by tptacek 2552 days ago
This is pretty overwrought. There have been numerous times over the last 15-or-so years where people have quietly had the ability to spoof arbitrary certificates due to PKCS1v15 signature verification bugs – there was just this year an NDSS paper published on a whole new raft of them, and it'll be at Black Hat in August as well.

A fundamental class break that takes down RSA would be a big deal, but not a national emergency; the world is already moving somewhat rapidly towards elliptic curve systems anyways.

1 comments

Spoofing certs is not comparable to breaking RSA. Also, I think for this thought experiment, you should also consider breaking elliptic curve crypto. Neither has been proven hard.

Spoofing certificates was the example given in the parent comment. We use elliptic curves specifically because they are harder, in a specific way (resistance to index calculus), than simple multiplicative group cryptography.

My point is just that nobody is going to kill you for this ability.