I hope there’s more to it than presented here, because this can be summarized as “64 bytes is too weak, so we make it bigger. Solved. The big is too big so we reduce it to 64 bytes. Solved.”

The strong certificate is not part of the end check, but proven via merkle tree reference. At the end of the day the end user check is only verifying 64 bytes of proof.

So it is kinda pointless? Can I attack the merkle tree reference to claim the strong certificate is used when it is not?

What am I missing?