[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

[John Kelsey]

Your cryptosystem should be designed with the assumption that an attacker will record all old ciphertexts and try to break it later.  The whole point of encryption is to make that attack not scary.  We can never rule out future attacks, or secret ones now.  But we can move away from marginal key lengths and outdated, weak ciphers.  Getting people to do that is like pulling teeth, which is why we're still using RC4, and 1024-bit RSA keys and DH primes.  

--John