I think the Microsoft root programme covers many aspects beyond just TLS. It is true that there is no ECDSA support for UEFI Secure Boot; it pretty much hard requires RSA 2048. It will likely jump to PQC, skipping ECDSA and EdDSA.
Is Microsoft downplaying support for ECC certificates?
Hi folks, does anyone have any insight into this statement on Microsoft's trusted root program requirements page that was updated in Feb?
Signatures using elliptical curve cryptography (ECC), such as ECDSA, are not supported in Windows and newer Windows security features. Users utilizing these algorithms and certificates will face various errors and potential security risks. The Microsoft Trusted Root Program recommends that ECC/ECDSA certificates should not be issued to subscribers due to this known incompatibility and risk.
Link: https://learn.microsoft.com/en-us/security/trusted-root/program-requirements
I know that in many respects Windows (including newer CNG API) certainly does support ECC, including for authentication. Is there really a push against ECC, especially given the NIST approved curves and its better sizes/performance?