Razvan Dragomirescu:
Thank you Ivan! I still dont see a very good reason to _replace_ the current HS system with the one in Prop224 and not run the two in parallel.
For me it's because it would make overall system more complex and thus error-prone and reasonably less secure. Is like using RC4, SHA1, 3DES in TLS and be vulnerable downgrade attacks and all kind of stuff like Sweet32 and LogJam (export-grade onions, haha).
Why not let the client decide what format and security features it wants for its services?
It's like dealing with plethora of ciphers and hashes in GnuPG:
https://moxie.org/blog/gpg-and-me/:
It’s up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words.
When system is complex in that way someone is going make huge mistake(s). If crypto is bad, just put it into museum.
So I don't see _any_ reason to manage outdated and less secure system while we have a better option (if we already deployed it).
-- Ivan Markin