On 15/10/13 23:00, Piotr Sikora wrote:
<snip>
>> Because someone else might use DSA certificates.
>
> It's ECDSA, not DSA... And I'm yet to see a site that offers ECDSA
> instead of RSA certificate.

There are some sites that offer an ECDSA cert where possible, but
fallback to an RSA cert when the client doesn't offer any ECDSA ciphers.
AFAIK, Apache httpd is the only major webserver that can currently be
configured this way.
I expect to see this configuration become more common in the (near?)
future, given that some commercial CAs are now actively selling ECDSA certs.

Nginx currently only allows one cert to be configured, and I too am yet
to see a site that offers _only_ an ECDSA cert. I expect this is due to
the large proportion (I estimate ~20%) of clients that support RSA certs
but not ECDSA certs.

I'd love to see the ECDSA cert + RSA cert feature implemented in Nginx
too. OpenSSL does most of the hard work already. I've written a PoC
patch, but I'll post it to a different thread.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx