I'm happy to remove it, if there's rough consensus that it be removed,
myself. I just want to make sure that there is that consensus.
Elgamal sigs have been controversial from the start.
The main reason for them is to have a discrete-log public key system
that parallels RSA in being able to both encrypt and sign. We've always
known that Elgamal signatures were tetchy, and 2440 has finger-wagging
in that direction, anyway.
In 1998, there was more reason to have a discrete-log encrypt+sign key
than there is in 2004. There's very little reason to have them today.
Lutz has stated a preference for them remaining, but with exactly zero
implementers of it, that sounds like something resembling rough
consensus to remove them.
If we *don't* remove them, then they are part of the standard, but an
interesting part of the folklore. If a brand new implemented came to me
and asked about them, I'd reply something like the following:
"I don't see why you should implement them. They're a MAY, which means
you don't have do. All signature algorithms are tetchy in that if you
don't do them right, bad things can happen, but Elgamal sigs are even
tetchier. The only people who did implement them removed them after
some exasperating bugs showed up. If you implement them, then you have
to make sure you don't put in some weird bug. If you do, people will
say, 'I told you so.' If you do, anyone with a different implementation
can't verify a signature -- you're the only one who does. I see a lot
of bother for you and not much benefit. There are much better things
for you to spend your time on."
I then hear in my head, "So why didn't you remove them from 2440+ when
you had the chance? If they're such a pain that no one does them, why
are they there at all?"
I don't have a good answer to that question. I say remove them, myself.
Jon