On Thu, 23 Feb 2017 15:03:34 -0500, "Patrick W. Gilmore" said:

> For instance, someone cannot take Verisign’s root cert and create a cert
> which collides on SHA-1. Or at least we do not think they can. We’ll know 
> in 90
> days when Google releases the code.

>From the announce:

"It is now practically possible to craft two colliding PDF files and obtain a
SHA-1 digital signature on the first PDF file which can also be abused as a
valid signature on the second PDF file."

So they're able to craft two objects that collide to the same unpredictable
hash, but *not* produce an object that collides to a pre-specified hash.

Attachment: pgpnNFrBlLfFP.pgp
Description: PGP signature

Reply via email to