by wolf550e 2447 days ago
1. They show libgcrypt managed to have the bug in EdDSA (https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=c...).

2. People need to use ECDSA for the same reason they need to use RSA: compatibility. In particular, EdDSA webpki certificates will likely never happen (https://cabforum.org/pipermail/servercert-wg/2019-June/00087...).


But, if you fear and loathe ECDSA (and I do as well), it's probably a good idea to get in early against protocols that seek to deploy more of it. For instance, DNSSEC, which is barely deployed anywhere on the Internet, is just now (as in, resolvers couldn't reliably verify ECC records until recently) introducing ECC support --- with ECDSA.
I think EdDSA desperately needs to be allowed in FIPS certified hardware, so that secure hardware will have support for EdDSA and people who have to store keys in secure hardware will be able to use it. I mean HSMs, smart cards, secure enclaves, TPMs, things with an ATECC508A, etc.
Can downvoters explain why I'm wrong?
There's no reason I'm aware of to use libgcrypt over other available crypto. Don't use libgcrypt.