Re: Removing Elgamal signatures

I'm happy to remove it, if there's rough consensus that it be removed, myself. I just want to make sure that there is that consensus.

Elgamal sigs have been controversial from the start.

The main reason for them is to have a discrete-log public key system that parallels RSA in being able to both encrypt and sign. We've always known that Elgamal signatures were tetchy, and 2440 has finger-wagging in that direction, anyway.

In 1998, there was more reason to have a discrete-log encrypt+sign key than there is in 2004. There's very little reason to have them today.

Lutz has stated a preference for them remaining, but with exactly zero implementers of it, that sounds like something resembling rough consensus to remove them.

If we *don't* remove them, then they are part of the standard, but an interesting part of the folklore. If a brand new implementer came to me and asked about them, I'd reply something like the following:

"I don't see why you should implement them. They're a MAY, which means you don't have to. All signature algorithms are tetchy in that if you don't do them right, bad things can happen, but Elgamal sigs are even tetchier. The only people who did implement them removed them after some exasperating bugs showed up. If you implement them, then you have to make sure you don't put in some weird bug. If you do, people will say, 'I told you so.' If you do, anyone with a different implementation can't verify a signature -- you're the only one who does. I see a lot of bother for you and not much benefit. There are much better things for you to spend your time on."

I then hear in my head, "So why didn't you remove them from 2440+ when you had the chance? If they're such a pain that no one does them, why are they there at all?"

I don't have a good answer to that question. I say remove them, myself.