Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
Christopher Wood <caw@heapingbits.net> Wed, 18 March 2020 16:45 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id E37D83A1886
for <saag@ietfa.amsl.com>; Wed, 18 Mar 2020 09:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001,
RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=heapingbits.net header.b=UbDDXAnB;
dkim=pass (2048-bit key)
header.d=messagingengine.com header.b=0DxK3vi1
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id mWAE_KaQcaLg for <saag@ietfa.amsl.com>;
Wed, 18 Mar 2020 09:45:56 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com
[66.111.4.26])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 688183A187E
for <saag@ietf.org>; Wed, 18 Mar 2020 09:45:56 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
by mailout.nyi.internal (Postfix) with ESMTP id F14055C0200;
Wed, 18 Mar 2020 12:45:54 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
by compute1.internal (MEProxy); Wed, 18 Mar 2020 12:45:54 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net;
h=from:to:cc:subject:date:message-id:in-reply-to:references
:mime-version:content-type:content-transfer-encoding; s=fm3; bh=
XHLMSGTtyMc5EI//O5gw6oJgbmKydcqF5Yg5tU+KsiE=; b=UbDDXAnBvTqB7KI2
oaavVyIsiMtTHYaowXfrtLxnQXYN2WqHT1wGqLMIvBs/gIvcmHjN+ZPsuZ64tm5D
6z0kePVII45Szcfxc7yMLtk2ie6/21gsxgrchezYtBYh0Wmt5w5wiexO8vGOhqmc
FhDHbC4fkK5bEqt79xXcjCvHud9i3/QrG6iPnOO/wOGCDgBS/vRTRqPbED9vwKHL
q9g1Y8h6RtgNOQEFw0lPHx9t7ICHtlLQD6cOyvfflgtYAxui7iyYutthza+MaQK6
flBJoxYInsTVuZGgmRpkqLZfaNRQKPdvk+/DaA1Cbld3aN1006zo+NTShtN1nBMG
Nr/9Pg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-transfer-encoding:content-type
:date:from:in-reply-to:message-id:mime-version:references
:subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
:x-sasl-enc; s=fm2; bh=XHLMSGTtyMc5EI//O5gw6oJgbmKydcqF5Yg5tU+Ks
iE=; b=0DxK3vi1fgo8nUywBVCAefQ2mRSkobLycRlsec1VOGT15vIl45f+WA7kZ
2u0LInTY1UCne5aq7B/WqHH4LA/FlnzVWZlQAnmFmzaHzOAZqdE5ZMznydVVEjF5
z/nG9yRdf++XHYdFtteY6tgZf/Z+LJdvDU6ijo6Q5LowTdS8SoGsfsuTuG8FD+Yv
+/5mQvZ35BR6THdGrahT/1ab5BBsFnHXV3rt6uUWPR5qU3FoHZySuSc2lHO/PHxw
oDkf1MzJyDOB/KFdAwCOPp3IE0JyQ2ctl9WUzGPzYFxb2R44xbwrAv2PftUlIiZc
Wr1+jT3tPZZVD33Kkvcdm/utRjo9g==
X-ME-Sender: <xms:QVByXtaoJoTm07G4KLUIIHtNSJOoJ_R4HDYvUpb0Ks5y34FPXfQ8pw>
X-ME-Proxy-Cause:
gggruggvucftvghtrhhoucdtuddrgedugedrudefjedgkeelucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffokfgjfhggtgfgsehtke
hmtdertdejnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif
sehhvggrphhinhhgsghithhsrdhnvghtqeenucfkphepjeefrdelvddrieegrddufedtne
cuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfies
hhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:QVByXuujSCmh3C4WmDZrCR7aAXemQW8GA2Cu1Atfmep3a6oIklziJQ>
<xmx:QVByXqPXNnuC5UFcyDAT1xgyFGE3IwFoD-aN7ZQxrpDCdxu53DA7UA>
<xmx:QVByXh43DMZvWXIx7gCz4xgUo-TCn7WDtIxOvc5UiWeVmSd6TXQTwQ>
<xmx:QlByXgZ6_e_KG85vI5CQxjlBwvD-8_SqOvGoGIvfejF3AEcP3v59DQ>
Received: from [10.0.0.184] (c-73-92-64-130.hsd1.ca.comcast.net
[73.92.64.130]) by mail.messagingengine.com (Postfix) with ESMTPA id
7ED633061DC5; Wed, 18 Mar 2020 12:45:53 -0400 (EDT)
From: "Christopher Wood" <caw@heapingbits.net>
To: "Eric Rescorla" <ekr@rtfm.com>
Cc: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>, saag@ietf.org
Date: Wed, 18 Mar 2020 09:45:52 -0700
X-Mailer: MailMate (1.13.1r5671)
Message-ID: <EAF2B7B5-2366-4FFE-BC15-D03C87A55696@heapingbits.net>
In-Reply-To:
<CABcZeBOFLLYK3LZWQ_dSptQPc1u7=pOS6QWcJZu0sPGn9X_iVw@mail.gmail.com>
References: <7231a98e-e4a2-55c9-3a51-d62886d7d061@htt-consult.com>
<F318A864-CC99-47F7-BEFF-608F93AEB451@akamai.com>
<6b73afd0-6eda-4533-a499-166934702f6e@www.fastmail.com>
<3517.1584548794@eng-mail01.juniper.net>
<CABcZeBOFLLYK3LZWQ_dSptQPc1u7=pOS6QWcJZu0sPGn9X_iVw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At:
<https://mailarchive.ietf.org/arch/msg/saag/BjX_wRkSwFt7t05oBs1MmCPkcFM>
Subject: Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>,
<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
<mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 16:45:58 -0000
On 18 Mar 2020, at 9:38, Eric Rescorla wrote: > I don't feel strongly about this, but would make three points: > > 1. RFC 4949 seems to have both terms, with the main > definition under PFS and FS pointing to PFS and then says: > > Ordinary forward secrecy vs. "perfect" forward secret: Experts > disagree about the difference between these two. Some say there is > no > difference, and some say that the initial naming was unfortunate > and > suggest dropping the word "perfect". Some suggest using "forward > secrecy" for the case where one long-term private key is > compromised, > and adding "perfect" for when both private keys (or, when the > protocol is multi-party, all private keys) are > > > 2. TLS 1.3 explicitly chose to use the term "forward secret" and not > "perfect forward secret". > > 3. One advantage of saying FS and not PFS is that you can then > describe > things as "forward secret" in a way that isn't grammatically awkward, > as in RFC 8446; S 2.3. > > 1. This data is not forward secret, as it is encrypted solely > under > keys derived using the offered PSK. All good points! I based my opinion on the HAC definition, though Jon’s response nudged me the other way. (Thanks, Jon!)
- [saag] Perfect Forward Secrecy vs Forward Secrecy Robert Moskowitz
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Salz, Rich
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Robert Moskowitz
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Christopher Wood
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Salz, Rich
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Dan Brown
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Mark D. Baushke
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Jon Callas
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Eric Rescorla
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Christopher Wood
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Hao, Feng
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Eric Rescorla
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Dan Brown
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Benjamin Kaduk
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Robert Moskowitz
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… John Mattsson