- Enhancement
- Resolution: Won't Fix
- P3
- 7
- generic
- generic
MD5 is no longer acceptable where collision resistance is required, such as digital signatures. However, because MD5 is still used widely in the industry, we cannot disable MD5 algorithms by default in Java releases. For the same reason, we cannot disable RSA keys whose key size is less than 1024, or SHA-1 signatures, by default.
Applications can control these weak algorithms and keys with AlgorithmConstraints. However, it may be necessary to provide a uniform and simple solution to simplify the control. We may define security levels. In the basic level, we support not-default-disabled algorithms and keys (/key sizes); in the lower level, we support any algorithms and keys; in the higher level, we only support strong algorithms and keys (RSA keysize >= 2048, etc.) and other policies (such as EV cert). Users can customize each level with algorithm constraints.
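A sketch of how the three levels could be expressed with today's AlgorithmConstraints interface, added here as an example and not taken from the JDK or from this issue. The class name LevelConstraints, the Level enum, and the per-level digest lists are hypothetical; the MD2 entry for the basic level and the MD5/SHA-1 entries for the higher level are assumptions, while the RSA >= 2048 threshold comes from the description above.

```java
import java.security.*;
import java.security.interfaces.RSAKey;
import java.util.*;
// Hypothetical level names and thresholds (assumptions), not a JDK API.
public class LevelConstraints implements AlgorithmConstraints {
    public enum Level {
        LOWER(0),                            // any algorithm, any key
        BASIC(0, "MD2"),                     // assumed stand-in for the default-disabled list
        HIGHER(2048, "MD2", "MD5", "SHA1");  // strong only: RSA >= 2048, no weak signature digests
        final int minRsaBits;
        final String[] weakDigests;
        Level(int minRsaBits, String... weakDigests) {
            this.minRsaBits = minRsaBits;
            this.weakDigests = weakDigests;
        }
    }
    private final Level level;
    public LevelConstraints(Level level) { this.level = level; }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters params) {
        // Digest strength is enforced only for signatures, where collision resistance is required.
        if (!primitives.contains(CryptoPrimitive.SIGNATURE)) return true;
        String name = algorithm.toUpperCase(Locale.ROOT).replace("-", "");
        for (String d : level.weakDigests) {
            // The lookahead keeps "SHA1" from matching longer digest names that start with the same digits.
            if (name.matches(".*" + d + "(?!\\d).*")) return false;
        }
        return true;
    }
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        return !(key instanceof RSAKey) || ((RSAKey) key).getModulus().bitLength() >= level.minRsaBits;
    }
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters params) {
        return permits(primitives, algorithm, params) && permits(primitives, key);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);                // constructed sample key, deliberately below 2048 bits
        Key weakKey = gen.generateKeyPair().getPublic();
        Set<CryptoPrimitive> sig = EnumSet.of(CryptoPrimitive.SIGNATURE);
        for (Level l : Level.values()) {
            LevelConstraints c = new LevelConstraints(l);
            System.out.println(l + ": MD5withRSA=" + c.permits(sig, "MD5withRSA", null)
                + " SHA256withRSA=" + c.permits(sig, "SHA256withRSA", null) + " RSA-1024=" + c.permits(sig, weakKey));
        }
    }
}
```

An instance can be handed to JSSE through SSLParameters.setAlgorithmConstraints before the parameters are applied to an SSLSocket or SSLEngine.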