The whining form vendors (or so it is said in the blogs) about "wish they had been told earlier" has been amusing. Waaah.
And I like this new disclosure model (which turns the existing model upside down, vendors have to sign NDAs instead of the the researchers, brilliant!) end the fact that there is a real exploitation (however limited) prior to a fix which brings the end-user community into the disclosure dance.
However, I can't help but think this was sort of a letdown (and I don't think it is just because crypto puts me to sleep) and I liked this summary from This morning's MD5 attack - resolved
Q: Is Internet security broken?
A: Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.
It bothered me that this was positioned as "critical internet infrastructure" attack/vulnerability/compromise to me which pretty much means routing or nameservice or some other collosal failure in the transport layer or below. Which this was not. Web security completely broken I could buy but Internet security, let alone Critical Internet Infrastructure security.
Hardly is a pretty good summary.