What browsers/percent of users/legacy clients can't do ECDSA certs these days?
A few years back AWS CloudFront couldn't, but I assume that's been upgraded?
Anything else?
Though I guess, if they ever get to enough qubits to break TLS 1.3 Ed25519 (possibly never) then it won't be long before P-521 gets broken.
ECDHE with X25519 can be used with an RSA certificate. The key for the certificate doesn't have to be secure over the long term when using proper modern ciphers with forward secrecy. Even old browsers can do it. The session keys matter a lot more and need to be secure long-term.
The certificate key needs to be secure enough to prevent active interception. Even RSA 2048 is still more than good enough. Session keys would ideally be stronger than what nearly everyone currently uses because that's what actually needs to be broken to get the data later on.
It's only Internet Explorer where you had to use ECDSA to use ECDHE ciphers. It supports DHE though, so you can still do forward secrecy for Internet Explorer with RSA. Can set up DHE to use 3072-bit keys so it has a comparable security level too. Unnecessarily complex though.
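Added example, not written by anyone in this thread: a small Python sketch that splits OpenSSL-style TLS 1.2 suite names into key exchange and certificate key type, then lists which forward-secret suites a given certificate leaves usable for a client offer. The two offers (`LEGACY_OFFER`, `MODERN_OFFER`) are constructed samples, not the suite list of any real browser, and the helper names are hypothetical.

```python
# Which forward-secret suites remain usable with an RSA vs an ECDSA certificate?
FS_KEX = {"ECDHE", "DHE"}   # ephemeral Diffie-Hellman gives forward secrecy
CERT_AUTH = {"RSA", "ECDSA"}
STATIC_RSA_PREFIXES = ("AES", "DES", "CAMELLIA")  # e.g. AES128-SHA

def classify(suite):
    """Return (key_exchange, cert_key_type, forward_secret) for a suite name."""
    if suite.startswith("TLS_"):
        # TLS 1.3 names carry only AEAD and hash: key exchange is always
        # ephemeral and the certificate type is negotiated separately.
        return ("(EC)DHE", "any", True)
    parts = suite.split("-")
    if len(parts) > 1 and parts[0] in FS_KEX and parts[1] in CERT_AUTH:
        return (parts[0], parts[1], True)
    if parts[0].startswith(STATIC_RSA_PREFIXES):
        # Name omits both fields: static RSA key transport, RSA certificate.
        return ("RSA", "RSA", False)
    raise ValueError(f"suite family not handled by this sketch: {suite}")

def usable(offer, cert_key_type, require_fs=True):
    """Suites from the client's offer that work with the server's certificate."""
    picked = []
    for suite in offer:
        _, auth, fs = classify(suite)
        if auth in (cert_key_type, "any") and (fs or not require_fs):
            picked.append(suite)
    return picked

# Constructed sample offers (assumptions for illustration only).
LEGACY_OFFER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]
MODERN_OFFER = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_OFFER), ("modern", MODERN_OFFER)):
        for cert in ("RSA", "ECDSA"):
            print(label, cert, usable(offer, cert))
```

With the constructed legacy offer, an RSA certificate still leaves a forward-secret DHE suite, which is the situation the last reply describes.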


