On Mon, January 18, 2016 7:20 pm, Eric Mill wrote:
> I was suggesting not deciding a year ahead of time that enterprise apathy
> will be too overwhelmingly powerful to even try pushing on, in the specific
> case of SHA-1 deprecation.

Chrome has already decided this, as has (in effect) Microsoft.

> Is there an enterprise command line flag for MD5 support in Internet
> Explorer? :)

There is. KB2862973 only applied to roots in the Microsoft program - not enterprise roots. There are also flags to set the strong encryption settings.

> There isn't in Chrome, and here's the bug thread where the
> Chrome team denied fervent requests by someone behind an enterprise
> firewall to add MD5 support in behind a command line flag:

That's not a decision we would repeat today. It's a decision we made only because the issues didn't surface until we hit stable, so any fix would have taken us 6 months (based on the then-scheduled 8 week release iteration).

But even if we launched at 2017 for everything, we'd have a flag, and it'd likely last for 18 months. But that's still TBD, and me reading tea leaves.

> How weak does SHA-1 have to get before that balance changes? Is it totally
> dependent on existing enterprise adoption rates, and ambient non-disruptive
> user warnings?

Even if it's totally broken, I think the risk proposition is still questionable, given how exploiting a chosen-prefix works.

> Maybe that's something other browsers could work on publishing too?

I think such telemetry (from Firefox and Chrome) will be horribly misleading for this case. Our opt-in rate of metrics for enterprises is so low that any conclusions would be grossly misleading. We've certainly seen this with MD5 and SHA-1 measurements.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

