On Tue, Sep 19, 2023 at 7:45 AM Yoav Weiss <yoavwe...@chromium.org> wrote:

>
>
> On Tue, Sep 19, 2023 at 1:35 AM 'Jeffrey Yasskin' via blink-dev <
> blink-dev@chromium.org> wrote:
>
>> On Mon, Sep 18, 2023 at 4:11 PM David Adrian <dadr...@google.com> wrote:
>>
>>> > This should probably be an "Intent to Deprecate and Remove" rather
>>> than an "Intent to Ship".
>>>
>>> You're absolutely right that it should be, unfortunately that's not the
>>> subject Chrome Status generated. I'll file an issue.
>>>
>>
>> Oops, yes, you did everything right here. There's already
>> https://github.com/GoogleChrome/chromium-dashboard/issues/2749 about
>> changing this subject line, and now
>> https://github.com/GoogleChrome/chromium-dashboard/issues/3346 to align
>> the Chrome Status UI with the launching-features page.
>>
>> > The RFC's introduction at
>>> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a
>>> pretty good explainer for why we should remove SHA-1 signatures.
>>>
>>> Agreed. Noting in general, there is a large process mismatch between TLS
>>> launches and the Blink launch process, as discussed in
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/CmlXjQeNWDI/m/r-AUe0OqAQAJ.
>>> That's why this Intent looks a little different.
>>>
>>
> I wouldn't categorize it as a large process mismatch. But that's an
> orthogonal discussion.
>
>
>>
>>> As for the launch itself, I'll note it's been at 10% on Finch for a
>>> couple weeks and everything looks gray, so we should be safe to ramp up to
>>> 100%. The only thing of note was a correlation with an unrelated crash
>>> in Blink
>>> <https://bugs.chromium.org/p/chromium/issues/detail?id=1479083#c2>,
>>> since the deprecation rollout was fairly large. It only showed at 10%, not
>>> 1%.
>>>
>>
 How would we know of breakage in those 10%? Would that look like users
filing issues? Something else?


>>> On Mon, Sep 18, 2023 at 3:53 PM Jeffrey Yasskin <jyass...@google.com>
>>> wrote:
>>>
>>>> This should probably be an "Intent to Deprecate and Remove"
>>>> <https://www.chromium.org/blink/launching-features/#feature-deprecations>
>>>> rather than an "Intent to Ship". I'll let an API owner say if there's a
>>>> reason to re-send it; probably there isn't.
>>>>
>>>> On Mon, Sep 18, 2023 at 3:47 PM 'David Adrian' via blink-dev <
>>>> blink-dev@chromium.org> wrote:
>>>>
>>>>> Contact emailsdadr...@google.com
>>>>>
>>>>> ExplainerNone
>>>>>
>>>>
>>>> The RFC's introduction at
>>>> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a
>>>> pretty good explainer for why we should remove SHA-1 signatures.
>>>>
>>>>
>>>>> Specificationhttps://www.rfc-editor.org/rfc/rfc9155.html
>>>>>
>>>>> Summary
>>>>>
>>>>> Chrome is removing support for signature algorithms using SHA-1 for
>>>>> server signatures during the TLS handshake. This does not affect SHA-1
>>>>> support in server certificates, which was already removed, or in client
>>>>> certificates, which continues to be supported. SHA-1 can be temporarily
>>>>> re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled
>>>>> enterprise policy. This policy will be removed in Chrome 123.
>>>>>
>>>>>
>>>>> Blink componentInternals>Network>SSL
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>
>>>>>
>>>>> Search tagstls <https://chromestatus.com/features#tags:tls>, ssl
>>>>> <https://chromestatus.com/features#tags:ssl>, sha1
>>>>> <https://chromestatus.com/features#tags:sha1>
>>>>>
>>>>> TAG reviewNone
>>>>>
>>>>> TAG review statusNot applicable
>>>>>
>>>>> Risks
>>>>>
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> At most 0.02% of page loads use the SHA1 fallback. However, we cannot
>>>>> disambiguate between a flaky first connection, and actually requiring 
>>>>> SHA1.
>>>>> We expect the actual amount is lower.
>>>>>
>>>>
> Are we thinking that 0.02% is a loose upper bound? Is that correct?
> Any way to sample a few sites to validate that assumption?
>

Also, are those 0.02% driven by origins? Specific user platforms? Something
else?


>
>
>>
>>>>>
>>>>> *Gecko*: Positive (
>>>>> https://github.com/mozilla/standards-positions/issues/812)
>>>>>
>>>>> *WebKit*: Positive (
>>>>> https://github.com/WebKit/standards-positions/issues/196)
>>>>>
>>>>> *Web developers*: No signals
>>>>>
>>>>> *Other signals*:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> None
>>>>>
>>>>>
>>>>> Debuggability
>>>>>
>>>>> n/a, this happens pre-devtools
>>>>>
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?Yes
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>>> ?No
>>>>>
>>>>> Flag name on chrome://flagsuse-sha1-server-handshakes
>>>>>
>>>>> Finch feature nameDisableSHA1ServerSignature
>>>>>
>>>>> Requires code in //chrome?False
>>>>>
>>>>> Tracking bug
>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=658905
>>>>>
>>>>> Launch bughttps://launch.corp.google.com/launch/4233200
>>>>>
>>>>> Estimated milestones
>>>>> Shipping on desktop 117
>>>>> OriginTrial desktop last 116
>>>>> OriginTrial desktop first 115
>>>>> DevTrial on desktop 115
>>>>> Shipping on Android 117
>>>>> OriginTrial Android last 116
>>>>> OriginTrial Android first 115
>>>>> DevTrial on Android 115
>>>>> OriginTrial webView last 116
>>>>> OriginTrial webView first 115
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or
>>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>>> in the project for the feature specification) whose resolution may
>>>>> introduce web compat/interop risk (e.g., changing to naming or structure 
>>>>> of
>>>>> the API in a non-backward-compatible way).
>>>>> None
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>> https://chromestatus.com/feature/4832850040324096
>>>>>
>>>>> Links to previous Intent discussionsIntent to Experiment:
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JZz%3De_TRVwumqgTj-A7543BR7JLBUR_GzVN_oOWhKVvg%40mail.gmail.com
>>>>>
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com
>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANh-dXnM7SzAOh2y6hcuezDpo-yCW%3DtNg0%3D1ErEMCFN%3DSSpsQQ%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANh-dXnM7SzAOh2y6hcuezDpo-yCW%3DtNg0%3D1ErEMCFN%3DSSpsQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVPG6np80msDXGDyzqOMA6E-7mtqFQpDSw8w5m3X%3DEKOg%40mail.gmail.com.

Reply via email to