> Meanwhile I would gladly fire someone for using AES128 or the NSA-sponsored curves, despite being in Suite B.
Why? Pointing SSL Labs at my bank, it's what they use (ECDH secp256r1). What does your bank use? Or is there a site that you consider more important than that one?
Would you fire the folks at Let's Encrypt, who only offer certs of RSA and P-{256,384}? Gmail, where they do offer x25519, but where most browsers use secp256r1?
Banks are not known for using the best/safest solutions. Just take 4 digit pins and 3DES into account for example.
> who only offer certs of RSA and P-{256,384}?
I am pretty sure that nginx and openssl only recently added support for ed25519 certificates. Although to be honest I don't really like the idea of let's encrypt. The addressing system that tor uses has solved that issue already.
> but where most browsers use secp256r1?
This is an issue. Browser vendors should prioritize the djb algorithms.
Why? Pointing SSL Labs at my bank, it's what they use (ECDH secp256r1). What does your bank use? Or is there a site that you consider more important than that one?
Would you fire the folks at Let's Encrypt, who only offer certs of RSA and P-{256,384}? Gmail, where they do offer x25519, but where most browsers use secp256r1?