We plan to start in M115. Four milestones seems a bit long---this breakage likely either be immediately evident or a no-op. I was thinking M115 and M116, but we'll defer to your judgement.
On Tue, Jun 13, 2023 at 2:50 AM Mike West <[email protected]> wrote: > Per the conversation on the previous thread, carefully rolling this out to > measure breakage seems like the right path forward. Do you have a timeline > along which you'd like to run this experiment? M115-M118? > > -mike > > > On Thu, Jun 8, 2023 at 9:54 PM 'David Adrian' via blink-dev < > [email protected]> wrote: > >> Per request on the previous thread >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM>, >> converting the previous Ready for Trial to an Intent to Experiment / >> Request for Deprecation Trial. >> >> Due to the nature of the TLS stack, this experiment will be managed by >> Finch, rather than site opt-in. >> >> On Thu, Jun 8, 2023 at 1:52 PM David Adrian <[email protected]> wrote: >> >>> Contact [email protected] >>> [email protected] >>> >>> ExplainerNone >>> >>> Specificationhttps://www.rfc-editor.org/rfc/rfc9155.html >>> >>> Summary >>> >>> Chrome is removing support for signature algorithms using SHA-1 for >>> server signatures during the TLS handshake. This does not affect SHA-1 >>> support in server certificates, which was already removed, or in client >>> certificates, which continues to be supported. >>> >>> >>> Blink componentInternals>Network>SSL >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL> >>> >>> Search tagstls <https://chromestatus.com/features#tags:tls>, ssl >>> <https://chromestatus.com/features#tags:ssl>, sha1 >>> <https://chromestatus.com/features#tags:sha1> >>> >>> TAG reviewNone >>> >>> TAG review statusNot applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> At most 0.02% of page loads use the SHA1 fallback. However, we cannot >>> disambiguate between a flaky first connection, and actually requiring SHA1. >>> We expect the actual amount is lower. >>> >>> >>> *Gecko*: No signal ( >>> https://github.com/mozilla/standards-positions/issues/812) >>> >>> *WebKit*: No signal ( >>> https://github.com/WebKit/standards-positions/issues/196) >>> >>> *Web developers*: No signals >>> >>> *Other signals*: >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> None >>> >>> >>> Goals for experimentation >>> >>> Since this takes place before a document is loaded, sites cannot opt-in. >>> We plan on doing a 1% stable experiment and monitoring any increase in page >>> load failures and SSL failures. >>> >>> This experiment is managed via Finch, not as an Origin / Deprecation >>> Trial. >>> >>> Experiment Risks >>> Sites that are incapable of SHA2 signatures would fail to load. However, >>> we believe the actual set of sites that don't support SHA2 is very small. >>> Due to how negotiation works in TLS, we can't tell the difference between >>> "prefers SHA1 to SHA2, but has a flaky network" and "only supports SHA1". >>> In the worst case, this is 0.02% of TLS connections. In the best case, this >>> is 0%. >>> >>> Ongoing technical constraints >>> >>> None >>> >>> >>> Debuggability >>> >>> n/a, this happens pre-devtools >>> >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, Chrome OS, Android, and Android WebView)?Yes >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ?No >>> >>> Flag nameuse-sha1-server-handshakes >>> >>> Requires code in //chrome?False >>> >>> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=658905 >>> >>> Launch bughttps://launch.corp.google.com/launch/4233200 >>> >>> Estimated milestones >>> Shipping on desktop 117 >>> OriginTrial desktop last 116 >>> OriginTrial desktop first 115 >>> DevTrial on desktop 115 >>> Shipping on Android 117 >>> OriginTrial Android last 116 >>> OriginTrial Android first 115 >>> DevTrial on Android 115 >>> OriginTrial webView last 116 >>> OriginTrial webView first 115 >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/4832850040324096 >>> >>> Links to previous Intent discussions >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM >>> >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/rfPtQpqNixk/m/WF3a12okCgAJ >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LkdzFVgWn%3DEngqRQekuV%2B4rCQRWGcGjz4x5QJGpzgvig%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LkdzFVgWn%3DEngqRQekuV%2B4rCQRWGcGjz4x5QJGpzgvig%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BU_9G1KaT8y9PE9r9-%3Dgyr%3DkbA8368yr9r-O5EuuOgUg%40mail.gmail.com.
