I'm in Gaithersburg, MD, at the Cryptographic Hash Workshop hosted by NIST. I'm impressed by the turnout; a lot of the right people are here.
Xiaoyun Wang, the cryptographer who broke SHA-1, spoke about her latest results. They are the same results Adi Shamir presented in her name at Crypto this year: a time complexity of 2^64.
(I first wrote about Wang's results here, and discussed their implications here. I wrote about results from Crypto here. Here are her two papers from Crypto: "Efficient Collision Search Attacks on SHA-0" and "Finding Collisions in the Full SHA-1.")
Steve Bellovin is now talking about the problems associated with upgrading hash functions. He and his coauthor Eric Rescorla looked at S/MIME, TLS, IPsec (and IKE), and DNSSEC. Basically, these protocols can't change algorithms overnight; it has to happen gradually, over the course of years. So the protocols need some secure way to "switch hit": to use both the new and old hash functions during the transition period. This requires some sort of signaling, which the protocols don't do very well. (Bellovin and Rescorla's paper is here.)
(Via Schneier on Security.)