ietf-openpgp

Re: The case against ElGamal signatures in PGP

1998-06-03 04:54:10
Two main reasons have been given on the OpenPGP list for allowing
ElGamal signatures: flexibility in key size and its patent status.
Your discussion of the first is wrong (see below); you don't address
the second.  In much of the rest of your message, you are beating a
strawman ("can imagine some of the reasons").  All in all, your mail
does not justify changing the status of ElGamal signatures in the
draft.

> to admit I didn't follow the traffic on this list when this type of
> signature was introduced, but I can imagine some of the reasons that one
> might have for introducing them into OpenPGP.  Let's review them.

Please do read the messages in the archive, then feel free to review
them.

> If discrete logs prove to be a solvable problem, both DSA and
> ElGamal will fall, as well as DH encryption.

As you probably know, discrete logs are a solvable problem, the
difficulty of which is a function of the key size.  You fail to
consider the effect of progress in algorithms to efficiently compute
discrete logarithms.

> it would be just as easy to expand the p and q parameters of DSS as
> it would to expand the parameters of pure ElGamal.

Then we need a specification, and a notice from the DSA patent holder
(NSA) that they have no objections against this use.

> Since the DH patent is now expired, that opens the door for free
> unencumbered public key cryptography, creating a level playing
> field.

You seem to imply that the DSA is not covered by patents.  That again
is wrong.  Please refer to the past discussion on the Kravitz patent
on DSA, and Schnorr's US patent, which the owner claims covers DSA and
which has not been challenged in court.

> But straight ElGamal signatures offer no new real capability.  It brings
> nothing new to the table.

As pointed out above, they do.

> In principle, an especially careful implementation could avoid these
> weaknesses.  But at least one implementation of OpenPGP's ElGamal signatures
> has done it wrong.  Others might also do it wrong.  PGP users should not
> have to lie awake at night wondering if the implementor did a perfect job,
> or did he fall into one of the pitfalls that are so easy to fall into.

Netscape, SecuDE and several others fell into one of the pitfalls that
are so easy to fall into by fielding crypto implementations with
fatally flawed PRNGs.  RSA has been done wrong.  Your point being
what?

> It does not matter that it is a bad algorithm, reviewers will
> compare products in such a way as to make it look better if you
> implement ElGamal signatures.

It is not a bad algorithm.  If you feel that your company is not
capable of implementing it properly, well, don't do it.  Others can
avoid all known weaknesses and provide their users with a useful
algorithm.

> there will always be doubts raised when mainstream lay journalists
> (or lay users) rediscover any of the old academic papers that have
> reported on weaknesses or attacks on ElGamal signatures.  We will
> find ourselves having to explain this away, over and over again.

There are academic papers on weaknesses of RSA, PRNGs and what not.
There even are papers on specific weaknesses of PGP.  The purpose of
academic papers is to learn from the past and do better afterwards.
None of those papers is a reason not to implement RSA or ElGamal. You
just have to know the weaknesses and avoid them.
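The thread above argues about "pitfalls" in ElGamal signatures without naming one. The following is an added illustration, not code from either poster or from any OpenPGP implementation, of the best-known verifier pitfall: accepting a signature without checking 0 < r < p. With that check missing, one valid signature can be turned into a signature on any message the attacker likes; with the check present, the forgery is rejected. The parameters (p = 1019, g = 2, the private key, the nonce and the message integers) are constructed toy values chosen for readability; a real implementation would use a large prime, sign a hash of the message, and draw k from a proper PRNG.

```python
"""Textbook ElGamal signatures over toy parameters, with a sloppy and a
careful verifier side by side.  Added example; not code from the list."""
from math import gcd

# Constructed toy parameters.  P is a safe prime (2 * 509 + 1) and 2 is a
# generator of Z_P^* (2 is a non-residue since P = 3 mod 8).  Far too small
# for real use; the point is the verifier logic, not the key size.
P = 1019
G = 2


def keygen(x):
    """Private key x, public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(x, m, k):
    """Sign integer m (0 <= m < p-1) with private key x and per-signature
    nonce k.  k must be coprime to p-1 so it has an inverse mod p-1."""
    assert 0 < k < P - 1 and gcd(k, P - 1) == 1
    r = pow(G, k, P)
    s = ((m - x * r) * pow(k, -1, P - 1)) % (P - 1)
    return r, s


def verify_sloppy(y, m, r, s):
    """Checks only the congruence g^m == y^r * r^s (mod p).  This is the
    pitfall: r is never range-checked."""
    return pow(G, m, P) == (pow(y, r, P) * pow(r, s, P)) % P


def verify_careful(y, m, r, s):
    """Same congruence, but first insists on 0 < r < p and 0 < s < p-1."""
    if not (0 < r < P):
        return False
    if not (0 < s < P - 1):
        return False
    return verify_sloppy(y, m, r, s)


def forge(m, r, s, m_prime):
    """Given a valid (r, s) on m, build (r', s') that the sloppy verifier
    accepts for m_prime.  Needs gcd(m, p-1) == 1.

    Let u = m' / m (mod p-1) and s' = s*u (mod p-1).  Choose r' by CRT so
    that r' == r (mod p) and r' == r*u (mod p-1).  Then
        y^r' * r'^s'  ==  y^(r*u) * r^(s*u)  ==  (y^r * r^s)^u  ==  g^(m*u)  ==  g^m'   (mod p)
    The only thing that gives it away is that r' >= p."""
    u = (m_prime * pow(m, -1, P - 1)) % (P - 1)
    s_prime = (s * u) % (P - 1)
    # CRT with moduli p and p-1 (coprime).  Since p == 1 (mod p-1),
    # r' = r + p*t satisfies r' == r + t (mod p-1); pick t accordingly.
    t = ((r * u) - r) % (P - 1)
    r_prime = (r % P) + P * t
    return r_prime, s_prime


if __name__ == "__main__":
    x, y = keygen(357)          # constructed private key
    m, m_prime = 123, 777       # both coprime to p-1 = 2 * 509
    r, s = sign(x, m, 5)        # constructed nonce k = 5
    print("genuine signature  :", (r, s), verify_careful(y, m, r, s))
    rp, sp = forge(m, r, s, m_prime)
    print("forged r' >= p     :", rp >= P)
    print("sloppy verifier    :", verify_sloppy(y, m_prime, rp, sp))
    print("careful verifier   :", verify_careful(y, m_prime, rp, sp))
```

The forgery does not touch the private key; it is purely a failure of the verifier to enforce the domain of r, which is why the careful verifier's two range checks are the whole fix. Nonce reuse (the same k for two messages leaks x) is a separate, equally classic pitfall on the signer's side and is what the PRNG remark in the thread is about.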