Right now expert cryptographers seem to hold conflicting opinions. Some are saying we need to switch to ECC right away, because they take the NSA revelations to mean that the NSA might be able to crack low bit strength RSA and DH (ie: The leak says that ten years ago the NSA had a break through allowing them to crack many forms of cryptography). Others are saying we need to stay far away from it. Personally I prefer ECC by a lot, but if it is broken well obvious it is no good. ECC has been the traditional wisdom up until very recently, with pretty nearly everybody suggesting it be switched to from RSA and DH. But with the NSA revelations, some people are getting cold feet in regard to the ECC algorithms, because the NSA has been their biggest supporter and trying to get everybody to switch to them for some years now (ie: The leak says that the NSA is trying to get people to use encryption that they can break). So use ECC if you think the NSA revelations mean RSA and DH are screwed, and use high bit strength RSA and DH if you think the NSA revelations mean ECC is screwed. Right now the experts are split. ECC is pretty new. I think the mathematics behind ECC is relatively new, only being formalized a bit over a hundred years ago, whereas the mathematics behind RSA go back several thousand years. On the other hand, most people thought ECC was much stronger than RSA bit-for-bit. I really cannot say which I would use. I think ECC has much nicer properties and I would much rather use ECC than RSA or DH, provided it is secure. Honestly though I would probably have to lean more toward RSA or DH with really high bit strength, because not many people are worried the NSA can break those, but some people are worried they can break ECC in general and the others are worried they can break low bit strength RSA/DH.