It appears that Hanno Böck <[email protected]> said:

> I already believe the support of Ed25519 is of limited usefulness.
> Given DKIM has no algorithm negotiation mechanism, you have no way of
> knowing what the receiving mail server supports. So you kinda cannot
> really use Ed25519 alone. You'll always have to support RSA, and can
> only support RSA+Ed25519, adding additional complexity for no real
> security advantage.
Right. We wrote the Ed25519 RFC primarily as insurance against the unlikely event that there is a serious break of RSA. People have coded and tested it, so if there were a reason to switch away from RSA, it wouldn't be pleasant but it's doable.

I agree there is no reason to worry about PQC in the foreseeable future. DKIM signatures are intended to be secure for a few weeks, not months or years. In the even more unlikely event that someone builds a practical quantum computer, we will probably switch to whatever signature algorithm DNSSEC decides to use. But I expect to be dead long before that is an issue.

R's,
John

_______________________________________________
Ietf-dkim mailing list -- [email protected]
