Hi David,

On 4/3/23 12:58 PM, 'David Adrian' via blink-dev wrote:


        Contact emails

[email protected]


        Explainer

None


        Specification

https://www.rfc-editor.org/rfc/rfc9155.html


        Summary

Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported.



        Blink component

Internals>Network>SSL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>


        Motivation

SHA1 has known collisions, and while difficult to exploit in practice, should be avoided. Removing SHA1 support from server signatures removes the ability for a future attacker to exploit some sort of collision in SHA1 to impersonate a server. The use of SHA1 in TLS has already been deprecated by the IETF in RFC 9155. This does not affect client certificates. The decision of whether or not to accept SHA1 in client certificates can be made by server operators who have deployed mTLS.



        Initial public proposal



        Search tags

tls <https://chromestatus.com/features#tags:tls>, ssl <https://chromestatus.com/features#tags:ssl>, sha1 <https://chromestatus.com/features#tags:sha1>


        TAG review



        TAG review status

Not applicable


        Risks



        Interoperability and Compatibility



/Gecko/: No signal

/WebKit/: No signal
Have Gecko or WebKit shipped or considered this already? Are we coordinating with them on this?

/Web developers/: No signals

/Other signals/:


        WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



        Debuggability



        Is this feature fully tested by web-platform-tests
        
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No


        Flag name

We should stick this change behind a flag, if it isn't already. (This is an I2P, so maybe you're getting to that :)).


        Requires code in //chrome?

False


        Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=658905


        Launch bug

https://launch.corp.google.com/launch/4233200


        Estimated milestones

No milestones specified



        Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4832850040324096

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JGCECAtUFRX6S%2BVriRJrVAwGUUquad6xgDGfiji81ZHg%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JGCECAtUFRX6S%2BVriRJrVAwGUUquad6xgDGfiji81ZHg%40mail.gmail.com?utm_medium=email&utm_source=footer>.

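What the change in the Summary looks like at the signature-algorithm level, as an added example that is not part of the original thread or Chrome's code: it decodes a `signature_algorithms` extension body, lists the SHA-1 schemes in it, and shows which server profiles still complete a handshake once the client stops offering them. The function names, the sample offer bytes, the two server profiles and the first-match selection policy are assumptions constructed for illustration; the code points are those of the TLS SignatureScheme registry.

```python
import struct

# SHA-1 code points from the TLS SignatureScheme registry (hash byte 0x02).
SHA1_SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0202: "dsa_sha1", 0x0203: "ecdsa_sha1"}

def parse_signature_algorithms(ext_body: bytes) -> list:
    """Decode a signature_algorithms extension body: uint16 length, then uint16 schemes."""
    if len(ext_body) < 4:
        raise ValueError("extension body too short")
    (declared,) = struct.unpack_from("!H", ext_body, 0)
    if declared != len(ext_body) - 2 or declared % 2:
        raise ValueError("length prefix does not match an even-sized scheme list")
    return [code for (code,) in struct.iter_unpack("!H", ext_body[2:])]

def sha1_entries(schemes):
    """Names of the SHA-1 schemes present in an offer, in offer order."""
    return [SHA1_SCHEMES[s] for s in schemes if s in SHA1_SCHEMES]

def without_sha1(schemes):
    """The same offer with every SHA-1 scheme dropped."""
    return [s for s in schemes if s not in SHA1_SCHEMES]

def negotiate(client_offer, server_supported):
    """First client-offered scheme the server can sign with, or None (handshake fails).
    Assumed policy for illustration; real servers may apply their own preference order."""
    return next((s for s in client_offer if s in server_supported), None)

# Constructed sample: an offer that still lists two SHA-1 schemes last.
LEGACY_OFFER = bytes.fromhex("000a" "0403" "0804" "0401" "0201" "0203")
# Constructed server profiles: one modern, one that can only sign with SHA-1.
MODERN_SERVER = {0x0804, 0x0401}
SHA1_ONLY_SERVER = {0x0201}

if __name__ == "__main__":
    offer = parse_signature_algorithms(LEGACY_OFFER)
    print("SHA-1 schemes in offer:", sha1_entries(offer))
    for name, server in (("modern", MODERN_SERVER), ("sha1-only", SHA1_ONLY_SERVER)):
        before = negotiate(offer, server)
        after = negotiate(without_sha1(offer), server)
        print(name, "before:", before and hex(before), "after:", after and hex(after))
```

Only the server profile that can sign with nothing but SHA-1 loses the handshake, which is the compatibility case a flag or staged rollout would surface.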