In message <[EMAIL PROTECTED]> <4.1.20000504185552.00[EMAIL PROTECTED]>, John Kelsey writes:
>At 02:16 PM 5/4/00 -0400, William Allen Simpson wrote:
>>In response to Perry's editorial comment:
>
>...
>>Once the private RSA key is _destroyed_ PFS is attained.
>
>Right. The thing is, usually you think in terms of generating a new key
>for every communication session and then discarding the key at the end of
>the session. This is a lot cheaper for Diffie-Hellman keys than for RSA
>keys, but you can certainly do it in principle.

Right. I've been known to describe ssh's approach -- hourly, generate a new,
relatively-short RSA key for session key exchange -- as "imperfect forward
secrecy", since if you strike at the right time you can read the traffic.

--Steve Bellovin
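To make the "imperfect forward secrecy" point concrete, here is an added illustration (my own model, not code from this thread or from ssh) of how much recorded traffic a single private-key capture exposes under three key-lifetime policies: one long-lived RSA key, an hourly-regenerated RSA key, and a fresh key per session that is destroyed afterwards. The timeline, session start times and compromise time are constructed for the example; an attacker is assumed to have recorded all traffic and to obtain only the private key that is live at the moment of compromise, earlier keys having been destroyed.

```python
from typing import Callable, Dict, List

# A policy maps a point in time (minutes since the constructed epoch) to the
# identifier of the key-exchange private key that is live at that moment.
Policy = Callable[[int], str]

def static_key(minute: int) -> str:
    return "rsa-static"                  # one key for the lifetime of the host

def hourly_key(minute: int) -> str:
    return f"rsa-hour-{minute // 60}"    # regenerated every 60 minutes (ssh-style)

def per_session_key(minute: int) -> str:
    return f"rsa-session-{minute}"       # unique key per session, destroyed after use

def exposed_sessions(sessions: List[int], policy: Policy, compromise_minute: int) -> List[int]:
    """Return the sessions whose session key an attacker can unwrap after
    capturing the private key live at `compromise_minute`.  Keys from earlier
    periods were destroyed, so only sessions wrapped under the captured key
    are readable, even though all traffic was recorded."""
    captured = policy(compromise_minute)
    return [start for start in sessions if policy(start) == captured]

# Constructed timeline: one short session starting at each of these minutes,
# and a key capture (e.g. read out of memory) at minute 90.
SESSIONS = [5, 30, 59, 61, 90, 119, 125, 200]
COMPROMISE_AT = 90

def exposure_report(sessions: List[int] = SESSIONS,
                    compromise_minute: int = COMPROMISE_AT) -> Dict[str, List[int]]:
    """Exposed sessions per policy; the hourly policy leaks everything in the
    current hour, which is the 'strike at the right time' window."""
    policies = {"static": static_key, "hourly": hourly_key, "per-session": per_session_key}
    return {name: exposed_sessions(sessions, p, compromise_minute)
            for name, p in policies.items()}

if __name__ == "__main__":
    for name, hits in exposure_report().items():
        print(f"{name:12s} exposes {len(hits)} of {len(SESSIONS)} sessions: {hits}")
```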