From: John Dlugosz
Anyway, both undeniable and designated confirmer signatures are patented
by Chaum, so they would probably not be suitable for use in a protocol
like OpenPGP.
In most cases, I think you can build anything out of anything else (if you
allow more round-trips), so a few primitives are all you need. OpenPGP
provides public key encryption and ordinary signatures, as well as symetric
encryption and HMAC. Those can be used as part of a protocol to do just
about anything.
A higher standard would say "here is how you use OpenPGP to do email" etc.
and specify such a protocol. So, I don't think it is necessary to add any
new stuff to PGP, just to use what we have in some new way.
--John