Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:99238
Return-Path: <me@kelunik.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 61594 invoked from network); 29 May 2017 20:17:44 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 May 2017 20:17:44 -0000
Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.162 cause and error)
X-PHP-List-Original-Sender: me@kelunik.com
X-Host-Fingerprint: 81.169.146.162 mo4-p00-ob.smtp.rzone.de  
Received: from [81.169.146.162] ([81.169.146.162:27910] helo=mo4-p00-ob.smtp.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id CD/27-34073-7E18C295 for <internals@lists.php.net>; Mon, 29 May 2017 16:17:43 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1496089061;
	l=2376; s=domk; d=kelunik.com;
	h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To:
	MIME-Version;
	bh=lsTfjrWOozT2imUTwxqEk1L4bTGDKLwA9cFguW9HzoY=;
	b=mdlMcgm2OoyHiRWyfjEcS5r2kNiAJU68je3rYrpO0dypwQt44JKPVlDrUYPCGbG2cp
	XD4Qt6p4o6zwM6f1RziFVSkk3kch0JD+0ZA8c7NP+4Ir2xx9wsaUZSzbA7yjgKYjz1+J
	QSERNuoqxPIJJ7/YbRlz488KTx5hWDWIuJ258=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLDup6E67mzuoNHBqX93Q==
X-RZG-CLASS-ID: mo00
Received: by mail-oi0-f45.google.com with SMTP id h4so88998826oib.3
        for <internals@lists.php.net>; Mon, 29 May 2017 13:17:41 -0700 (PDT)
X-Gm-Message-State: AODbwcDOrs807tfr+NYt+kQAWtmwO6qp10OVLDPCkNoPvNU3GLDGsYzr
	weulAi4gRQXj4vnTTvdElJCr7qfrVg==
X-Received: by 10.157.60.119 with SMTP id j52mr2721856ote.31.1496089060336;
 Mon, 29 May 2017 13:17:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.176.133 with HTTP; Mon, 29 May 2017 13:17:40 -0700 (PDT)
In-Reply-To: <74a2f26d06af16041d2f31123264b733@gmail.com>
References: <CANUQDCiUYNwH_tkZyS_cbWVa1X=4CAA3_14VD+fYjAXk-JU=1g@mail.gmail.com>
 <CANUQDChzB7EYyx8QOPgDC2TPR7n-h-dK43tHDfTZ=ocHPLHSOQ@mail.gmail.com> <74a2f26d06af16041d2f31123264b733@gmail.com>
Date: Mon, 29 May 2017 22:17:40 +0200
X-Gmail-Original-Message-ID: <CANUQDCh9cnXEgUfnmu-Eo5TgbcxwzrR4xOxLe0c3jABMinUwQw@mail.gmail.com>
Message-ID: <CANUQDCh9cnXEgUfnmu-Eo5TgbcxwzrR4xOxLe0c3jABMinUwQw@mail.gmail.com>
To: =?UTF-8?Q?Lauri_Kentt=C3=A4?= <lauri.kentta@gmail.com>
Cc: PHP Internals <internals@lists.php.net>, Jakub Zelenka <bukka@php.net>
Content-Type: multipart/alternative; boundary="001a11c00fe2fe92410550af608d"
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)

--001a11c00fe2fe92410550af608d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

2017-05-29 16:03 GMT+02:00 Lauri Kentt=C3=A4 <lauri.kentta@gmail.com>:

> On 2017-05-29 13:58, Niklas Keller wrote:
>
>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>
>
> At least that name is misleading. Most PHP users would probably wonder wh=
y
> a setting of 128 does not allow the 160-bit hash from SHA-1 or the 512-bi=
t
> RSA. So the name should be more like "min_cryptographic_strength" (possib=
ly
> prefixed with "signature_") to make it clear that this is not really abou=
t
> the bits in signature.
>
> I'm not totally convinced about this bit approach in general. What happen=
s
> if SHA-2 is suddenly broken and people move to SHA-3 of the same length?
>

I'm open to better suggestions.

Regards, Niklas

--001a11c00fe2fe92410550af608d--