Limit the certificate signature algorithms that logs are permitted to accept #13

@robstradling

RFC6962 notes that "In order to avoid logs being spammed into uselessness, it is required that each chain is rooted in a known CA certificate." If a log accepts certificates that are signed with weak signature algorithms (e.g., md2WithRSAEncryption, md5WithRSAEncryption), there may be a risk that an attacker could mint fake certificates (where the hash of the TBSCertificate matches that of an existing certificate) at a rate that's fast enough to spam the log into uselessness.

This issue could be mitigated by policy, perhaps by requiring logs to...

  • not accept certificates signed using certain (weak) signature algorithms (i.e., blacklist).
    or
  • only accept certificates signed using certain (non-weak) signature algorithms (i.e., whitelist).
    or
  • implement rate limiting for certain (weak) signature algorithms.
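
A sketch of how a log front end could enforce the options listed above, combining an allow list, default deny and a rate limit. This is an added example, not code from the issue, from RFC 6962 or from any log implementation. `Policy`, `Check` and `SamplePolicy` are hypothetical names, and which algorithm lands in which bucket (SHA-1 rate-limited, MD2 and MD5 rejected by default) is an assumption.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// Policy (hypothetical): allow list, shared budget for weak algorithms, default deny.
type Policy struct {
	Allowed, Limited map[x509.SignatureAlgorithm]bool
	Budget           int // chains using a Limited algorithm accepted per Window
	Window           time.Duration
	start            time.Time
	used             int
}

// Check takes the submitted chain without the log's trusted root (an assumption).
func (p *Policy) Check(chain []*x509.Certificate, now time.Time) string {
	if len(chain) == 0 {
		return "reject"
	}
	if now.Sub(p.start) >= p.Window {
		p.start, p.used = now, 0 // start a new rate-limit window
	}
	weak := false
	for _, c := range chain {
		switch alg := c.SignatureAlgorithm; {
		case p.Limited[alg]:
			weak = true
		case !p.Allowed[alg]:
			return "reject" // neither allowed nor limited: default deny
		}
	}
	if weak {
		if p.used >= p.Budget {
			return "throttle" // this window's budget for weak algorithms is spent
		}
		p.used++
	}
	return "accept"
}

// SamplePolicy and the chain in main are constructed; the buckets are assumptions.
func SamplePolicy() *Policy {
	strong := map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true, x509.ECDSAWithSHA256: true}
	return &Policy{Allowed: strong, Limited: map[x509.SignatureAlgorithm]bool{x509.SHA1WithRSA: true}, Budget: 2, Window: time.Minute}
}

func main() { fmt.Println(SamplePolicy().Check([]*x509.Certificate{{SignatureAlgorithm: x509.MD5WithRSA}}, time.Unix(0, 0))) }
```

The check covers every certificate in the submitted chain, so one weakly signed intermediate is enough to reject or throttle the submission.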
