Another possibility is to say that the ESSCertid hash should use the hash function used for signing the authenticated attributes.