James Couzens writes:
I had thought it a bit strange that someone writing so comprehensively
about something related to digital signatures and to then make the
statement as you did at the end of the paragraph I quoted. Did you have
some other intended meaning, such as broken by draft explicit
prohibition or otherwise declared deprecated in a future draft?
Yes, sorry, my language was not as precise as it might have been.
I said we should be ready in case SHA-1 were broken, but as you note
it has been officially "broken" for over a year. However that is just
a theoretical break and no actual examples of SHA-1 message collisions
have yet been published. So at this point SHA-1 is in a bit of a limbo
state, theoretically broken but still in widespread use.
If the attack should get worse so that SHA-1 collisions could be found
in a practical amount of time, then we would have a much more urgent
need to switch to another hash. That is what I really meant when I
said we should be ready if SHA-1 should be broken.
Hal Finney