
None of these are a reason not to also have a different number that you can publish publicly without giving someone your phone number. You can have your phone number for everyone in your phone book and a one-way derived or random number for everyone else.

> When I first reach out to someone on Signal I know the person I'm reaching out to is the owner of the identifier I used unless their phone carrier is actively compromised when I exchange the first message.

Compromising is in this case rather common in sim swapping and spoofing (you can barely even call it spoofing). Phone numbers are not useful as some sort of continued point of trust. And I doubt Signal uses it like that under the hood.

> What more do people want?

Before you complain about other people maybe you should give other people the courtesy of reading what they wrote first. I have already said what I want, a public id I can publish on for example GitHub without the implications of publishing a phone number. Implications which anyone with a relevant opinion should already understand.



I think you're being hyperbolic about how weak phone numbers are. Yes, you can get sim swapped. But you pretty much know immediately since your phone stops working. We've never even heard of an attack where someone was swapped for days, weeks, or months and didn't know about it. It's an active attack and while it's possible and yes future messages with Signal users are vulnerable while it's happening, it's not a persistent threat. And your contacts will see your safety numbers change and reach out and make sure you're really you. That leaves a problem of somebody reaching out for the first time to contact you while you're actively being simjacked as the only real damage.

But, none of this even matters if you turn on registration lock. Sim swapping attack thwarted.

I've read your request worded in different ways many times and what people keep doing is pointing a finger at phone numbers, yelling "they're insecure", and then pointing at usernames and saying "look, it can be better". Nobody has actually argued how it could be better, just that phones suck. I don't find that a compelling argument, sorry.

Usernames/email are no less susceptible to whatever service you use to register them getting jacked. There is literally zero security difference and emails are easier to spam. Usernames just don't have KYC baggage that phones do in the US. But honestly as Signal has shown time and time again, all that law enforcement can get from Signal is that a given phone number registered with Signal. Because they have impeccable application layer crypto which is what actually matters.

Okay so what if Signal uses a username/password DB and doesn't allow email reset. That removes the 3rd party from the equation and now Signal takes the burden of being the central authority for usernames. And, while possible, it entirely inverts the whole premise of Signal in the first place.

Good news for you, that's not just my argument, it's actually happening. Signal is trying to add support for usernames by forcing everyone to add a pin. It's not clear at all that this pin is now the password to a Signal account that is used to sync your contacts data and profile. That's not a problem in and of itself because it's all theoretically good crypto. The problem is that it isn't good crypto. It's a 4 digit pin for the majority of users. Signal knows this and is in a bind, trying to slip things in that they know would piss off half their users because it's shit security, just in order to make usernames possible. And they're getting called out for it.

Aside: It's not passwords per se that are bad (even though they are because people and UX). It's that Signal is telling everyone "hey add this quick pin" and people don't realize that's actually a password for your whole account and that the whole model is changing underneath them. If you know and set a strong passpin, you're fine.

Anyway, the catcher is this: instead of having to deal with what it means to have passwords and get users up to speed, they developed some technically really cool but batshit insane system to throttle pin attempts so that the burden of trust gets moved from your carrier to Intel and they can wash their hands of how insanely bad a 4 digit pin is in terms of entropy. So you want usernames because you don't trust your carrier? Did you know that would come at the cost of trusting Intel instead? They don't really have a great track record recently...

My entire point is not that people are stupid for asking for usernames or something. It's that they don't come "for free" as everyone seems to think. If you want traditional username/password, then the world changes so that Signal becomes a cloud service you must trust to maintain a new global contacts book of usernames just for use on Signal. Signal didn't like that and that's definitely a problem for all the people who use Signal because they don't have their fingers in that cookie jar. So they punted and are moving the trust point to Intel.

They've been working on this for years.
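An added example, not part of the thread and not Signal's code or protocol: a simplified model of the point above about 4-digit PIN entropy and attempt throttling. `ThrottledVault`, `ITERATIONS` and the sample PIN are assumptions made for illustration; the comparison is between a copied verifier, where the whole PIN space can be tried, and a store that enforces a guess limit and must therefore be trusted to do so.

```python
import hashlib, hmac, math, os

ITERATIONS = 200  # assumption: kept low so the demonstration finishes quickly

def stretch(pin: str, salt: bytes) -> bytes:
    """Derive a verifier from the PIN with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def entropy_bits(alphabet: int, length: int) -> float:
    """Upper bound on the entropy of a uniformly random secret."""
    return length * math.log2(alphabet)

def offline_search(salt: bytes, verifier: bytes, digits: int = 4):
    """Walk the whole PIN space against a copied verifier; nothing limits this."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(stretch(candidate, salt), verifier):
            return candidate, n + 1
    return None, 10 ** digits

class ThrottledVault:
    """Hypothetical guess-limited store: the protection is only as good as
    the party (or hardware) trusted to enforce the counter."""
    def __init__(self, pin: str, secret: bytes, max_attempts: int = 5):
        self.salt = os.urandom(16)
        self.verifier = stretch(pin, self.salt)
        self.secret = secret
        self.remaining = max_attempts

    def recover(self, pin: str):
        if self.remaining <= 0:
            raise PermissionError("locked: guess limit reached")
        if hmac.compare_digest(stretch(pin, self.salt), self.verifier):
            return self.secret
        self.remaining -= 1
        if self.remaining == 0:
            self.secret = None  # destroy the protected value on lockout
        return None

def throttled_success_probability(max_attempts: int, digits: int = 4) -> float:
    """Chance that blind guessing hits a uniformly random PIN before lockout."""
    return min(1.0, max_attempts / 10 ** digits)

if __name__ == "__main__":
    salt = os.urandom(16)
    pin = "4821"  # constructed sample PIN
    print("4-digit PIN entropy (bits):", round(entropy_bits(10, 4), 2))
    print("unthrottled search:", offline_search(salt, stretch(pin, salt)))
    print("throttled, 5 guesses:", throttled_success_probability(5))
```
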



