by lvh 2933 days ago
Securealpolitik: saying there are safe asymmetric primitives doesn’t mean that’s what’s actually deployed. As long as the spec says it’s P256 ECDSA, it’s a pretty reasonable assumption someone is going to screw up nonce handling.

(Incidentally ECDSA really is that much slower, but I appreciate that could be seen as cherry picking because ECDSA is slow even for an asymmetric algorithm.)

I don’t think the argument we’re trying to make is that asymmetric crypto definitionally can’t work. I’m pretty happy TLS exists. Just skeptical that you want to build your s2s auth on it.