On 08/16/2016 05:44 AM, Peter Gutmann wrote:
> As far as I can see what this text is saying is that if the client can't guess
> in advance which PFS suite/group the server knows about, the server must
> disable use of PFS. In other words instead of saying "give me a PFS suite,
> preferably with this group", it's saying "give me a PFS suite with exactly
> this group and if you can't do that, don't do PFS". This seems like a pretty
> awful way to handle things.
>
Recall that the "perfect" part depends on both sides doing what they're supposed to. And if the server wants to behave badly and is doing a not-named group, it can send something that is not prime, or has small subgroups, etc. -- not all clients will check, so the client is definitely not guaranteed forward secrecy.

-Ben
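The checks Ben is alluding to, written out as an added example (this is not code from the thread or from any TLS implementation). It models a client receiving a server-chosen DHE group (p, g) and the server's public value, and refuses to proceed when p is not prime, when (p-1)/2 is not prime (so the group has small subgroups beyond {1, p-1}), or when the server's public value sits in a trivial subgroup. The function names, the min_bits parameter and all numeric inputs are constructed for illustration; the toy primes are far too small for real use and exist only so the cases can be traced by hand.

```python
"""Client-side sanity checks on a server-supplied DHE group.

Added example, not code from the TLS list thread or any TLS stack. A client
that accepts an arbitrary (p, g, Ys) from the server without checking it
cannot know whether the exchange gives it forward secrecy at all.
All numbers used in the demo are constructed toy values.
"""
import random

# Small primes used both for trial division and as fixed Miller-Rabin bases.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, extra_rounds=16):
    """Miller-Rabin primality test.

    With the fixed bases above the answer is deterministic for n < 3.3e24;
    for larger n a few random bases are added, which is the usual practice.
    """
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = list(_SMALL_PRIMES)
    if n >= 3317044064679887385961981:
        bases += [random.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def check_dhe_params(p, g, server_pub, min_bits=2048):
    """Return a list of problems with (p, g, server_pub); empty means acceptable.

    min_bits is a hypothetical policy knob; the demo lowers it so that
    hand-checkable toy primes can be used.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is only {p.bit_length()} bits (want >= {min_bits})")
    if not is_probable_prime(p):
        problems.append("p is not prime")
        return problems  # no further check is meaningful without a field

    q = (p - 1) // 2
    if not is_probable_prime(q):
        # If p-1 = 2q with q prime, the only subgroups are of order 1, 2, q, 2q.
        # Otherwise p-1 has small factors and small-subgroup elements exist.
        problems.append("(p-1)/2 is not prime: p is not a safe prime, so small subgroups exist")

    if not 2 <= g <= p - 2:
        problems.append("generator g outside [2, p-2]")

    if not 2 <= server_pub <= p - 2:
        # 1 and p-1 force the shared secret to be 1 or +/-1 regardless of our exponent.
        problems.append("server public value outside [2, p-2] (trivial shared secret)")
    elif pow(g, q, p) == 1 and pow(server_pub, q, p) != 1:
        # g generates the order-q subgroup, so an honest public value must too.
        problems.append("server public value not in the order-q subgroup generated by g")
    return problems


if __name__ == "__main__":
    # Constructed toy groups: 1019 = 2*509 + 1 is a safe prime; 4 has order 509.
    good = (1019, 4, pow(4, 123, 1019))
    cases = {
        "honest server": good,
        "p not prime": (1001, 2, 5),
        "p prime but not safe": (1009, 11, 12),
        "public value in wrong subgroup": (1019, 4, 2),
        "public value is p-1": (1019, 4, 1018),
    }
    for label, (p, g, ys) in cases.items():
        print(f"{label:32s} -> {check_dhe_params(p, g, ys, min_bits=0) or 'OK'}")
```

The point of the order-q check at the end is the one Ben makes: a client that only verifies it received *some* numbers, and not that they describe the group it was promised, gets a shared secret whose secrecy depends entirely on the server's good behaviour.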
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls