https://z.cash/technology/history-of-hash-function-attacks.h...
Specifically the section 'When collision attacks do matter' and the referenced write-up at
http://www.win.tue.nl/hashclash/rogue-ca/
But isn't the real lesson here that X.509 is flawed?
Also, as the linked article says:
> The bottom line is that no widely-studied hash function has ever succumbed to a (second-)pre-image attack except for one.
And there are signatures that are provably resistant to collisions, shouldn't we move to such signatures?
I don't think that's the case
It's just much simpler to move to a better hash function.
I don't see how one excludes the other. :P