Fedora/Redhat and perfect forward secrecy

Gregory Maxwell gmaxwell at gmail.com
Fri Sep 6 23:52:11 UTC 2013


On Fri, Sep 6, 2013 at 2:31 PM, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> | From: Reindl Harald <h.reindl at thelounge.net>
> | Date: Sat, 24 Aug 2013 11:38:21 +0200
>
> | https://bugzilla.redhat.com/show_bug.cgi?id=319901
> |
> | looks like Redhat based systems are the only remaining ones
> | which do not support EECDHE, which is a shame these
> | days in the context of PRISM, and more and more ciphers
> | are going to be unusable (BEAST/CRIME weakness)
>
> It might be the case that the NSA has their fingers in these ECC
> standards.
>
> Here's a Schneier article worth reading:
>   <http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance>
>
> In it, he recommends (among many other things):
>
>     Prefer conventional discrete-log-based systems over elliptic-curve
>     systems; the latter have constants that the NSA influences when
>     they can.
>
> It could be (by accident) that Fedora is more secure due to patents!

The P-256r curve commonly used for ECDH on the web has its parameters
generated by a nothing-up-my-sleeve CSPRNG approach.  I doubt Bruce
was speaking of that... if he was, I think that's a pretty audacious
claim that requires some justification.

Regardless, I think that argument would be an ignorant one:
Approximately no one runs non-ECDH PFS on the web: it's insanely slow
and it breaks clients.  The choice is not between ECDH and RSA based
PFS, the choice is between ECDH and no PFS at all.  Right now Fedora
webservers have no PFS at all.  This cannot be argued to be an
improvement.
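The practical point of the reply is which key exchanges a server actually offers: a suite list with only static-RSA key exchange gives no forward secrecy at all, whereas ECDHE (or the slower DHE) does. The following Python is an added example, not code from the thread or from Fedora; it classifies OpenSSL suite names by their key-exchange prefix and then uses the standard `ssl` module (which wraps the system OpenSSL) to list which suites a given cipher string would enable without forward secrecy. The cipher strings and suite names used as input are constructed for illustration. The exact suite set returned depends on the local OpenSSL build, which is why the audit is done against the live library rather than a hard-coded table.

```python
import ssl

# OpenSSL suite-name prefixes whose key exchange is ephemeral: ECDHE, DHE
# ("EDH-" is the older OpenSSL spelling), and every TLS 1.3 suite ("TLS_..."),
# which always negotiates an ephemeral (EC)DHE share by design.
_PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def is_forward_secret(suite_name: str) -> bool:
    """True if the suite's key exchange is an authenticated ephemeral one.

    Static-RSA suites ("AES128-GCM-SHA256"), static ECDH ("ECDH-RSA-...")
    and anonymous suites ("ADH-", "AECDH-") are reported as not forward
    secret. The anonymous ones are ephemeral but unauthenticated, so a
    server should never offer them either; "!aNULL" removes them.
    """
    return suite_name.startswith(_PFS_PREFIXES)


def classify(suite_names):
    """Split a list of suite names into (forward-secret, not-forward-secret)."""
    pfs = [n for n in suite_names if is_forward_secret(n)]
    non_pfs = [n for n in suite_names if not is_forward_secret(n)]
    return pfs, non_pfs


def non_pfs_suites_enabled_by(cipher_string: str):
    """Return the suites a server context built from `cipher_string` would
    enable that do NOT provide forward secrecy. An empty list means every
    enabled suite (TLS 1.2 and below, plus any TLS 1.3 suites) is PFS.

    set_ciphers() only governs TLS 1.2-and-earlier suites; TLS 1.3 suites
    stay enabled on OpenSSL 1.1.1+ and are classified as forward secret.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    names = [c["name"] for c in ctx.get_ciphers()]
    _, non_pfs = classify(names)
    return non_pfs


# Constructed example cipher strings (assumptions, not any distro's default):
# the first mixes static-RSA suites in with ECDHE, the second restricts the
# server to ECDHE/DHE AEAD suites and drops anonymous key exchange.
WEAK_CIPHER_STRING = "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
PFS_ONLY_CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:!aNULL"

if __name__ == "__main__":
    for label, cs in (("weak", WEAK_CIPHER_STRING), ("pfs-only", PFS_ONLY_CIPHER_STRING)):
        leaks = non_pfs_suites_enabled_by(cs)
        status = "OK: all enabled suites are forward secret" if not leaks \
            else "non-PFS suites enabled: " + ", ".join(leaks)
        print(f"{label:9s} {cs!r}\n          {status}")
```

To audit a running server rather than a cipher string, the same `classify` function can be applied to the suite names a scanner reports; the classification by name is the part that does not depend on OpenSSL.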

