-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adi Shamir has pointed out for years now that no one has found *any*
first or second preimage collision for SHA1. I'll shill for him here.
The new results for 2^52 work, assuming it's actually doable, are
still for migrating a bitstring into two dependent bitstrings that
collide. This has significance for people who run CAs with sequential
serial numbers, or who want to tweak PDFs to project the future, or
create binary distributions that have and do not have malware. It's
serious *for* *those* *and* *similar* *cases*.

It does *not* mean that you can get a collision on an existing
signature, nor on an existing fingerprint, nor on an MDC, etc. We are
still sitting at *zero* first and second preimage collisions.

I think that we should push through the generic fingerprint proposal.
I sorta-kinda picked up the ball on that to work with Derek, but if
there's anyone else who wants it (or who wants to co-author with Derek
and me), I'm happy to have less work to do.

I also think it's completely reasonable for an implementation to back
away from SHA1 with all due speed -- but you're supposed to be doing
that by 2010, anyway!

Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII
wj8DBQFKAH46sTedWZOD3gYRAgw4AKD+McI0GJOGcFXk/n7gmY0PYsKO0ACfa0DQ
zhTAaqwStSUApOg8EoG9Tuk=
=s+6q
-----END PGP SIGNATURE-----
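The distinction the message draws, collision (two attacker-chosen strings) versus first/second preimage (matching an existing digest), as an added worked example that is not part of the original message or the OpenPGP work it refers to. To make both searches finish in well under a second, the hash is SHA-1 truncated to 16 bits (an assumption of this demo; real SHA-1 is 160 bits and the 2^52 figure in the message applies to it, not to this toy). The "signature" is an HMAC over the digest, standing in for a public-key signature; the key, document strings and certificate-serial prefix are constructed. The demo also shows the mitigation the CA remark implies: a signer that inserts unpredictable bytes (a random serial) before hashing breaks a prepared collision pair.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption of this demo: SHA-1 truncated to 16 bits so the searches finish
# quickly. Real SHA-1 is 160 bits; what the demo shows is the *shape* of the
# result: collision cost ~ 2^(n/2) hashes, (second) preimage cost ~ 2^n.
TRUNC_BITS = 16
SPACE = 1 << TRUNC_BITS


def weak_hash(data: bytes) -> int:
    """Top TRUNC_BITS bits of SHA-1(data) (toy hash for the demo)."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - TRUNC_BITS)


def find_collision(prefix: bytes) -> Tuple[bytes, bytes, int]:
    """Birthday search: two attacker-chosen inputs sharing one weak_hash.

    This is the kind of result the message discusses: the attacker picks
    *both* strings. Expected cost is about sqrt(SPACE) hashes.
    Returns (m1, m2, attempts)."""
    seen: Dict[int, bytes] = {}
    attempts = 0
    while True:
        attempts += 1
        m = prefix + b"-" + str(attempts).encode()
        h = weak_hash(m)
        if h in seen:
            return seen[h], m, attempts
        seen[h] = m


def second_preimage_cost(target: int, budget: int) -> Tuple[Optional[bytes], int]:
    """Brute-force search for an input matching an *existing* digest.

    This is what attacking an existing signature or fingerprint requires.
    Expected cost is about SPACE hashes: the square of the collision cost.
    Returns (match or None, attempts)."""
    for attempts in range(1, budget + 1):
        m = b"candidate-" + str(attempts).encode()
        if weak_hash(m) == target:
            return m, attempts
    return None, budget


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for a signature (assumption: HMAC instead of a public-key
    scheme). Like a real signature it covers only the digest of the message."""
    digest = weak_hash(message).to_bytes(4, "big")
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), sig)


def demo() -> dict:
    key = b"signer-key"                          # constructed
    existing_doc = b"already-signed document"     # constructed
    existing_sig = sign(key, existing_doc)

    # 1. Collision: cheap, but both inputs are chosen by the attacker.
    m1, m2, coll_attempts = find_collision(b"cert-serial-000042")

    # 2. A signature obtained on m1 also verifies on m2: the CA scenario,
    #    where the signer sees m1 and the signature is later shown with m2.
    sig_m1 = sign(key, m1)
    transfers = verify(key, m2, sig_m1)

    # 3. The same pair says nothing about a signature that already exists.
    affects_existing = verify(key, existing_doc, sig_m1)

    # 4. Mitigation: the signer inserts bytes the attacker cannot predict
    #    (e.g. a random certificate serial) before hashing; the prepared
    #    pair no longer collides.
    nonce = secrets.token_bytes(8)
    survives = weak_hash(nonce + m1) == weak_hash(nonce + m2)

    # 5. Reaching an existing digest needs a (second) preimage: ~SPACE work.
    pre, pre_attempts = second_preimage_cost(weak_hash(existing_doc), 16 * SPACE)

    return {
        "m1": m1,
        "m2": m2,
        "collision_attempts": coll_attempts,
        "signature_transfers": transfers,
        "affects_existing_signature": affects_existing,
        "collision_survives_random_prefix": survives,
        "preimage_found": pre is not None,
        "preimage_attempts": pre_attempts,
        "existing_sig_still_valid": verify(key, existing_doc, existing_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it, `collision_attempts` lands in the low hundreds while `preimage_attempts` is typically tens of thousands, the square-root gap the message relies on; scaled up to the real function, that is the difference between the 2^52 collision work it cites and the untouched preimage resistance it counts as "zero" results. The random-prefix step is the defensive reading of the CA remark: a collision pair has to be prepared over a fully predictable prefix, so a signer that randomizes the serial (or any other early field) denies the attacker that control.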