Interesting. I don't love the 7,856 Byte signatures, but that is because I am designing a protocol where any push notifications have to fit in a single network packet.

To: yourpk

For: application/context/hash

From: mypk

At: timestamp

Encrypted_Notification_Data: Could be a list of resources hashes available by request, or a short love letter, depending on above application context hash

Signed: signature

I want it all in a packet so spam can be dropped immediately. If the signature itself takes 6 packets without end-to-end jumbo frames, it isn't going to work.

But I do like the future proofing. Need to look into it more. I had kinda been hoping a good lattice method would rise to the top but I guess those have long signatures as well.