George Kadianakis:
If we move to the higher security of (e.g.) 128 bits, the base32 string suddenly becomes 26 characters. Is that still conveniently sized to pass around, or should we admit that we failed this goal and we are free to crank up the security to 256 bits (output size of SHA-256) which is a 52 character string?
In doubt: if possible, maintainable, not too much work, you name it... When having the less secure version as default, please let the hidden service hosts decide if they want to use the more secure version by using an option.
I don't know if the petname system is a completely orthogonal issue or if it could be considered when you decide this one.
Or have an option for maximum key length and a weaker default if common CPUs are still too slow? I mean, if you want to make 2048 bit keys the default because you feel most hidden services have CPUs which are too slow for 4096 bit keys, then use 2048 bit as default with an option to use the max. of 4096 bit.
Bonus point: Can you make the new implementation support less painful updates (anyone or everyone) when the next update will be required? (forward compatibility)
I was also trying to think of a solution to this problem, but I failed.
Thanks for considering!