RFC6962 notes that "In order to avoid logs being spammed into uselessness, it is required that each chain is rooted in a known CA certificate." If a log accepts certificates that are signed with weak signature algorithms (e.g., md2WithRSAEncryption, md5WithRSAEncryption), there may be a risk that an attacker could mint fake certificates (where the hash of the TBSCertificate matches that of an existing certificate) at a rate that's fast enough to spam the log into uselessness.
This issue could be mitigated by policy, perhaps by requiring logs to...
not accept certificates signed using certain (weak) signature algorithms (i.e., blacklist).
or
only accept certificates signed using certain (non-weak) signature algorithms (i.e., whitelist).
or
implement rate limiting for certain (weak) signature algorithms.
RFC6962 notes that "In order to avoid logs being spammed into uselessness, it is required that each chain is rooted in a known CA certificate." If a log accepts certificates that are signed with weak signature algorithms (e.g., md2WithRSAEncryption, md5WithRSAEncryption), there may be a risk that an attacker could mint fake certificates (where the hash of the TBSCertificate matches that of an existing certificate) at a rate that's fast enough to spam the log into uselessness.
This issue could be mitigated by policy, perhaps by requiring logs to...