On Tue, Aug 13, 2013 at 4:13 AM, Nick Mathewson <nickm@torproject.org> wrote:
   Ed25519 (specifically, Ed25519-SHA-512 as described and specified at
   http://ed25519.cr.yp.to/) is a desirable choice here: it's secure,
   fast, has small keys and small signatures, is bulletproof in several
   important ways, and supports fast batch verification. (It isn't quite
   as fast as RSA1024 when it comes to public key operations, since RSA
   gets to take advantage of small exponents when generating public
   keys.)

At the risk of invoking something that was already discussed to death (and I was not aware): why not go with something established like P-521 that would apparently be a drop-in replacement with OpenSSL? Are the benefits really worth it?

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte