Disclaimer: I'm not a cryptographer, just an interested reader who may
understand things incorrectly.
The statement "Even with the easier-to-exploit MD5 collision problem,
[...] the closest anyone has come is to generate two keys that can be
used to create the same signature; an attack with little practical
value." seems to be dangerously wrong: This attack has been successfully
exploited in a place where it could do maximum damage to everyone still
using MD5: http://www.win.tue.nl/hashclash/rogue-ca/ ("MD5 considered harmful today - Creating a rogue CA certificate")
So with the recent breakthrough on SHA-1 attacks and things like OpenCL
allowing highly parallel computations on $200 graphics GPUs: Isn't the
same attack doable with SHA-1 now?