On Tue, Sep 19, 2023 at 7:45 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
> On Tue, Sep 19, 2023 at 1:35 AM 'Jeffrey Yasskin' via blink-dev <
> blink-dev@chromium.org> wrote:
>
>> On Mon, Sep 18, 2023 at 4:11 PM David Adrian <dadr...@google.com> wrote:
>>
>>> > This should probably be an "Intent to Deprecate and Remove" rather
>>> than an "Intent to Ship".
>>>
>>> You're absolutely right that it should be, unfortunately that's not the
>>> subject Chrome Status generated. I'll file an issue.
>>>
>>
>> Oops, yes, you did everything right here. There's already
>> https://github.com/GoogleChrome/chromium-dashboard/issues/2749 about
>> changing this subject line, and now
>> https://github.com/GoogleChrome/chromium-dashboard/issues/3346 to align
>> the Chrome Status UI with the launching-features page.
>>
>> > The RFC's introduction at
>>> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a
>>> pretty good explainer for why we should remove SHA-1 signatures.
>>>
>>> Agreed. Noting in general, there is a large process mismatch between TLS
>>> launches and the Blink launch process, as discussed in
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/CmlXjQeNWDI/m/r-AUe0OqAQAJ.
>>> That's why this Intent looks a little different.
>>>
>>
> I wouldn't categorize it as a large process mismatch. But that's an
> orthogonal discussion.
>
>>
>>> As for the launch itself, I'll note it's been at 10% on Finch for a
>>> couple weeks and everything looks gray, so we should be safe to ramp up to
>>> 100%. The only thing of note was a correlation with an unrelated crash
>>> in Blink
>>> <https://bugs.chromium.org/p/chromium/issues/detail?id=1479083#c2>,
>>> since the deprecation rollout was fairly large. It only showed at 10%, not
>>> 1%.
>>>
>>
> How would we know of breakage in those 10%? Would that look like users filing issues? Something else?
>
>>> On Mon, Sep 18, 2023 at 3:53 PM Jeffrey Yasskin <jyass...@google.com>
>>> wrote:
>>>
>>>> This should probably be an "Intent to Deprecate and Remove"
>>>> <https://www.chromium.org/blink/launching-features/#feature-deprecations>
>>>> rather than an "Intent to Ship". I'll let an API owner say if there's a
>>>> reason to re-send it; probably there isn't.
>>>>
>>>> On Mon, Sep 18, 2023 at 3:47 PM 'David Adrian' via blink-dev <
>>>> blink-dev@chromium.org> wrote:
>>>>
>>>>> Contact emails: dadr...@google.com
>>>>>
>>>>> Explainer: None
>>>>>
>>>>
>>>> The RFC's introduction at
>>>> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a
>>>> pretty good explainer for why we should remove SHA-1 signatures.
>>>>
>>>>> Specification: https://www.rfc-editor.org/rfc/rfc9155.html
>>>>>
>>>>> Summary
>>>>>
>>>>> Chrome is removing support for signature algorithms using SHA-1 for
>>>>> server signatures during the TLS handshake. This does not affect SHA-1
>>>>> support in server certificates, which was already removed, or in client
>>>>> certificates, which continues to be supported. SHA-1 can be temporarily
>>>>> re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled
>>>>> enterprise policy. This policy will be removed in Chrome 123.
>>>>>
>>>>> Blink component: Internals>Network>SSL
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>
>>>>>
>>>>> Search tags: tls <https://chromestatus.com/features#tags:tls>, ssl
>>>>> <https://chromestatus.com/features#tags:ssl>, sha1
>>>>> <https://chromestatus.com/features#tags:sha1>
>>>>>
>>>>> TAG review: None
>>>>>
>>>>> TAG review status: Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> At most 0.02% of page loads use the SHA1 fallback. However, we cannot
>>>>> disambiguate between a flaky first connection, and actually requiring SHA1.
>>>>> We expect the actual amount is lower.
>>>>>
>>>>
> Are we thinking that 0.02% is a loose upper bound? Is that correct?
> Any way to sample a few sites to validate that assumption?
> Also, are those 0.02% driven by origins? Specific user platforms? Something else?
>
>>
>>>>>
>>>>> *Gecko*: Positive (
>>>>> https://github.com/mozilla/standards-positions/issues/812)
>>>>>
>>>>> *WebKit*: Positive (
>>>>> https://github.com/WebKit/standards-positions/issues/196)
>>>>>
>>>>> *Web developers*: No signals
>>>>>
>>>>> *Other signals*:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> None
>>>>>
>>>>> Debuggability
>>>>>
>>>>> n/a, this happens pre-devtools
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>> No
>>>>>
>>>>> Flag name on chrome://flags: use-sha1-server-handshakes
>>>>>
>>>>> Finch feature name: DisableSHA1ServerSignature
>>>>>
>>>>> Requires code in //chrome? False
>>>>>
>>>>> Tracking bug:
>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=658905
>>>>>
>>>>> Launch bug: https://launch.corp.google.com/launch/4233200
>>>>>
>>>>> Estimated milestones
>>>>> Shipping on desktop 117
>>>>> OriginTrial desktop last 116
>>>>> OriginTrial desktop first 115
>>>>> DevTrial on desktop 115
>>>>> Shipping on Android 117
>>>>> OriginTrial Android last 116
>>>>> OriginTrial Android first 115
>>>>> DevTrial on Android 115
>>>>> OriginTrial webView last 116
>>>>> OriginTrial webView first 115
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or
>>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>>> in the project for the feature specification) whose resolution may
>>>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>>>> the API in a non-backward-compatible way).
>>>>> None
>>>>>
>>>>> Link to entry on the Chrome Platform Status:
>>>>> https://chromestatus.com/feature/4832850040324096
>>>>>
>>>>> Links to previous Intent discussions: Intent to Experiment:
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JZz%3De_TRVwumqgTj-A7543BR7JLBUR_GzVN_oOWhKVvg%40mail.gmail.com
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com
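For anyone checking whether a server still falls in the SHA-1 bucket discussed in this thread, the following is an added example (not part of the original messages and not Chromium code) that reads the signature algorithm out of a captured TLS 1.2 ServerKeyExchange and flags the SHA-1 codepoints deprecated by RFC 9155. It assumes a TLS 1.2 ECDHE handshake with named_curve parameters; the function names and the sample message are constructed for illustration.

```python
# SignatureScheme codepoints whose hash is SHA-1 (hash byte 0x02 in TLS 1.2).
SHA1_SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0202: "dsa_sha1", 0x0203: "ecdsa_sha1"}
SERVER_KEY_EXCHANGE = 12   # handshake message type
NAMED_CURVE = 3            # ECCurveType for ECDHE parameters


def ske_signature_scheme(msg: bytes) -> int:
    """Return the 16-bit signature algorithm a TLS 1.2 ECDHE server signed with."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    if len(body) < 4 or body[0] != NAMED_CURVE:
        raise ValueError("only ECDHE named_curve parameters are handled")
    off = 4 + body[3]                      # skip curve_type, curve id, EC point
    if len(body) < off + 4:
        raise ValueError("truncated before the signature")
    scheme = int.from_bytes(body[off:off + 2], "big")
    sig_len = int.from_bytes(body[off + 2:off + 4], "big")
    if off + 4 + sig_len != len(body):
        raise ValueError("signature length mismatch")
    return scheme


def uses_sha1(scheme: int) -> bool:
    """True if the server signature would be rejected once SHA-1 is removed."""
    return scheme in SHA1_SCHEMES


def build_sample(scheme: int) -> bytes:
    """Constructed ServerKeyExchange with zeroed key and signature bytes."""
    params = bytes([NAMED_CURVE]) + (23).to_bytes(2, "big") + bytes([65, 4]) + bytes(64)
    sig = bytes(72)
    body = params + scheme.to_bytes(2, "big") + len(sig).to_bytes(2, "big") + sig
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for sample in (build_sample(0x0201), build_sample(0x0403)):
        scheme = ske_signature_scheme(sample)
        print(f"0x{scheme:04x}", "SHA-1, will fail" if uses_sha1(scheme) else "ok")
```
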