In relation to what (not) happened to a fellow Apache member I stumbled over this post by Martin Smith.

So, if the police want a key to a file, using your private key you can retrieve the symmetric key used for this particular file, and by handing this one-time key over you have satisfied the requirements under RIPA without compromising your main private key and allowing law enforcement to decrypt further messages without your knowledge or sign messages as you.

path: /en/crypto | #

Sam puts the news into perspective and he's certainly right about it. It still takes a lot of effort to attack a SHA-1 digest. But it also means you should be looking for something else if security is a really important issue.

path: /en/crypto | #

via Bruce Schneier.

MD5 is unusable since last August and SHA-1 was recommended as a replacement as hash function for digital signatures. No more.

Update: Eugene Kuleshov provides some pointers to alternatives in the Java world.

path: /en/crypto | #