On Sat, Jan 22, 2011 at 10:24:35PM +0100, Ralf Hildebrandt wrote:
> Incidentially, I recompiled Postfix against opensssl-1.0 yesterday :)
> I still have to find out if the DFN-PKI-CA (which we're using) is
> issuing certs on ECC keys
There are no mainstream CAs issuing certificates for ECC public keys. In
fact there is a silly (but issued) patent on ECC certificates signed
via an RSA key (all the root CAs are RSA CAs). Also, since most clients
don't grok ECC, an ECC cert would be a second cert for you to pay for,
not your primary cert.
While Postfix supports ECC certs just fine, the topic in this thread
is ECC ephemeral key-agreement, not ECC authentication (i.e. certs).
--
Viktor.
