Future proofing? The history of encryption is riddled with examples of
overconfidence.
Well, sure, and I would not be opposed to revisiting this issue in a
decade.
As Scott noted, approximately nobody handles ed25519 yet, and nobody will
until there is some reason to believe that RSA signatures are too weak.
Adding another five tons of steel to the door won't change that.
And on the third hand, if something unexpected happens and RSA and ed25519
both fail, why do you imagine Ed448 wouldn't fail too? If someone figures
out how to make large quantum computers, they're all toast and we'll have
to switch to PQC.
R's,
John
On Fri, Oct 27, 2023 at 2:02 PM John Levine <[email protected]> wrote:
It appears that Scott Kitterman <[email protected]> said:
On October 27, 2023 2:56:30 PM UTC, "Murray S. Kucherawy" <
[email protected]> wrote:
On Sun, Oct 1, 2023 at 1:50 AM Jan Dušátko <jan=
[email protected]>
wrote:
I would like to ask to consider the possibility of defining a DKIM
signature using Ed448. [...]
My view is that more encryption algorithms are bad for interoperability.
For DKIM signing/verifying to work, senders
and verifiers need a common algorithm. More choices make this more
complex to achieve.
We standardized ed25119 as a hedge against unknown vulnerability in RSA.
...
Since we already have ed25519, why would we want ed448? If ed25519 is a
ten ton steel
door on our cardboard box, ed448 is a fifteen ton steel door.
R's,
John
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
