In 2019, ISRG is going to create an ECDSA root certificate, which is good, but ECDSA and the P-256 and P-384 curves are not considered very secure by cryptographers. Also, P-384 currently is not correctly implemented in OpenSSL (it is extremely slow). I think ISRG should strongly advise CA/B Forum to allow Ed25519 and Ed448 certificates and then focus on quantum computer-resistant signing algorithms.
What’s the state of support for these algorithms in browsers and other TLS clients?
Chrome/Chromium already uses Curve25519 as a key exchange curve (X25519) in ECDHE.
I’m always disappointed when people wait for some other party to implement something. What remains is a chicken and egg dilemma. I already know that even when Chrome/Chromium has some Ed25519 support, it will refuse to implement Ed25519 EdDSA because no CA can issue such certificates.
There was an interesting CA/B Forum thread in December:
Quoting Wayne from that thread:
So, if you are a cryptographer or know one who would like to work on that ticket, that would be one way to advance the progress of EdDSA in browsers.
OpenSSL already supports Ed25519 and Ed448 certs.
openssl req -x509 -newkey Ed25519
openssl req -x509 -newkey Ed448
Some VPN providers already use them for OpenVPN server authentication.