[omeid2]

imagine is hardly assuming. But it doesn't have to be exactly 1 year, any attack that takes longer but less than 2x average certificate lifetime with 64bit serial numbers (useless) becomes practical on 63bit serial numbers (useful, for a strange meaning of useful).

[fwip]

Such an attack doesn't exist.

Any such attack would also become feasible with twice the budget.

[omeid2]

> Such an attack doesn't exist.

As far as we know.

> Any such attack would also become feasible with twice the budget.

Assuming that the attack yields to parallel computing and scales linearly with more cpu/cores, because linear programming is bound to current compute capabilities and then theoretical limits like Bremermann's limit and Margolus–Levitin theorem.

[fwip]

Yeah, assuming these true things.

[omeid2]

Assuming the parallelism of an algorithm that you know nothing about is beyond foolish.

[geofft]

Right, which is why we know things about the algorithm.