by nullc 2362 days ago
Answering my own question: The reason it would continue to use 255 bit ECC is because an objective is (ab)using people's GitHub SSH authentication keys.

FWIW, if the idea there is that you'll be able to send encrypted reports to GitHub users based on their SSH keys... that might not work so well in the long run, esp. for security-conscious projects, since good practice would have their GitHub SSH key living in a keyfob that won't decrypt messages for them. :)

2 comments

Native age keys are pure X25519 with no connection to SSH keys. SSH support is kind of a growth hack; I made sure it didn't impact the rest of the design.

Recipient types are the one parameterized thing in the spec, so if we need to switch to Ed448 or a PQ hybrid at some point we absolutely can, without even bumping the version.

I was ready to use this in a project, but “made encryption weaker because GitHub” is not exactly high in its selling points.