Uh, what? “Elliptic Curve Digital Signature (ECDSA) is the new kid on the block and makes for much smaller key sizes but isn’t quite as performance friendly or compatible as the old standby RSA.” https://aws.amazon.com/blogs/aws/aws-certificate-manager-launches-private-certificate-authority/
Replying to @grittygrease
We probably oversimplified that blog post. It's being updated, but here's where it came from, for those interested in the minutiae: key size and compatibility are uncontroversial, the perf story is harder. Basically: ECDSA saves CPU/time on the server side, but not the client...
Replying to @colmmacc @grittygrease
Here's "openssl speed" for a simple example, ECDSA vs RSA for verify. In wall-clock time: we've measured about an 80 microsecond hit. Keep in mind that ACM Private CA is for client certificates. pic.twitter.com/UVT97hMRlN
Replying to @colmmacc @grittygrease
Our EC2 network RTTs are in tens of micros too, so it can show up. Moral of the story: ECDSA can slow things down end-to-end. But probably too nuanced a take for a launch blog post.
Replying to @colmmacc
Every handshake has a sign and a verify.
RSA sign+verify: 0.00217+0.00005=0.00222s
ECDSA sign+verify: 0.0002+0.0007=0.0009s
Maybe what you're trying to say is this:
- we're optimizing for *server* CPU
- the server does the verify in client auth
- this CA is only for client certs
Replying to @grittygrease
Maybe too much nuance for a twitter thread too! In the case of Private CA, typically our customers are running both the servers and the clients, and we've found that ECDSA can degrade performance because verify is more expensive.
That can be a server that needs to scale, or a set of clients. We do like to err on the side of caution and warn customers about potential negative consequences. For many customers, ECDSA is a straightforward win. That's why ALB and CloudFront both support ECDSA.
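The thread's argument comes down to which side of the handshake pays for which signature operation. The following Go program is an added example (not code from either participant or from AWS): it times RSA-2048 and ECDSA P-256 sign and verify with the standard library, the same pairs `openssl speed` reports, and then splits the cost across the two peers for an ECDHE-style mutually authenticated handshake in which each side signs once with its own key and verifies the other's signature once. The `HandshakeCost` model, the `Timing` type and the constructed "handshake transcript" digest are assumptions made for illustration; absolute numbers depend on the machine, so only the split between peers is the point.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Timing holds the average cost of one sign and one verify for an algorithm.
type Timing struct {
	Name   string
	Sign   time.Duration
	Verify time.Duration
}

// Constructed input standing in for the TLS transcript hash that gets signed.
var digest = sha256.Sum256([]byte("constructed handshake transcript"))

// timeOps runs sign n times, then verifies the last signature n times,
// and returns the per-operation averages.
func timeOps(name string, n int, sign func() ([]byte, error), verify func([]byte) error) (Timing, error) {
	var sig []byte
	var err error
	start := time.Now()
	for i := 0; i < n; i++ {
		if sig, err = sign(); err != nil {
			return Timing{}, err
		}
	}
	signAvg := time.Since(start) / time.Duration(n)

	start = time.Now()
	for i := 0; i < n; i++ {
		if err = verify(sig); err != nil {
			return Timing{}, err
		}
	}
	return Timing{Name: name, Sign: signAvg, Verify: time.Since(start) / time.Duration(n)}, nil
}

// benchRSA times RSA-2048 PKCS#1 v1.5 signatures over the SHA-256 digest.
func benchRSA(n int) (Timing, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Timing{}, err
	}
	return timeOps("rsa2048", n,
		func() ([]byte, error) { return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) },
		func(sig []byte) error { return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) })
}

// benchECDSA times ECDSA P-256 (ASN.1 DER) signatures over the same digest.
func benchECDSA(n int) (Timing, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Timing{}, err
	}
	return timeOps("ecdsap256", n,
		func() ([]byte, error) { return ecdsa.SignASN1(rand.Reader, key, digest[:]) },
		func(sig []byte) error {
			if !ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig) {
				return fmt.Errorf("ecdsa verify failed")
			}
			return nil
		})
}

// HandshakeCost is the assumed cost model: in a mutually authenticated ECDHE
// handshake each peer signs with its own certificate key and verifies the
// other's signature. The client certificate's algorithm therefore lands as a
// *verify* on the server, which is the hit the thread is talking about.
func HandshakeCost(serverCert, clientCert Timing) (server, client time.Duration) {
	server = serverCert.Sign + clientCert.Verify
	client = clientCert.Sign + serverCert.Verify
	return server, client
}

func main() {
	const n = 200
	rsaT, err := benchRSA(n)
	if err != nil {
		panic(err)
	}
	ecT, err := benchECDSA(n)
	if err != nil {
		panic(err)
	}
	for _, t := range []Timing{rsaT, ecT} {
		fmt.Printf("%-10s sign %v  verify %v\n", t.Name, t.Sign, t.Verify)
	}
	// Private CA scenario: the server keeps an RSA cert, only the client cert changes.
	for _, client := range []Timing{rsaT, ecT} {
		s, c := HandshakeCost(rsaT, client)
		fmt.Printf("server=rsa2048 client=%-10s server CPU %v  client CPU %v\n", client.Name, s, c)
	}
}
```

Run it with `go run .`; the second pair of lines shows that moving only the client certificate to ECDSA changes the server's per-handshake work by the difference between ECDSA and RSA verify, while the client saves the much larger difference between the two sign costs.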