On Tue, Aug 16, 2016 at 1:34 PM, Benjamin Kaduk <bka...@akamai.com> wrote:
> On 08/16/2016 05:44 AM, Peter Gutmann wrote:
>> As far as I can see what this text is saying is that if the client can't guess
>> in advance which PFS suite/group the server knows about, the server must
>> disable use of PFS. In other words instead of saying "give me a PFS suite,
>> preferably with this group", it's saying "give me a PFS suite with exactly
>> this group and if you can't do that, don't do PFS". This seems like a pretty
>> awful way to handle things.
>
> Recall that the "perfect" part depends on both sides doing what they're
> supposed to. And if the server wants to behave badly and is doing a
> not-named group, it can send something that is not prime, or has small
> subgroups, etc. -- not all clients will check, so the client is definitely
> not guaranteed forward secrecy.

A malicious server can also send the PMS to the Nation State Adversary.
Compromised endpoints offer no security.

> -Ben
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.
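Ben's point above, that a server offering a non-named group can send a modulus that is not prime or has small subgroups and that not all clients check, is the one place in the thread a worked example helps. The following is an added example, not code from the thread or from any TLS implementation: the checks a client can run on server-supplied finite-field DH parameters and on the peer's public value before using them. The function names, the safe-prime requirement and the 2048-bit minimum are my choices, not something the thread specifies.

```python
import secrets

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test (error < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # composite witness found
    return True

def check_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Return the problems found with a server-supplied (p, g); [] means OK.

    p must be a safe prime (p = 2q + 1, q prime): then the only subgroups
    have order 1, 2, q or 2q, so there is no small subgroup into which a
    misbehaving server could force the shared secret."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus only {p.bit_length()} bits")
    if not is_probable_prime(p):
        return problems + ["modulus is not prime"]
    if not is_probable_prime((p - 1) // 2):
        problems.append("(p-1)/2 is not prime: small subgroups exist")
    if not 2 <= g <= p - 2:
        problems.append("generator outside [2, p-2]")
    return problems

def check_peer_public(p: int, y: int) -> bool:
    """Accept a peer value only if it is in [2, p-2] and in the order-q
    subgroup of a safe prime p (y**q == 1), which is stricter than the
    range check alone."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1
```

The small moduli used in the checks below are constructed for illustration; a real client would apply these to the server's actual parameters with the default minimum size.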