[tor-dev] [draft] Proposal 220: Migrate server identity keys to Ed25519

[grarpamp]

> proposal, I guess, by having documents signed with Ed25519 and
> RSA1024... but one of the signatures is much better than the other:
> 255-bit ECC groups will be secure long after RSA1024 has fallen.

I think the reference I saw was referring not to extended effective key
length [1] but to offset algorithms [2], in case some maths pop up from
the hole and say look what we just broke. Yes, both are sortof happening
above. I doubt Tor would be the first realtime target upon that news anyway
and would be written around in a flag week. Stored traffic later might. O well.

[1] eg: 256 ecc ~= 3k rsa afaik
[2] As in the md5/sha1 to n (below) to sha3 situation. And maybe
some creeping closer for rsa now too.

> (I'm also a little surprised that nobody has said we should be using
> Keccak or Blake2 in place of SHA256/SHA512 here. ;) )