Either way, it seems that we need to clarify the standard.
I agree. I've been working on a specific use case (decryption and
validation of messages when public parts of the key are unavailable) and
the amount of cryptographic agility here is, in my opinion, unwarranted.
From what I can see SHA-256 is the most prevalent hash for ed25519
signed messages now but I see no problem in SHOULD'ing SHA-512 to align
with existing standards.
openpgp mailing list