* Joe Greco:
It seems that part of the proposed solution is to get people to move from MD5-signed to SHA1-signed. There will be a certain amount of resistance. What I was suggesting was the use of the revocation mechanism as part of the "stick" (think carrot-and-stick) in a campaign to replace MD5-based certs. If there is a credible threat to MD5-signed certs, then forcing their retirement would seem to be a reasonable reaction, but everyone here knows how successful "voluntary" conversion strategies typically are.
A CA statement that they won't issue MD5-signed certificates in the future should be sufficient. There's no need to reissue old certificates, unless the CA thinks other customers have attacked it.
Either we take the potential for transparent MitM attacks seriously, or we do not. I'm sure the NSA would prefer "not." :-)
I doubt the NSA is interested in MITM attacks which can be spotted by comparing key material. 8-)