Closer to tens of thousands, if you use other “keyring bonsai” metrics (such as maintaining a PGP key). Signal’s intended userbase is O(humanity).
The complexity here is in crossing domains: Signal will need to decide how to communicate which “kind” of identity a user has, what that means, etc. They’ll need to decide whether to use random-but-intelligible identifiers (easy to make errors with) or allow people to configure identities (which means storing more personal data, plus impersonation risks). And so forth.
> Closer to tens of thousands, if you use other “keyring bonsai” metrics
I'm talking about users that have the understanding and desire/need to disconnect their Signal identity from their phone number. That's hundreds of thousands, minimum, if not millions.
> Signal’s intended userbase is O(humanity).
This doesn't obviously interfere with Signal's ability to create Good privacy mechanisms, e.g. disassociation between identity and phone number.
> The complexity here is in crossing domains: Signal will need to decide how to communicate which “kind” of identity a user has, what that means, etc. They’ll need to decide whether to use random-but-intelligible identifiers (easy to make errors with) or allow people to configure identities (which means storing more personal data, plus impersonation risks)
None of these obviously "substantially complicates Signal’s design" as you claimed earlier.
> communicate which “kind” of identity a user has
Tell the user that other users either have a "phone number" identity or a "certificate" identity. Done. They're already responsible for verifying that the phone number matches the person they think it does.
> what that means
Tell users that a "certificate identity" just means that that person isn't using a phone number. And they need to be extremely careful when interacting with people using these, and absolutely should verify them using a secure channel. Or just disable these entirely until the user taps the "about signal" button in the settings menu 7 times or something.
I don't see any problems here that can't be overcome with a very modest amount of engineering. And, because it's the right thing, they should invest that effort.
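To make the design the reply sketches concrete, here is an added example (not Signal's code and not written by either commenter): a minimal contact model with the two identity kinds named above, a human-comparable fingerprint derived from the contact's long-term key (illustrating the "random-but-intelligible identifier" idea), and a policy that hides certificate identities until an advanced toggle is on and warns about them until they are verified out of band. The fingerprint construction (iterated SHA-512 with a fixed domain separator, rendered as groups of five digits) is an assumption for illustration only, not Signal's safety-number algorithm; the key bytes and contacts are constructed sample data.

```python
"""Added illustration of a two-kind identity model with verification gating.
Not Signal's code; the fingerprint scheme is a constructed placeholder."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum, auto


class IdentityKind(Enum):
    PHONE_NUMBER = auto()   # identity anchored to a verified phone number
    CERTIFICATE = auto()    # identity anchored only to a long-term public key


@dataclass(frozen=True)
class ContactIdentity:
    kind: IdentityKind
    identity_key: bytes                 # long-term public key bytes (constructed)
    phone_number: str | None = None
    verified_out_of_band: bool = False  # user compared fingerprints over a secure channel

    def __post_init__(self) -> None:
        # A phone-number identity without a number is a data error, not a contact.
        if self.kind is IdentityKind.PHONE_NUMBER and not self.phone_number:
            raise ValueError("phone-number identity requires a phone number")


def fingerprint(identity_key: bytes, iterations: int = 5200, digits: int = 30) -> str:
    """Derive a human-comparable decimal fingerprint from a public key.

    Assumption: iterated SHA-512 over a domain-separated input, with each
    5-byte slice reduced to five decimal digits. Iterating makes brute-forcing
    a key with a chosen fingerprint prefix more expensive. Illustrative only.
    """
    if digits % 5 != 0 or digits > 60:
        raise ValueError("digits must be a multiple of 5 and at most 60")
    h = b"\x00fingerprint-v1" + identity_key
    for _ in range(iterations):
        h = hashlib.sha512(h + identity_key).digest()
    groups = []
    for i in range(digits // 5):
        chunk = int.from_bytes(h[5 * i:5 * i + 5], "big") % 100_000
        groups.append(f"{chunk:05d}")
    return " ".join(groups)


class Decision(Enum):
    ALLOW = auto()
    ALLOW_WITH_WARNING = auto()  # show the "verify over a secure channel" banner
    BLOCK = auto()               # feature hidden until the advanced toggle is on


def messaging_policy(contact: ContactIdentity, advanced_mode: bool) -> Decision:
    """Gate certificate identities as the reply proposes: hidden by default,
    warned about until verified, while phone-number contacts behave as today."""
    if contact.kind is IdentityKind.PHONE_NUMBER:
        return Decision.ALLOW
    if not advanced_mode:
        return Decision.BLOCK
    if contact.verified_out_of_band:
        return Decision.ALLOW
    return Decision.ALLOW_WITH_WARNING


def describe(contact: ContactIdentity) -> str:
    """Text a client could show for the contact's identity kind."""
    if contact.kind is IdentityKind.PHONE_NUMBER:
        return f"phone number identity ({contact.phone_number})"
    return f"certificate identity, fingerprint {fingerprint(contact.identity_key)}"


if __name__ == "__main__":
    # Constructed sample contacts; the key bytes are placeholders, not real keys.
    alice = ContactIdentity(IdentityKind.PHONE_NUMBER, b"\x01" * 32, "+15550100")
    bob = ContactIdentity(IdentityKind.CERTIFICATE, b"\x02" * 32)
    carol = ContactIdentity(IdentityKind.CERTIFICATE, b"\x03" * 32, verified_out_of_band=True)
    for c in (alice, bob, carol):
        for advanced in (False, True):
            print(f"{describe(c)} | advanced={advanced} -> {messaging_policy(c, advanced).name}")
```

The point of the policy table is that the only new decision surface is for certificate identities; phone-number contacts keep their existing verification story, which is why the reply argues the added engineering is modest.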