[eps]

> I believe the way PFS works is that it uses RSA to verify identity and then Diffie-Hellman to establish keys.

It's the other way around. First you do the DH and then use RSA to authenticate (a hash of) DH parameters.