*   I want to use ECDSA for my Web server's SSL certificate via an ACME client 
to Let's Encrypt and maybe later BuyPass.

That’s fine.


  *   I thought that EC is better than RSA, but now I don't think so. The 
answer seems to be: it depends.

There are trade-offs.  The biggest one is that EC gives equivalent security 
with a much smaller keysize.


  *   Safe Curves (SafeCurves: Introduction <https://safecurves.cr.yp.to/>) says …

FWIW, SafeCurves is mostly the guy behind 25519 :) This is not a slam against 
djb, who’s kinda brilliant.

If you’re not sure what to do, perhaps follow what the browsers do.  That way 
if something’s wrong you’ll just be going up in flames with the rest of the 
world.

If you don’t trust the NSA and therefore don’t trust NIST, do you accept AES? 
What about when they approve 25519?
