Per the conversation on the previous thread, carefully rolling this out to measure breakage seems like the right path forward. Do you have a timeline along which you'd like to run this experiment? M115-M118?
-mike On Thu, Jun 8, 2023 at 9:54 PM 'David Adrian' via blink-dev < [email protected]> wrote: > Per request on the previous thread > <https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM>, > converting the previous Ready for Trial to an Intent to Experiment / > Request for Deprecation Trial. > > Due to the nature of the TLS stack, this experiment will be managed by > Finch, rather than site opt-in. > > On Thu, Jun 8, 2023 at 1:52 PM David Adrian <[email protected]> wrote: > >> Contact [email protected] >> [email protected] >> >> ExplainerNone >> >> Specificationhttps://www.rfc-editor.org/rfc/rfc9155.html >> >> Summary >> >> Chrome is removing support for signature algorithms using SHA-1 for >> server signatures during the TLS handshake. This does not affect SHA-1 >> support in server certificates, which was already removed, or in client >> certificates, which continues to be supported. >> >> >> Blink componentInternals>Network>SSL >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL> >> >> Search tagstls <https://chromestatus.com/features#tags:tls>, ssl >> <https://chromestatus.com/features#tags:ssl>, sha1 >> <https://chromestatus.com/features#tags:sha1> >> >> TAG reviewNone >> >> TAG review statusNot applicable >> >> Risks >> >> >> Interoperability and Compatibility >> >> At most 0.02% of page loads use the SHA1 fallback. However, we cannot >> disambiguate between a flaky first connection, and actually requiring SHA1. >> We expect the actual amount is lower. >> >> >> *Gecko*: No signal ( >> https://github.com/mozilla/standards-positions/issues/812) >> >> *WebKit*: No signal ( >> https://github.com/WebKit/standards-positions/issues/196) >> >> *Web developers*: No signals >> >> *Other signals*: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> Goals for experimentation >> >> Since this takes place before a document is loaded, sites cannot opt-in. >> We plan on doing a 1% stable experiment and monitoring any increase in page >> load failures and SSL failures. >> >> This experiment is managed via Finch, not as an Origin / Deprecation >> Trial. >> >> Experiment Risks >> Sites that are incapable of SHA2 signatures would fail to load. However, >> we believe the actual set of sites that don't support SHA2 is very small. >> Due to how negotiation works in TLS, we can't tell the difference between >> "prefers SHA1 to SHA2, but has a flaky network" and "only supports SHA1". >> In the worst case, this is 0.02% of TLS connections. In the best case, this >> is 0%. >> >> Ongoing technical constraints >> >> None >> >> >> Debuggability >> >> n/a, this happens pre-devtools >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, Chrome OS, Android, and Android WebView)?Yes >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ?No >> >> Flag nameuse-sha1-server-handshakes >> >> Requires code in //chrome?False >> >> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=658905 >> >> Launch bughttps://launch.corp.google.com/launch/4233200 >> >> Estimated milestones >> Shipping on desktop 117 >> OriginTrial desktop last 116 >> OriginTrial desktop first 115 >> DevTrial on desktop 115 >> Shipping on Android 117 >> OriginTrial Android last 116 >> OriginTrial Android first 115 >> DevTrial on Android 115 >> OriginTrial webView last 116 >> OriginTrial webView first 115 >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/4832850040324096 >> >> Links to previous Intent discussions >> https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM >> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/rfPtQpqNixk/m/WF3a12okCgAJ >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LkdzFVgWn%3DEngqRQekuV%2B4rCQRWGcGjz4x5QJGpzgvig%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LkdzFVgWn%3DEngqRQekuV%2B4rCQRWGcGjz4x5QJGpzgvig%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DdMuzsbs5VK_BcPNUMgi9hB0QsJsqhYdYOaCCsaE8tGLg%40mail.gmail.com.
