On Tue, Sep 19, 2023 at 1:35 AM 'Jeffrey Yasskin' via blink-dev < blink-dev@chromium.org> wrote:
> On Mon, Sep 18, 2023 at 4:11 PM David Adrian <dadr...@google.com> wrote: > >> > This should probably be an "Intent to Deprecate and Remove" rather than >> an "Intent to Ship". >> >> You're absolutely right that it should be, unfortunately that's not the >> subject Chrome Status generated. I'll file an issue. >> > > Oops, yes, you did everything right here. There's already > https://github.com/GoogleChrome/chromium-dashboard/issues/2749 about > changing this subject line, and now > https://github.com/GoogleChrome/chromium-dashboard/issues/3346 to align > the Chrome Status UI with the launching-features page. > > > The RFC's introduction at >> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a >> pretty good explainer for why we should remove SHA-1 signatures. >> >> Agreed. Noting in general, there is a large process mismatch between TLS >> launches and the Blink launch process, as discussed in >> https://groups.google.com/a/chromium.org/g/blink-dev/c/CmlXjQeNWDI/m/r-AUe0OqAQAJ. >> That's why this Intent looks a little different. >> > I wouldn't categorize it as a large process mismatch. But that's an orthogonal discussion. > >> As for the launch itself, I'll note it's been at 10% on Finch for a >> couple weeks and everything looks gray, so we should be safe to ramp up to >> 100%. The only thing of note was a correlation with an unrelated crash >> in Blink >> <https://bugs.chromium.org/p/chromium/issues/detail?id=1479083#c2>, >> since the deprecation rollout was fairly large. It only showed at 10%, not >> 1%. >> >> On Mon, Sep 18, 2023 at 3:53 PM Jeffrey Yasskin <jyass...@google.com> >> wrote: >> >>> This should probably be an "Intent to Deprecate and Remove" >>> <https://www.chromium.org/blink/launching-features/#feature-deprecations> >>> rather than an "Intent to Ship". I'll let an API owner say if there's a >>> reason to re-send it; probably there isn't. >>> >>> On Mon, Sep 18, 2023 at 3:47 PM 'David Adrian' via blink-dev < >>> blink-dev@chromium.org> wrote: >>> >>>> Contact emailsdadr...@google.com >>>> >>>> ExplainerNone >>>> >>> >>> The RFC's introduction at >>> https://www.rfc-editor.org/rfc/rfc9155.html#name-introduction is a >>> pretty good explainer for why we should remove SHA-1 signatures. >>> >>> >>>> Specificationhttps://www.rfc-editor.org/rfc/rfc9155.html >>>> >>>> Summary >>>> >>>> Chrome is removing support for signature algorithms using SHA-1 for >>>> server signatures during the TLS handshake. This does not affect SHA-1 >>>> support in server certificates, which was already removed, or in client >>>> certificates, which continues to be supported. SHA-1 can be temporarily >>>> re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled >>>> enterprise policy. This policy will be removed in Chrome 123. >>>> >>>> >>>> Blink componentInternals>Network>SSL >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL> >>>> >>>> Search tagstls <https://chromestatus.com/features#tags:tls>, ssl >>>> <https://chromestatus.com/features#tags:ssl>, sha1 >>>> <https://chromestatus.com/features#tags:sha1> >>>> >>>> TAG reviewNone >>>> >>>> TAG review statusNot applicable >>>> >>>> Risks >>>> >>>> >>>> Interoperability and Compatibility >>>> >>>> At most 0.02% of page loads use the SHA1 fallback. However, we cannot >>>> disambiguate between a flaky first connection, and actually requiring SHA1. >>>> We expect the actual amount is lower. >>>> >>> Are we thinking that 0.02% is a loose upper bound? Is that correct? Any way to sample a few sites to validate that assumption? > >>>> >>>> *Gecko*: Positive ( >>>> https://github.com/mozilla/standards-positions/issues/812) >>>> >>>> *WebKit*: Positive ( >>>> https://github.com/WebKit/standards-positions/issues/196) >>>> >>>> *Web developers*: No signals >>>> >>>> *Other signals*: >>>> >>>> WebView application risks >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> >>>> None >>>> >>>> >>>> Debuggability >>>> >>>> n/a, this happens pre-devtools >>>> >>>> >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, Chrome OS, Android, and Android WebView)?Yes >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ?No >>>> >>>> Flag name on chrome://flagsuse-sha1-server-handshakes >>>> >>>> Finch feature nameDisableSHA1ServerSignature >>>> >>>> Requires code in //chrome?False >>>> >>>> Tracking bug >>>> https://bugs.chromium.org/p/chromium/issues/detail?id=658905 >>>> >>>> Launch bughttps://launch.corp.google.com/launch/4233200 >>>> >>>> Estimated milestones >>>> Shipping on desktop 117 >>>> OriginTrial desktop last 116 >>>> OriginTrial desktop first 115 >>>> DevTrial on desktop 115 >>>> Shipping on Android 117 >>>> OriginTrial Android last 116 >>>> OriginTrial Android first 115 >>>> DevTrial on Android 115 >>>> OriginTrial webView last 116 >>>> OriginTrial webView first 115 >>>> >>>> Anticipated spec changes >>>> >>>> Open questions about a feature may be a source of future web compat or >>>> interop issues. Please list open issues (e.g. links to known github issues >>>> in the project for the feature specification) whose resolution may >>>> introduce web compat/interop risk (e.g., changing to naming or structure of >>>> the API in a non-backward-compatible way). >>>> None >>>> >>>> Link to entry on the Chrome Platform Status >>>> https://chromestatus.com/feature/4832850040324096 >>>> >>>> Links to previous Intent discussionsIntent to Experiment: >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42JZz%3De_TRVwumqgTj-A7543BR7JLBUR_GzVN_oOWhKVvg%40mail.gmail.com >>>> >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://chromestatus.com/>. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to blink-dev+unsubscr...@chromium.org. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LiSGgfN1trVXfrmCW0Upk9r9GK4XYZQm5Y8RSzphn_DA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANh-dXnM7SzAOh2y6hcuezDpo-yCW%3DtNg0%3D1ErEMCFN%3DSSpsQQ%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANh-dXnM7SzAOh2y6hcuezDpo-yCW%3DtNg0%3D1ErEMCFN%3DSSpsQQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVJgRYUjxEYVt8bYAg6U24h8dJ8SmBtmFgFkcnuTQjOpQ%40mail.gmail.com.
