
Re: I don't think that collides the way you think it does

2009-05-08 17:13:44

* Jon Callas:

The new results for 2^52 work, assuming it's actually doable, are
still for migrating a bitstring into two dependent bitstrings that
collide. This has significance for people who run CAs with sequential
serial numbers, or who want to tweak PDFs to project the future, or
create binary distributions that have and do not have malware. It's
serious *for* *those* *and* *similar* *cases*.

Unfortunately, signing someone else's key and user ID is a similar
case.  You don't know what you're being asked to sign, and you haven't
created the document yourself.  And a photo ID gives you many bits to
play with.

In the abstract, you do not actually need collision resistance (and
totally keyless hashes) for OpenPGP-like protocols, but current
practice is certainly different.  IMHO, an eventual OpenPGP successor
should prepend salts/IVs in front of signatures.  Of course, this
might be used as a relatively high-bandwidth covert channel, but it
means that the hash function will likely last somewhat longer.
