Ben Laurie writes:
> The hash does include the ID of the hash, and hence the signature does.
Unfortunately, that doesn't protect against the attack. The ID of SHA-1
is 2 and the ID of RIPEMD-160 is 3. If SHA-1 were broken badly enough
it's entirely possible that we could find m1 and m2 such that:
SHA1 (2 || m1) == RIPEMD160 (3 || m2).
The mere fact that you feed the hash algorithm ID into the hash algorithm
doesn't stop you from finding collisions with a different, broken hash.
The situation is different with RSA, where you do:
RSA_Sign (Alg ID || Hash).
Now, it is impossible to get collisions using two different algorithm IDs
because the algorithm ID is outside the hash.
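The two constructions contrasted above, as an added Python example that is not part of the thread: a truncated digest stands in for a hash "broken badly enough" to collide, and sha256 stands in for RIPEMD-160 (an assumption, since hashlib's ripemd160 is missing on some OpenSSL builds). With the ID hashed in, a cross-algorithm collision gives the signature primitive identical input; with the ID outside, the signed bytes differ in their first byte whatever the digests are.

```python
import hashlib

# Algorithm IDs as given in the thread: SHA-1 is 2, RIPEMD-160 is 3.
# Assumption for this demo: sha256 stands in for RIPEMD-160, because
# hashlib's ripemd160 is missing on some OpenSSL builds.
ALGS = {2: "sha1", 3: "sha256"}
TRUNC = 2  # keep only 2 digest bytes: a constructed, badly "broken" hash

def weak_hash(alg_id: int, data: bytes) -> bytes:
    """Truncated real digest, standing in for a hash broken enough to collide."""
    return hashlib.new(ALGS[alg_id], data).digest()[:TRUNC]

def tbs_id_inside(alg_id: int, msg: bytes) -> bytes:
    """Construction criticised in the reply: the ID is hashed together with
    the message, so only the digest reaches the signature primitive."""
    return weak_hash(alg_id, bytes([alg_id]) + msg)

def tbs_id_outside(alg_id: int, msg: bytes) -> bytes:
    """RSA-style construction RSA_Sign(Alg ID || Hash): the ID is outside the hash."""
    return bytes([alg_id]) + weak_hash(alg_id, msg)

def find_cross_alg_collision(table_size: int = 512, max_tries: int = 1 << 20):
    """Find m1, m2 with H_2(2 || m1) == H_3(3 || m2). Cheap here only because
    the digests are truncated; this is what a badly broken hash would permit."""
    table = {}
    for i in range(table_size):
        m1 = b"message A #%d" % i  # constructed sample messages
        table[tbs_id_inside(2, m1)] = m1
    for j in range(max_tries):
        m2 = b"message B #%d" % j
        if (d := tbs_id_inside(3, m2)) in table:
            return table[d], m2
    return None

def compare_constructions():
    """Return (same_input_with_id_inside, same_input_with_id_outside)."""
    pair = find_cross_alg_collision()
    if pair is None:
        raise RuntimeError("no cross-algorithm collision found")
    m1, m2 = pair
    inside_same = tbs_id_inside(2, m1) == tbs_id_inside(3, m2)
    # With the ID outside the hash, byte 0 of the signed data is 2 vs 3
    # regardless of the digests, so the collision buys nothing.
    outside_same = tbs_id_outside(2, m1) == tbs_id_outside(3, m2)
    return inside_same, outside_same

if __name__ == "__main__":
    print(compare_constructions())  # (True, False)
```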