--On Monday, April 21, 2008 3:11 PM +0200 Tim Tassonis timtas@cubic.ch wrote:
Sorry, but this is rubbish. By your logic, if one joins a conspirative gathering using a secret password and then is told that in future there is a new secret passphrase, he would then be required to leave the room again and reenter it using the new passphrase. There is absolutely no security value in this, just a small entertainment value perhaps.
Reestablishing expired encryption keys clearly has a security value, due to brute force issues on current connection keys.
But if somebody has brute-forced your initial shared secret to establish the connection and you have changed it in the meantime, he will not be more able to establish a connection if you keep that old connection.
I think you just argued for the point Howard was making. We aren't talking about establishing a *new* connection with an old encryption key. We are talking about maintaining a connection once the encryption key has expired. Heimdal lets you do this. MIT does not.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration