Newsgroups: php.internals
Date: Tue, 30 May 2017 21:26:27 +0100
To: Niklas Keller
Cc: PHP Internals
Subject: Re: [RFC] Distrust SHA-1 Certificates
From: bukka@php.net (Jakub Zelenka)

On Mon, May 29, 2017 at 9:16 PM, Niklas Keller wrote:

> 2017-05-29 22:00 GMT+02:00 Jakub Zelenka:
>
>> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
>>
>>> Morning Internals,
>>>
>>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>
>> Wouldn't it be better to use security levels instead, as it is in OpenSSL? Of
>> course I mean just for sig level to not re-implement everything. Basically
>> having sig_level or something like that...
>
> As we can't use the OpenSSL implementation directly, I don't see any
> reason to use arbitrary integers there which you have to look up again.
> Maybe we should find a totally different way.

Well, we are going to implement security levels at some point anyway, as it is the primary way to control security strength in OpenSSL 1.1+, so people will need to look it up anyway. It is also much easier to use than directly setting security bits IMHO.
It might also allow us to simplify implementation in the future (for example if it gets separated to its own verify param in the future, we could use that). Also we will be able to just completely skip that if the main security level is already on that level or higher (it would be already covered by that).

Please mind that this is an openssl extension, so we should prefer the API offered by the library and not try to invent our own solutions.

Cheers

Jakub
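
Added example, not part of the message above and not code from PHP or OpenSSL: a C sketch of how a bits-based setting such as "min_signature_bits" maps onto OpenSSL-style security levels, and of the skip rule for when the main level already covers the signature level. The level floors are the ones documented for SSL_CTX_set_security_level; the function names and the rating of a digest at half its output size are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Minimum security bits for OpenSSL security levels 0..5, as listed in
 * the SSL_CTX_set_security_level documentation. */
static const int level_bits[] = {0, 80, 112, 128, 192, 256};
#define MAX_LEVEL 5

/* Assumption: rate a signature digest at half its output size. */
static int digest_bits(const char *md) {
    static const struct { const char *name; int bits; } t[] = {
        {"md5", 64}, {"sha1", 80}, {"sha224", 112},
        {"sha256", 128}, {"sha384", 192}, {"sha512", 256},
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        if (strcmp(md, t[i].name) == 0) return t[i].bits;
    return 0; /* unknown digest: no credited strength, fails any level > 0 */
}

/* Lowest level that guarantees at least min_bits, or -1 if none does. */
int level_for_min_bits(int min_bits) {
    for (int l = 0; l <= MAX_LEVEL; l++)
        if (level_bits[l] >= min_bits) return l;
    return -1;
}

/* The separate signature check is redundant once the main level covers it. */
int sig_check_needed(int main_level, int sig_level) {
    return sig_level > main_level;
}

/* Index of the first chain signature digest below the effective level, or -1
 * if all pass. chain[] is leaf first and excludes the trust anchor. */
int first_weak_sig(const char *const *chain, size_t n, int main_level, int sig_level) {
    int level = sig_check_needed(main_level, sig_level) ? sig_level : main_level;
    if (level < 0 || level > MAX_LEVEL) level = MAX_LEVEL; /* out of range: strictest */
    for (size_t i = 0; i < n; i++)
        if (digest_bits(chain[i]) < level_bits[level]) return (int)i;
    return -1;
}

int main(void) {
    const char *const chain[] = {"sha256", "sha1"}; /* constructed sample chain */
    printf("min_signature_bits=128 -> level %d\n", level_for_min_bits(128));
    printf("main=1 sig=2: first weak index %d\n", first_weak_sig(chain, 2, 1, 2));
    printf("main=2 sig=1: extra check needed? %d\n", sig_check_needed(2, 1));
    return 0;
}
```

Under the half-output-size assumption a SHA-1 signature is rated at 80 bits, so it passes level 1 and fails level 2; a library that rates SHA-1 lower would reject it at level 1 as well.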