Not a security expert here but it seem like akamai should also be required to use a root CA that does not use md5 for it's encryption. It am under the impression that md5 based encryption has been broken since 2008: http://www.win.tue.nl/hashclash/rogue-ca/#sec71

MD5 is not an encryption algorithm. It is a hashing algorithm. You're right though, it is broken.

The authentication is based on encrypting said hash, so I would say that md5-based is good enough as a description.

Regarding "All software downloads should be provided only over HTTPS", this is very expensive to provide, but is allowing users to compare a checksum an equally secure option?

By expensive you mean in CPU cycles, right? Isn't it becoming less expensive all the time thanks to Moore's Law? Is it really all that expensive these days? (I'm really asking because I don't know, this isn't rethorical.)

Yes, CPU cycles is the most expensive. Great discussion here on Stackoverflow:

http://stackoverflow.com/questions/149274/http-vs-https-perf...

Could this be mitigated by using some form of hardware accelration on servers?

What's to stop someone in the middle changing the checksum on the page?

The download page could still be served via HTTPS, even if the download itself isn't.

The checksum is normally gpg signed.