is an area where list members like to debate a semantic issue
without agreeing on what the terms mean (the other being preshared
key/preshared secret/password).

Let us remember that the original forward secrecy requirement for this WG
was that compromise of the RSA private key should not endanger the session
keys. The forward secrecy across phase 2 rekeys was added later. The
description of one type of forward secrecy as "perfect" sounds like
marketing jargon. If you negotiate 3 SAs at the same time, there is no
reason to use 3 different DH keys, and using only one DH key does not make
the forward secrecy any less perfect.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Bill Sommerfeld
> Sent: Saturday, June 22, 2002 11:04 AM
> To: Joel M Snyder
> Cc: Michael Richardson; ipsec@lists.tislabs.com
> Subject: Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
>
>
> Let's be careful to distinguish between:
>
>  1) the forward-secrecy properties of IPsec key management
>
>  2) the optional second DH exchange done in IKEv1 phase 2, which is
>     what many people think of when they hear "PFS".
>
> I don't believe that there's a need for every SA to have a separate DH
> exchange; what is important is for the spec to allow a user of the
> protocol to know what the forward-secrecy properties are, and that
> requires protocol-visible lifetimes for keying material.
>
> 					- Bill
>