Do you really think we will see this more in ECC? How will that happen
more in the ECC?
If I have Ed25519 key, why would someone go against the "SHOULD NOT"
in draft-nir-ipsecme-eddsa draft and use something else than Ed25519,
i.e., why would someone use Ed25519ph, or why would someone use ECDSA
with Ed25519 key (even if it would be possible). Are people really
going to mix different ECC keys with different algorithms? I would
assume it would be better to just create separete keys for each
signature algorithm, and not use the same key.
With RSA I can see the reason, as people do want to reuse the old
existing key they already have and want to use it with old RSA and
with RSASSA-PSS, but I have not yet seen reason for that in ECC.
So can you explain why you think this will happen in the ECC?
I didn't say it would happen. I said it could happen.
The reasons can be various. For example, after wide adoption
of EdDSA some vulnerability is found in the scheme and some
modifications are introduced to eliminate it (analogously to
appearance of RSASSA-PSS). Or more efficient signature
algorithm for exactly the same elliptic curve is found.
I don't know. If you asked me few years ago why would new
RSA signature format ever appear, I wouldn't know what to
answer and would probably agree with you that there were no reasons.
But it happened.
Regards,
Valery.
--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
