[tedunangst]

Curious that Schneier recommends discrete log crypto in response to a report that the NSA was breaking most crypto. In hindsight, there's a very good chance that the NSA attack in question was the logjam attack against discrete log DH. But, sure, stick with plain DH if it makes you feel safer.

[tptacek]

Yes, I think that recommendation was pretty irresponsible, and not just because of Logjam. You are probably safer using NIST P-curve crypto than you are with RSA, and not just because virtually all RSA applications use insecure RSA constructions, but also because RSA includes the huge footgun of having a direct and easy to (unsafely) use Encrypt/Decrypt primitive.

[ultramancool]

I assume he meant long 2048+ bit DH with user generated primes, which would arguably be safer, just due to sheer simplicity if nothing else.