Bill Stewart writes:
perry@piermont.com replied
Signed Diffie-Hellman key exchanges have the property known as "Perfect Forward Secrecy". Even if the opponent gets your public keys it still will not decrypt any traffic for him at all -- it just lets him pretend to be you. Thats one reason why protocols like Photuris and Oakley use the technique.
DH key exchange is really only Exponentially Good Forward Secrecy, and in its primary use (exchanging keys for symmetric-key algorithms) the system is at best Good Enough Forward Secrecy.
No, signed D-H like STS is in fact perfect forward secrecy in the sense that breaking the RSA keys gives you no information about the session keys, and breaking one of the D-H exchanges does not (in theory) give you any information about any of the others. Perry