[Cryptography] Perfection versus Forward Secrecy
Guido Witmond
guido at witmond.nl
Thu Sep 12 17:32:29 EDT 2013
On 09/12/13 18:33, Tony Arcieri wrote:
> On Wed, Sep 11, 2013 at 8:00 PM, John Gilmore <gnu at toad.com
> <mailto:gnu at toad.com>> wrote:
>
> There doesn't seem to be much downside to just calling it "Forward
> Secrecy" rather than "Perfect Forward Secrecy". We all seem to agree
> that it isn't perfect, and that it is a step forward in security, at a
> moderate cost in latency and performance.
>
>
> What's really bothered me about the phrase "perfect forward secrecy" is
> it's being applied to public key algorithms we know will be broken as
> soon as a large quantum computer has been built (in e.g. a decade or
> two). Meanwhile people seem to think that it's some sort of technique
> that will render messages unbreakable forever.
Perhaps of (little) comfort:
By the time that quantum computer has been built, it will become clear
that by breaking the PFS crypto, you also break the non-repudiation.
In other words: No one can claim in a (decent) court that a certain
message has been sent by you, when the quantum computer can break both
the PFS and the merkle-tree hashes that are supposed to prove the
authenticity.
In the mean time, remember Scott Mc Nealy: "Privacy online is dead."
Guido.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130912/d3b91ef1/attachment.pgp>
More information about the cryptography
mailing list