What browsers/percent of users/legacy clients can't do ECDSA certs these days?
A few years back AWS Cloudfront couldn't, but I assume that's been upgraded?
Anything else?
Conversation
Though I guess, if they ever get to enough cubits to break tls 1.3 ed25519 (possibly never) then it won't be long before p521 gets broken.
1
ECDHE with x25519 can be used with an RSA certificate. The key for the certificate doesn't have to be secure over the long term when using proper modern ciphers with forward secrecy. Even old browsers can do it. The session keys matter a lot more and need to be secure long-term.
1
1
The certificate key needs to be secure enough to prevent active interception. Even RSA 2048 is still more than good enough. Session keys would ideally be stronger than what nearly everyone currently uses because that's what actually needs to be broken to get the data later on.
1
2
It's only Internet Explorer where you had to use ECDSA to use ECDHE ciphers. It supports DHE though, so you can still do forward secrecy for Internet Explorer with RSA. Can set up DHE to use 3072 bit keys so it has a comparable security level too. Unnecessarily complex though.
1
P-384, P-521, etc. are unnecessarily slow. It's entirely possible to have higher security level curves with far better performance.
It makes more sense for browsers to add support for more modern curves designed to be more robust with significantly better performance vs. those.
2
P521 was removed from chrome due to a bug and is more oerformant than RSA. This argument is an excuse. Ed25519 is good enough though.
1
Ed448 is the higher security level partner for Ed25519. It's included in TLS 1.3 as one of the standard curves.
US government (NIST) has approved both of these curves so they clearly see the advantages themselves.
It makes more sense to add that than looking to the past now.