Use RSA-PSS and RSA-OAEP for v5 PKESKs and signatures
Currently, RSA keys in OpenPGP use PKCS #1 (closed) padding. If implemented incorrectly, PKCS #1 (closed) signatures are vulnerable to the Bleichenbacher oracle attack. This attack is well known and many cryptographic implementations, despite their best efforts, have been vulnerable to it, sometimes multiple times.
The proposal is, when using v5 signatures with RSA, to use RSA-PSS with MGF1, using the digest in the signature for both PSS and MGF1, and that when creating a v5 PKESK, that we use RSA-OAEP with SHA-256. SHA-256 is the must-implement algorithm, so it is a logical choice and avoids us needing to implement a parameter for this option.
RSA-PSS is mandatory in TLS 1.3, and both RSA-PSS and RSA-OAEP are already part of S/MIME.
I've verified that OpenSSL, libgcrypt, the Go crypto code, and RustCrypto all implement both algorithms, and Nettle implements RSA-PSS already. I think, therefore, that most implementers will have a wide variety of secure and interoperable implementations that they could choose from and the burden of implementation would be low.