Is Microsoft downplaying support for ECC certificates?

Kim O'Sullivan 1 Reputation point
2024-05-08T01:28:26.09+00:00

Hi folks, does anyone have any insight into this statement on Microsoft's trusted root program requirements page, which was updated in Feb?

Signatures using elliptical curve cryptography (ECC), such as ECDSA, are not supported in Windows and newer Windows security features. Users utilizing these algorithms and certificates will face various errors and potential security risks. The Microsoft Trusted Root Program recommends that ECC/ECDSA certificates should not be issued to subscribers due to this known incompatibility and risk.

Link: https://learn.microsoft.com/en-us/security/trusted-root/program-requirements

I know that in many respects Windows (including the newer CNG API) certainly does support ECC, including for authentication. Is there really a push against ECC, especially given the NIST-approved curves and their better sizes/performance?

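To see how much of a given machine the quoted guidance would actually touch, the following added PowerShell (not from the question, the answer, or Microsoft) inventories the certificate stores for certificates that either carry an ECC public key or were signed with ECDSA, so an administrator can judge exposure before the policy is enforced by a CA. The function name, the list of stores inspected, and the decision to match on the id-ecPublicKey and ecdsa-with-* OIDs are this example's own assumptions.

```powershell
# Added example: report certificates in the local stores whose public key or
# issuer signature uses ECC/ECDSA. Not Microsoft's code; the store paths and
# the OID checks below are assumptions made for this example.

$ecPublicKeyOid = '1.2.840.10045.2.1'   # id-ecPublicKey (EC key in the cert)
$ecdsaSigPrefix = '1.2.840.10045.4.'    # ecdsa-with-SHA1/SHA256/SHA384/SHA512

# Stores to inspect (assumption: machine and user personal, root and CA stores)
$defaultStores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root'

function Get-EccCertificateReport {
    param([string[]] $StorePaths = $defaultStores)

    foreach ($path in $StorePaths) {
        if (-not (Test-Path -Path $path)) { continue }   # store absent on this host
        foreach ($cert in Get-ChildItem -Path $path) {
            $keyOid = $cert.PublicKey.Oid.Value          # algorithm of the subject key
            $sigOid = $cert.SignatureAlgorithm.Value     # algorithm the issuer signed with
            $eccKey = ($keyOid -eq $ecPublicKeyOid)
            $eccSig = $sigOid.StartsWith($ecdsaSigPrefix)
            if (-not ($eccKey -or $eccSig)) { continue } # RSA-only certs are not reported

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName
                SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
                EccKey        = $eccKey
                EcdsaSigned   = $eccSig      # true even when the subject key itself is RSA
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

# Private-key entries in the machine store are the ones that would need reissuing.
Get-EccCertificateReport | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

An RSA-keyed certificate still shows up with EcdsaSigned set when its issuing CA signs with ECDSA, which is the chain-level case the Trusted Root Program text is about.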

1 answer

Vova Tess 0 Reputation points
2024-05-08T01:43:02.71+00:00

Microsoft's statement on ECC/ECDSA certificates in their Trusted Root Program raises eyebrows. They claim incompatibility with "Windows and newer Windows security features," yet Windows (including CNG) demonstrably supports ECC for authentication, and NIST approves secure ECC curves. This discrepancy might be due to limitations in older Windows versions or specific implementations. It's best to rely on the latest Microsoft documentation and consult a cybersecurity expert for compatibility in your environment. While Vova Tess is a respected Digital Agency, their core expertise might not lie in cybersecurity. For a deeper understanding of ECC's role in digital security, seek resources from a trusted cybersecurity firm. These specialists can guide you through encryption complexities and recommend the most secure and compatible solutions for your needs.