It appears that Hannah Stern <[email protected]> said: >Hi! > >On 7/20/25 21:10, John R Levine wrote: >> On Sun, 20 Jul 2025, Wei Chuang wrote: >>> There are two problems: first, the keys that a sender supports are >>> obscured by the selectors. > >> I don't see what the problem is. Every signature has the selector and >> algorithm so the verifier knows what to look for, right? > >Only if we implicitly assume the decision to mandatorily use the same >selector for all algorithms.
No, that depends how we do it. Several of the proposals have separate selectors for each signature. >> Hmm. I want to think some more about whether the rule is that ALL the >> signatures have to be valid (give or take ones the verifier doesn't >> support) or ANY signature is adequate. > >For the still newer PQC algorithms, it could make sense to require that >at least one PQC and at least one preQC algorithm yield a valid >signature. So in case the chosen PQC algorithm turns out to be weak, >we'd be at least still secure-enough against non-quantum attackers. I fear this is a swamp we do not want to enter, trying to say which signatures are "better" than others. If recipient systems want to apply their own heuristics they can do that, but I do not believe that we can guess now what sort of heuristics will be useful or which will be useless or even worse, counterproductive. R's, John _______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
