This is a discovered flaw that attacks the certification process even for SSL, and now that researchers showed the exploit is possible Verisign is changing how it generates hashes:
http://www.freedom-to-tinker.com/blog/felten/researchers-show-how-forge-site-certificates

Just an update on the confirmation:
http://www.mobile-tech-today.com/story.xhtml?story_id=00200072W9EQ