CertificateTransparency

Limit the certificate signature algorithms that logs are permitted to accept

Open robstradling opened this issue 7 years ago • 0 comments

RFC6962 notes that "In order to avoid logs being spammed into uselessness, it is required that each chain is rooted in a known CA certificate." If a log accepts certificates that are signed with weak signature algorithms (e.g., md2WithRSAEncryption, md5WithRSAEncryption), there may be a risk that an attacker could mint fake certificates (where the hash of the TBSCertificate matches that of an existing certificate) at a rate that's fast enough to spam the log into uselessness.

This issue could be mitigated by policy, perhaps by requiring logs to...

  • not accept certificates signed using certain (weak) signature algorithms (i.e., blacklist), or
  • only accept certificates signed using certain (non-weak) signature algorithms (i.e., whitelist), or
  • implement rate limiting for certain (weak) signature algorithms.

robstradling, Feb 02 '18 23:02
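The three mitigations above, as an added worked example that is not part of the issue and not code from the certificate-transparency project: a small Go policy gate of the kind a log front end could run on each submitted chain. The names (`Policy`, `Decide`, `CheckChain`, `tokenBucket`, `examplePolicy`, `testChain`) and the thresholds in `examplePolicy` are illustrative assumptions, not a proposal. `Denied` is the blac klist option, `Allowed` the whitelist option, and every other algorithm draws on a shared token bucket, which is the rate-limiting option. `CheckChain` deliberately skips the final element of the chain, taken to be the log's trusted root, since a self-signature proves nothing about who minted the certificate. The algorithm is read from Go's `x509.ParseCertificate`, which already refuses certificates whose inner (signed) and outer signature algorithm identifiers disagree, so the value policed here is the one the signature actually covers. `testChain` builds a constructed root and leaf at runtime so the block runs offline; note that Go's `x509.CreateCertificate` refuses to sign with MD5 at all, so the MD5 case can only be exercised through `Decide` directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrDenied = errors.New("signature algorithm is denylisted by log policy")
var ErrRateLimited = errors.New("rate budget for weak signature algorithms exhausted")

// tokenBucket admits up to burst submissions at once and restores one token per
// interval; the clock is injectable so the refill can be tested deterministically.
type tokenBucket struct {
	tokens, burst int
	every         time.Duration
	last          time.Time
	now           func() time.Time
}

func (b *tokenBucket) take() bool {
	if n := int(b.now().Sub(b.last) / b.every); n > 0 { // whole intervals since last refill
		b.last = b.last.Add(time.Duration(n) * b.every)
		if b.tokens += n; b.tokens > b.burst {
			b.tokens = b.burst
		}
	}
	if b.tokens == 0 {
		return false
	}
	b.tokens--
	return true
}

// Policy holds the three options from the issue: Denied algorithms are refused
// outright, Allowed ones pass freely, and everything else shares one rate budget.
type Policy struct {
	Denied, Allowed map[x509.SignatureAlgorithm]bool
	weak            *tokenBucket
}

// Decide applies the policy to a single certificate's signature algorithm.
func (p *Policy) Decide(alg x509.SignatureAlgorithm) error {
	switch {
	case p.Denied[alg]:
		return fmt.Errorf("%w: %v", ErrDenied, alg)
	case p.Allowed[alg]:
		return nil
	case !p.weak.take():
		return fmt.Errorf("%w: %v", ErrRateLimited, alg)
	}
	return nil
}

// CheckChain polices the leaf and every intermediate. The last element is taken to
// be the log's trusted root (RFC 6962's "known CA certificate"); its self-signature
// proves nothing, so it is not checked.
func (p *Policy) CheckChain(chain [][]byte) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, err := x509.ParseCertificate(chain[i])
		if err == nil {
			err = p.Decide(cert.SignatureAlgorithm)
		}
		if err != nil {
			return fmt.Errorf("chain[%d]: %w", i, err)
		}
	}
	return nil
}

// examplePolicy (illustrative thresholds, not a proposal): MD2/MD5 and anything
// unrecognised refused; SHA-2 and Ed25519 accepted freely; everything else (in
// practice SHA-1) limited to 2 at once and then one per minute.
func examplePolicy(now func() time.Time) *Policy {
	return &Policy{
		Denied:  map[x509.SignatureAlgorithm]bool{x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.UnknownSignatureAlgorithm: true},
		Allowed: map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true, x509.ECDSAWithSHA256: true, x509.PureEd25519: true},
		weak:    &tokenBucket{tokens: 2, burst: 2, every: time.Minute, last: now(), now: now},
	}
}

// testChain is constructed input: a self-signed ECDSA root and a leaf it signs
// with leafAlg (0 selects Go's default for the key, ECDSAWithSHA256).
func testChain(leafAlg x509.SignatureAlgorithm) [][]byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: leafAlg}
	sign := func(tmpl *x509.Certificate) []byte {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, key)
		if err != nil {
			panic(err) // e.g. Go refuses MD5WithRSA here outright
		}
		return der
	}
	return [][]byte{sign(leaf), sign(root)}
}
```

Driving it from a test or a `main` of your own: `examplePolicy(time.Now).CheckChain(testChain(x509.ECDSAWithSHA1))` succeeds twice and then returns an error wrapping `ErrRateLimited` until a minute has passed, while `Decide(x509.MD5WithRSA)` returns an error wrapping `ErrDenied` regardless of timing. A production log would key the bucket per submitter as well as per algorithm; one shared budget, as here, is the simplest form of the issue's third option.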