Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.

[Nicolas Williams <Nicolas.Williams%sun.com@localhost>]

On Tue, Apr 15, 2003 at 09:16:40PM +0300, Heikki Nousiainen wrote:
> My point is, since we don't know whether the key exchange algorithm 
> provides PFS, I think we can't make an explicit claim about PFS in SSHv2. 
> Certainly that is the case for diffie-hellman-group1-sha1 (and as far as 
> I know, for the rest of the key exchange methods drafted), but not 
> necessarily for all key exchange methods used within the protocol.

Er, yes, but, a) today all key exchange methods specified for SSHv2 have
PFS, and b) one would hope that all future ones will also.

Of course, (b) is no guarantee of anything, so I must cede the point :)

> [...]
> > Perhaps there should be a sub-section on the key exchange phase of the
> > protocol.
> 
> The core document should address diffie-hellman-group1-sha1, and each key 
> exhance method draft should discuss the security considerations for the 
> given alogrihm.

I think the core doc's security considerations section can certainly
state that "if the kex used has PFS then the session keys can be
perfectly forward secure" or something like that.  Point is, it's worth
pointing out, in the core drafts, that PFS is there [always today, even
if perhaps not always tomorrow].

Cheers,

Nico
--