> So just because other attacks are possible we should weaken the crypto
> we use? You may feel comfortable weakening crypto used to protect a few
> billion dollars of other people's money, but I don't.
No...
I'm saying we can eliminate one somewhat unlikely attack (that there is a bug in the code or test cases, today or some future version, that has to decide what to do with "version 0" versus "version 1" witness programs) by accepting the risk of another insanely, extremely unlikely attack.
My proposal would be to just do a version 0 witness program now, that is RIPEMD160(SHA256(script)).
And ten or twenty years from now, if there is a plausible attack on RIPEMD160 and/or SHA256, revisit and do a version 11 (or whatever).
It will simplify the BIP, means half as many test cases have to be written, means a little more scalability, and is as secure as the P2SH and P2PKH everybody is using to secure their bitcoin today.
Tell you what: I'll change my mind if anybody can describe a plausible attack if we were using MD5(SHA256), given what we know about how MD5 is broken.
---
I'm really disappointed with the "Here's the spec, take it or leave it" attitude. What's the point of having a BIP process if the discussion just comes down to "We think more is better. We don't care what you think."