...
What changes to defaults do we want or need to make?
See Message Level Security, an old document discussing issues connected to changing defaults related to signing.
What mechanism do we have or want to have for blacklisting or whitelisting algorithms?
Are there algorithms we need to block? Should we enforce minimum key sizes?