Description
MD5 is very broken, which is why we don't implement support for verifying certificates that use the RSA-MD5 (MD5WithRSA) signature algorithm. We do still support signing new certificates with RSA-MD5 though, which is not ideal as it introduces some inconsistency around how we handle certificates (i.e. see https://go-review.googlesource.com/c/go/+/264019).
Presumably we still provide support because at some point in the past there were still some users of RSA-MD5 certificates, and we're only allowing them to create broken certificates rather than verifying them (and thus relying on them). Unless there are still significant use cases I'd suggest we just completely axe support for this broken signature algorithm, reducing our support burden, and hopefully further dissuading anyone from making a serious mistake in their choice of algorithms.