On Sat, Dec 14, 2013 at 2:13 PM, falcon <[email protected]> wrote:
> I believe startssl (even) will sign ecdsa certs if you send a csr for one,
> but this is of little utility without an ecdsa trust anchor.
>
> -------- Original message --------
> From: [email protected]
>
> Brian Smith <[email protected]> writes:
> > Cipher Suite                                Count       %
> > ----------------------------------------------------------
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   332,786   8.30%
> > TLS_ECDHE_ECDSA_WITH_RC4_128_SHA            4,601   0.11%
>
> Who issues ECDSA certs?
>
> Is that intra-government usage?
>

Several CAs in Mozilla's CA program are now offering ECDSA certificates.

Some older versions of TLS had a requirement that all certificates in the
cert chain must be signed using the same type of key. However, NSS has
never enforced that and AFAICT most other implementations haven't either.
However, some CAs won't sign ECDSA certificates with their RSA certificates
for reasons that are better described by them than me.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

