In your previous mail you wrote:

> - ECs are based on a different mechanism than RSA, it is important
> to provide a choice between two basic mechanisms in case one of
> them is discovered far too weak (note this applies too to a EC
> only solution :-)

This I disagree with.

Although the elliptic curve discrete log problem (and the discrete log
problem in general) are separate from the factoring problem, every
breakthrough in one almost invariably produces a breakthrough in the

=> this is your opinion but we have no proof one way or the other.
I agree it should be better to have the other mechanism very different
but as far as I know there is no solid proposal today...

Additionaly, there was a big discussion of this very problem at the
AES candidate meeting in the "choose 1 algorithm or 2" discussion. In
general, the crptographer's consensus is that only a single algorithm
should be chosen, as actually specifying two opens up more
vulnerabilities than a fallback provision provides.

=> the situation is not the same in PKI-like system where a second
mechanism is desirable. This role was taken by DSA but it seems nobody
uses DSA in DNSSEC and X.509 PKIs go from DSA to EC. My idea is if
this is good for X.509 PKI there is no reason to stay far behind.


PS: about DNSSEC today we are no more a choice: it is simply too late:
if there was a good alternative to DNSSEC its time was some years ago...

to unsubscribe send a message to with
the word 'unsubscribe' in a single line as the message text body.