by tptacek 2485 days ago
Cryptographers who are much smarter than me disagree with me when I say this but I think there's some truth to this; RSA has, by design, more footguns than the comparable systems you'd create with a modern curve design, starting with the fact that the "directly encrypt with the RSA block transform" primitive is a misfeature.
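Added illustration, not from anyone in the thread and not a library's code: the "directly encrypt with the RSA block transform" footgun mentioned above, worked through in Python on a constructed toy key (p = 61, q = 53, so n = 3233; useless for real security, chosen so the numbers are checkable by hand). It shows the two properties that make bare m^e mod n a misfeature, determinism and multiplicative malleability, next to the RSA-KEM shape that standards use instead: RSA encrypts only a fresh random value and the symmetric key is derived from it with a hash. OAEP padding is the other standard remedy and is not shown here.

```python
import hashlib
import secrets
from typing import Tuple

# Constructed toy RSA key: p = 61, q = 53, so n = 3233 and phi(n) = 3120.
# e = 17 and d = 2753 satisfy e*d = 1 (mod phi(n)). Far too small for real
# use; the size is chosen so the arithmetic is easy to follow by hand.
N, E, D = 3233, 17, 2753
N_BYTES = (N.bit_length() + 7) // 8   # fixed-width encoding for the KDF input


def raw_rsa_encrypt(m: int, n: int = N, e: int = E) -> int:
    """Textbook ("raw") RSA: c = m^e mod n, no padding, no randomness."""
    return pow(m, e, n)


def raw_rsa_decrypt(c: int, n: int = N, d: int = D) -> int:
    return pow(c, d, n)


def raw_is_deterministic(m: int) -> bool:
    """Raw RSA maps a given plaintext to one fixed ciphertext, so repeated or
    low-entropy messages can be recognised or guessed from the ciphertext."""
    return raw_rsa_encrypt(m) == raw_rsa_encrypt(m)


def raw_is_malleable(m1: int, m2: int) -> bool:
    """Raw RSA is multiplicatively homomorphic: E(m1) * E(m2) = E(m1 * m2) mod n.
    Two ciphertexts can be combined into a third that decrypts to a related
    plaintext without the private key. Returns True when the relation holds."""
    combined = (raw_rsa_encrypt(m1) * raw_rsa_encrypt(m2)) % N
    return raw_rsa_decrypt(combined) == (m1 * m2) % N


def kem_encapsulate(n: int = N, e: int = E) -> Tuple[int, bytes]:
    """RSA-KEM shape: never encrypt the message itself. Pick a fresh random r,
    send raw_rsa(r), and derive the symmetric key as H(r). Randomness comes from
    r, so the same recipient sees a different ciphertext every time."""
    r = secrets.randbelow(n - 2) + 2            # r in [2, n - 1]
    c = pow(r, e, n)
    key = hashlib.sha256(r.to_bytes(N_BYTES, "big")).digest()
    return c, key


def kem_decapsulate(c: int, n: int = N, d: int = D) -> bytes:
    r = pow(c, d, n)
    return hashlib.sha256(r.to_bytes(N_BYTES, "big")).digest()


def kem_roundtrip_ok() -> bool:
    """Recipient derives the same symmetric key the sender did."""
    c, key = kem_encapsulate()
    return kem_decapsulate(c) == key


def kem_ciphertexts_vary(trials: int = 5) -> bool:
    """Several encapsulations to the same public key should not all coincide,
    which is exactly the property raw RSA lacks."""
    return len({kem_encapsulate()[0] for _ in range(trials)}) > 1


if __name__ == "__main__":
    print("raw RSA deterministic:", raw_is_deterministic(65))
    print("raw RSA malleable:   ", raw_is_malleable(42, 99))
    print("KEM round trip ok:   ", kem_roundtrip_ok())
    print("KEM ciphertexts vary:", kem_ciphertexts_vary())
```

The KEM half is the part worth keeping in mind: once RSA only ever sees a random r, the homomorphism buys nothing useful and determinism disappears, which is why modern designs expose a KEM or an authenticated-encryption API rather than the block transform itself.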

Tbh RSA should be deprecated; there's really almost no use for it in standard crypto IMO
It's been all but deprecated in TLS 1.3... however, it's been replaced with ECDH/ECDSA - which the NSA is now recommending against: https://threatpost.com/nsas-divorce-from-ecc-causing-crypto-...
That's mostly bullshit. NSA is just saying "don't start a multi-year project to upgrade from RSA to NIST P-256 because you will not be finished with that upgrade before we'll ask you to upgrade to a recommended PQ crypto scheme".

There is nothing wrong with X25519 and Ed25519, except that they are vulnerable to quantum computers (like anything else currently in use).