On Thu, 23 Feb 2017 15:03:34 -0500, "Patrick W. Gilmore" said: > For instance, someone cannot take Verisignâs root cert and create a cert > which collides on SHA-1. Or at least we do not think they can. Weâll know > in 90 > days when Google releases the code.
>From the announce: "It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file." So they're able to craft two objects that collide to the same unpredictable hash, but *not* produce an object that collides to a pre-specified hash.
pgpnNFrBlLfFP.pgp
Description: PGP signature
