> This should probably be an "Intent to Deprecate and Remove" rather than
> an "Intent to Ship".

You're absolutely right that it should be, unfortunately that's not the
subject Chrome Status generated. I'll file an issue.

> The RFC's introduction at
> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a pretty
> good explainer for why we should remove SHA-1 signatures.

Agreed. Noting in general, there is a large process mismatch between TLS
launches and the Blink launch process, as discussed in
https://groups.google.com/a/chromium.org/g/blink-dev/c/CmlXjQeNWDI/m/r-AUe0OqAQAJ.
That's why this Intent looks a little different.

As for the launch itself, I'll note it's been at 10% on Finch for a couple
weeks and everything looks gray, so we should be safe to ramp up to 100%.
The only thing of note was a correlation with an unrelated crash in Blink
<https://bugs.chromium.org/p/chromium/issues/detail?id=1479083#c2>, since
the deprecation rollout was fairly large. It only showed at 10%, not 1%.

On Mon, Sep 18, 2023 at 3:53 PM Jeffrey Yasskin <jyass...@google.com> wrote:

> This should probably be an "Intent to Deprecate and Remove"
> <https://www.chromium.org/blink/launching-features/#feature-deprecations>
> rather than an "Intent to Ship". I'll let an API owner say if there's a
> reason to re-send it; probably there isn't.
>
> On Mon, Sep 18, 2023 at 3:47 PM 'David Adrian' via blink-dev <
> blink-dev@chromium.org> wrote:
>
>> Contact emails: dadr...@google.com
>>
>> Explainer: None
>>
>
> The RFC's introduction at
> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a pretty
> good explainer for why we should remove SHA-1 signatures.
>
>
>> Specification: https://www.rfc-editor.org/rfc/rfc9155.html
>>
>> Summary
>>
>> Chrome is removing support for signature algorithms using SHA-1 for
>> server signatures during the TLS handshake. This does not affect SHA-1
>> support in server certificates, which was already removed, or in client
>> certificates, which continues to be supported. SHA-1 can be temporarily
>> re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled
>> enterprise policy. This policy will be removed in Chrome 123.
>>
>>
>> Blink component: Internals>Network>SSL
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>
>>
>> Search tags: tls <https://chromestatus.com/features#tags:tls>, ssl
>> <https://chromestatus.com/features#tags:ssl>, sha1
>> <https://chromestatus.com/features#tags:sha1>
>>
>> TAG review: None
>>
>> TAG review status: Not applicable
>>
>> Risks
>>
>>
>> Interoperability and Compatibility
>>
>> At most 0.02% of page loads use the SHA1 fallback. However, we cannot
>> disambiguate between a flaky first connection, and actually requiring SHA1.
>> We expect the actual amount is lower.
>>
>>
>> *Gecko*: Positive (
>> https://github.com/mozilla/standards-positions/issues/812)
>>
>> *WebKit*: Positive (
>> https://github.com/WebKit/standards-positions/issues/196)
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that
>> it has potentially high risk for Android WebView-based applications?
>>
>> None
>>
>>
>> Debuggability
>>
>> n/a, this happens pre-devtools
>>
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, Chrome OS, Android, and Android WebView)? Yes
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>> ? No
>>
>> Flag name on chrome://flags: use-sha1-server-handshakes
>>
>> Finch feature name: DisableSHA1ServerSignature
>>
>> Requires code in //chrome? False
>>
>> Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=658905
>>
>> Launch bug: https://launch.corp.google.com/launch/4233200
>>
>> Estimated milestones
>> Shipping on desktop 117
>> OriginTrial desktop last 116
>> OriginTrial desktop first 115
>> DevTrial on desktop 115
>> Shipping on Android 117
>> OriginTrial Android last 116
>> OriginTrial Android first 115
>> DevTrial on Android 115
>> OriginTrial webView last 116
>> OriginTrial webView first 115
>>
>> Anticipated spec changes
>>
>> Open questions about a feature may be a source of future web compat or
>> interop issues. Please list open issues (e.g. links to known github issues
>> in the project for the feature specification) whose resolution may
>> introduce web compat/interop risk (e.g., changing to naming or structure of
>> the API in a non-backward-compatible way).
>> None
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/4832850040324096
>>
>> Links to previous Intent discussions: Intent to Experiment:
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JZz%3De_TRVwumqgTj-A7543BR7JLBUR_GzVN_oOWhKVvg%40mail.gmail.com
>>
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>

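Added example, not part of the thread or of Chromium's code: a small auditing helper that reads the algorithm a server used to sign a TLS 1.2 ECDHE ServerKeyExchange and reports whether it relies on a hash that RFC 9155 deprecates. It assumes the handshake message body has already been extracted from a capture; the function names and the sample messages are constructed for illustration.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm registries (RFC 5246, section 7.4.1.4.1).
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# Hashes that RFC 9155 deprecates for TLS 1.2 handshake signatures.
DEPRECATED = {"md5", "sha1"}


def server_signature_algorithm(ske: bytes) -> str:
    """Return the algorithm that signs an ECDHE ServerKeyExchange body.

    Layout: curve_type(1) named_curve(2) point_len(1) point
            hash(1) signature(1) sig_len(2) sig
    """
    if len(ske) < 4 or ske[0] != 3:  # 3 = named_curve
        raise ValueError("not an ECDHE named_curve ServerKeyExchange")
    off = 4 + ske[3]  # skip the curve parameters and the public point
    if len(ske) < off + 4:
        raise ValueError("truncated before the signature")
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", ske, off)
    if len(ske) != off + 4 + sig_len:
        raise ValueError("signature length does not match the message")
    if hash_id in HASHES and sig_id in SIGS:
        return f"{SIGS[sig_id]}_{HASHES[hash_id]}"
    # Code points outside the hash/signature pairs, e.g. RSA-PSS schemes.
    return f"scheme_0x{hash_id:02x}{sig_id:02x}"


def uses_deprecated_hash(ske: bytes) -> bool:
    """True when the server signed its key exchange with MD5 or SHA-1."""
    return server_signature_algorithm(ske).rsplit("_", 1)[-1] in DEPRECATED


def sample_ske(hash_id: int, sig_id: int) -> bytes:
    # Constructed message: secp256r1 (0x0017), dummy 65-byte point, dummy signature.
    point = b"\x04" + bytes(64)
    sig = bytes(72)
    return (b"\x03\x00\x17" + bytes([len(point)]) + point
            + bytes([hash_id, sig_id]) + struct.pack("!H", len(sig)) + sig)


if __name__ == "__main__":
    for name, msg in [("legacy", sample_ske(2, 1)), ("modern", sample_ske(4, 3)),
                      ("pss", sample_ske(8, 4))]:
        print(name, server_signature_algorithm(msg), uses_deprecated_hash(msg))
```

Servers flagged here are the ones that would need the temporary enterprise policy mentioned in the Summary until their TLS stack is updated.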