A number of additional suggestions have been made for how to address this
problem, including:
1) Add a new error code explaining that the cert uses an insecure algorithm
(requires changes to PSM also)
2) also disallow MD2 (easy enough)
3) Since the vulnerability only applies to certs whose serial numbers are
predictable, only apply the limitation to certs whose serial numbers are
"short" (e.g. less than 65 bits), on the grounds that larger serial
numbers are very likely to be random
4) make this rejection of old hash algorithms configurable (e.g. allow it
to be turned on or off)
5) invent a callback API by which applications can supply a function that
decides whether to accept or reject the signature based on the hash algorithm
and any other info it can glean from the certificate.
A number of additional suggestions have been made for how to address this
problem, including:
1) Add a new error code explaining that the cert uses an insecure algorithm
(requires changes to PSM also)
2) also disallow MD2 (easy enough)
3) Since the vulnerability only applies to certs whose serial numbers are
predictable, only apply the limitation to certs whose serial numbers are
"short" (e.g. less than 65 bits), on the grounds that larger serial
numbers are very likely to be random
4) make this rejection of old hash algorithms configurable (e.g. allow it
to be turned on or off)
5) invent a callback API by which applications can supply a function that
decides whether to accept or reject the signature based on the hash algorithm
and any other info it can glean from the certificate.