"You bust my chops (at least write very defensively/derisively), but write a new blog entry agreeing with my comments?!?"

1. You might notice, if you read closely, that the article to which you linked was posted a day before your first comment here -- and it was written even before that. I'm not writing posts to agree with you; your characterization of events is misleading.

2. You didn't just comment on a collision weakness in the MD5 algorithm. You said I should rethink my recommendation of MD5. I never made a specific recommendation that people should use MD5 -- I just explained how it's used, mentioned the fact it isn't as strong as some other algorithms, and explained why it's not a big problem to use it for verifying downloads.

3. Speaking of why it's not a problem: Because the collision weakness is not a preimage weakness, the only way it's a problem for software download verification is if the person providing the download is untrustworthy. If that person is untrustworthy, you're screwed anyway -- so it's an entirely superfluous weakness in that respect. Even then, it would be extremely difficult for the person providing the download to come up with two working pieces of software, one innocuous and one malicious, that match the same MD5 hash.

4. The newer article to which you linked is about password hashes, not download verification hashes. The security landscape is somewhat different there, thus justifying giving a crap about the collision weakness in that context. I even explained that in some detail in that article.

5. I actually quoted (and linked to) that article in my first response to you, elaborating upon the difference between the MD5 dangers to passwords and the effective lack of danger for software download verification in the common case. You seem to have ignored that, however, and didn't bother to check the material until that same article appeared in your inbox in a TR newsletter (the URL you provided, ending in "&tag=nl.e036", indicates how you got to the article). Additionally, when I quoted that article you decided that it somehow "didn't count" -- even though I was just using it to elucidate a point -- because it wasn't from the same article as the one to which you responded. Somehow, though, it's okay for you to quote from my other articles -- from the same article, even. What's up with that?

6. I didn't write "defensively". I pointed out all the problems with your statements, starting with the one that suggested that I "recommended" MD5 over other algorithms.

7. Even if I did write "defensively", it's not entirely unwarranted considering the accusation implicit in the title of your first post in this discussion.

edit: added some quotes