by hinkley 472 days ago
MD-5 died the same way. We had to scare people into investing into upgrading to SHA-1 by showing them the slope of hardware and the variability in new breakthroughs and asking if they'd rather have an emergency that lasted for over a month or work it into the schedule among the other requirements now.

Yes, people can upgrade but nobody fucking will until you impress upon them how stupid they're being by gambling the entire company on carrying that debt for another year.

1 comments

Only those who can change. I work in embedded systems - we still have to talk to machines that were built with exportable encryption in the '90s (read: if it isn't broken, that is only because nobody who has a clue has bothered to try). They can't be upgraded anymore, so I have to keep those algorithms building just in case someone wants to mix new with old. (Fortunately the old machines are never internet connected, so vulnerability requires local access - but the vulnerability is in safety-critical functions, so I don't rest too easy.)
I use the SHA-1 example in part because that was the newest hash that a bunch of smart cards someone wanted to try to use with our system supported.

Of course the max RSA key lengths on the card weren't up to it anyway (kids: if you buy crypto hardware and don't use it immediately, don't warehouse it looking for a problem for your solution), but at least I got to put my foot down and we only shipped with SHA-1 and SHA-2 support.