
That comment wasn't directed at any single individual. There's just been a lot of "I imagine you can just type in a username and that would all work, QED. Duh." type of comments across the board, hence my broad statement.

I agree Signal could add email addresses specifically, if verified and it wouldn't affect the threat model outside of introducing the network to more spam-able identifiers. Like I've said, if they figured out how to do that without degrading the quality of the experience today I doubt I'd be up in arms. I'm working on adding more email addresses to my contacts book, slowly. It probably makes more sense today than it did when Signal was born.

It's not about what Signal can and can't do, though. Signal needed a readily available offline locally owned and operated contacts book to make their product vision work. So they used the one everyone has on their phone and it worked. They upgraded the security of everyone sending sms and mms. I think there's a way to celebrate that while asking for email address support without getting into the realm of "zomg Signal sux because they use gross phone numbers what idiots would design a system like that what a fucking mess of a royal debacle attn. whistle blowers and abortion seekers: signal is not for you". That type of response is what I'm railing against by simply reminding people that Signal is a successful product that does indeed work as advertised and that it doesn't exist in a vacuum.




I've been reading up on the state of things. So Signal actually is working to remove the phone number requirement: https://twitter.com/moxie/status/1281353114063257600?s=20&t=...

They've been working on it for years. Their solution is that they have to take client-side ownership of your contacts list, keep it associated with your "account" and sync it across your devices so that when you correspond with someone by username, it becomes available to you everywhere. They have to be your contact book. I can find nothing on how they plan to verify usernames, perhaps in the traditional style with email.

So yeah, absolutely not some trivial change that they just don't want to do because fuck the few people that don't have a phone number (or don't want to use it). They're working toward supporting usernames and at every turn keep getting reamed by HN because, in their effort to solve a problem that only exists on HN, they have to deploy a solution that means you have to trust them in a teeny tiny way you didn't previously IF you set a weak pin on your account. It's mind boggling. It must be so disheartening to see that type of response.

But, that's my point. Signal can't add short names without changing the fundamental trust model which appealed to everybody initially. No amount of hiding a password as a pin, will change that. I really hope they don't kill their product along the way...

(Also man WTF they're running Raft on SGX enclaves just so they can rate limit attempts to brute force users' weak pins. While super cool, technically, what an incredible waste of resources just to try and make weak passwords okay. Probably the most backwards thing I've seen a security company attempt like ever. Just tell your users if they want a username they need a strong password. Or just generate the entropy for them and only allow the username option to people who also want to take custody of their new 32-bytes of entropy and have a signal-managed synced contact book.)


> Just tell your users if they want a username they need a strong password.

If their goal is to shift responsibility to the user, that solution works. If their goal is to provide secure communications to the general public, that solution doesn't work. As you probably know, strong passwords are widely recognized as a failed security technology for the general public.

Also, what happens when the user forgets their strong password? Data loss is not an acceptable outcome for general end users whose priority usually is not ultimate security, but usability. Thus (as I understand it) Signal allows weak passwords ('PINs') that stay with the client, and adds 'invisible' entropy which is backed up to server-side SGX (because the user doesn't know the entropy, it must be backed up off-phone in case the phone is lost). It's a great, no-tradeoff solution IMHO: If SGX is compromised, the user is no worse off than if the supplemental entropy didn't exist at all - they have their (weak) password. If you don't want to depend on the 'supplemental entropy', use a strong password and then Signal's entropy and SGX security become irrelevant.

> Or just generate the entropy for them and only allow the username option to people who also want to take custody of their new 32-bytes of entropy and have a signal-managed synced contact book.

AFAICT, Signal is not interested in implementing features that are valuable only to geeks and that everyone else ignores, and those kinds of features don't seem to fit their mission.
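An added illustration of the scheme the comment above describes (a weak PIN combined with server-held entropy behind a guess limit); it is not part of the thread and not Signal's code. `GuessLimitedStore`, the five-guess limit, the PBKDF2 parameters and all function names are assumptions made for this example, and the enclave is modelled as a plain in-memory object.

```python
import hashlib, hmac, secrets

MAX_GUESSES = 5          # assumed guess limit, constructed for this example
PBKDF2_ROUNDS = 100_000  # assumed stretching cost

def stretch_pin(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the PIN client-side; split into (auth token, key material)."""
    out = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return out[:32], out[32:]

class GuessLimitedStore:
    """Hypothetical stand-in for the server-side store: keeps a random
    32-byte secret per user and releases it only for the right auth token."""

    def __init__(self):
        self._records = {}  # user -> [auth_token, secret, guesses_left]

    def enroll(self, user: str, auth_token: bytes) -> bytes:
        secret = secrets.token_bytes(32)  # entropy the user never sees
        self._records[user] = [auth_token, secret, MAX_GUESSES]
        return secret

    def recover(self, user: str, auth_token: bytes):
        rec = self._records.get(user)
        if rec is None or rec[2] <= 0:
            return None                   # unknown user or locked out
        if hmac.compare_digest(rec[0], auth_token):
            rec[2] = MAX_GUESSES          # success resets the counter
            return rec[1]
        rec[2] -= 1
        if rec[2] == 0:
            rec[1] = b""                  # wipe the secret on lockout
        return None

def master_key(pin: str, salt: bytes, server_secret: bytes) -> bytes:
    """Final key mixes the stretched PIN with the server-held entropy."""
    _, key_material = stretch_pin(pin, salt)
    return hmac.new(server_secret, key_material, hashlib.sha256).digest()

def enroll_user(store, user, pin, salt):
    token, _ = stretch_pin(pin, salt)
    return master_key(pin, salt, store.enroll(user, token))

def recover_key(store, user, pin, salt):
    token, _ = stretch_pin(pin, salt)
    secret = store.recover(user, token)
    return master_key(pin, salt, secret) if secret else None
```

The guess counter is what makes a four-digit PIN tolerable here: without the store's limit, the 10,000 possible PINs could be tried directly against the auth token.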


I agree almost completely. It's just that my guess is that nobody actually cares about usernames either, just the few people who can't use a phone for <reasons>. So I'm thinking they're already kinda in the realm of building out this feature for nobody which is why I was suggesting something more wallet-like like generating 32 bytes of entropy and showing users the mnemonic representation and telling them not to lose it (which is familiar, despite being a terrible UX, at least). Perhaps I'm underestimating how many people actually would use a username instead of their phone number in which case I think you're 100% spot on.


> in their effort to solve a problem that only exists on HN

I don't understand why your takeaway from the fact that they're implementing it is that the people saying they want or need it are irrational and only exist on hn instead of "hmm, maybe I'm wrong and this is a legitimate feature request".

Anyways, let me assure you that the people who get "reamed" are in fact anyone who even casually mentions they want this feature who get a bunch of very dedicated people telling them how utterly wrong they are, no one should ever want that and anyways it's impossible actually.

Trust me.


I'd consider the way you're asking for the feature. There was definitely an air of "this is such a simple feature why can't I just have it it should be no trouble for everyone involved it's just a username". I think if people asking for this feature were to spitball through it and acknowledge the tradeoffs rather than incessantly repeat how uncompromising they are in their need for usernames and their need for Signal to have them yesterday, the conversation wouldn't seem so volatile. I actually wasn't trying to dive in and sling mud. I see this conversation all the time on HN and, coming across it again, wanted to suggest that maybe another product with usernames would work better for these people since literally every time Signal comes up on HN the peanut gallery shoots off with tired smears and entitled quips about how Signal uses phone numbers.

The strong response you encounter is people trying to communicate that it isn't that simple for them. That it means enough of a shift in Signal's model that they're really worried about the change to the product if Signal implemented it, not least because it changes the very thing that drew them to the product in the first place. And unfortunately, it seems the worries are not unfounded. I genuinely don't think many of the people asking for usernames would want them if the proposition was clear: "you can have them but you have to trust us with your contacts book and personal information". It's the catch22: in order to have the privacy of a username, you must give up the privacy you'd win. For some people, they trust Signal with that responsibility more than their carrier (like a VPN) and it's a good tradeoff.

Me? What was compelling about Signal is that it was my contacts book and encrypted communication. No accounts/profiles, no passwords, no proprietary software, no invasive product analytics, just a global DB associating phone numbers with pubkeys. That was my pipe dream but I also acknowledge I'm not the center of the world either: in the same way you begrudgingly use Signal with a phone number, it's also not the end of the world for me if we have yet another company out there where I need to maintain a profile and stick a password in my password manager and login periodically. But sadly, if Signal gets to that point, it ultimately means the "Signal experiment" portion of the product's life will have come to an end. <- This, more than anything else, is why the suggestions to go use one of the products that already provide the experience you're looking for are apropos and not dismissive. We don't want the experiment to end. The entire point of championing Signal in the first place was the idea that we could collectively participate in a product that didn't do what everyone else on the internet did and send off all your data to their servers the minute you opened their app.



