Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99722 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 65824 invoked from network); 3 Jul 2017 17:21:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Jul 2017 17:21:55 -0000 Authentication-Results: pb1.pair.com smtp.mail=php@golemon.com; spf=softfail; sender-id=softfail Authentication-Results: pb1.pair.com header.from=php@golemon.com; sender-id=softfail Received-SPF: softfail (pb1.pair.com: domain golemon.com does not designate 209.85.128.178 as permitted sender) X-PHP-List-Original-Sender: php@golemon.com X-Host-Fingerprint: 209.85.128.178 mail-wr0-f178.google.com Received: from [209.85.128.178] ([209.85.128.178:36069] helo=mail-wr0-f178.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id F0/67-15131-03D7A595 for ; Mon, 03 Jul 2017 13:21:54 -0400 Received: by mail-wr0-f178.google.com with SMTP id c11so237776795wrc.3 for ; Mon, 03 Jul 2017 10:21:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=golemon-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=OS3wdkUkx19HPiKWlUNGxL3inLbC+RL01qnFlAJk7ng=; b=ENC/tVPHpugUJuidFdVIuik+OVKhf6fvtmYcyrSDIOQquWkxoNr4ibyopI3MNQ5Skx px048ps9emljJbYpOsLrfXVhGi6NCcHVsmbQuttOJ0GiiZJfjAfJgUYA0jOz9i1pS8Js 8+MpmthhmTjAGN1ZkNcWQKqFzwTshyez9QNzxsqVndShgneI3zE+e4CSZlffNzzrwSWF n3DrdVszQJkT2cN4HSNYk457wx8HvKo74UtkNYapuf08EbzUq9sOrcl79nAJlAn8HKju 1mSBkTA7VQu4m0mMoUXX7WxbghlVVdHBFaO7WUy0YzQnzmdzI1cZoOuZRK0hjAvin318 1I8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=OS3wdkUkx19HPiKWlUNGxL3inLbC+RL01qnFlAJk7ng=; b=qEVhZ3YeXO2kPXZ5qQcJeBndreMtU9XHt5iZGDRrRviMiYZW/2jVufwwYRVbIEGPqX B88VUeovUZyTXHH6KRzAlIm/DjM6SCLLhiFZ9dTfzi+yfUKfRFP1g9j/79FFn9PHacyC 3CSunLcoXLgqM85ZgoZK4j92u31UrKtBPnjznvLCLsDB2sXkzZOlTYrjqxIXqLAGw8NC A8xfk2liuh381jYaLT47y2d6Arxx7yaa1vmZcH3FmHbSZOvEfowBmYp3MUVnbrO8Ma9L DqWr2jrGIxL9ySV1fMuCI6YyPGZ3kJ/DU2m3s0Uuo2qcB9N0or7gX3NLfGeaGhgTQgfD V+Ig== X-Gm-Message-State: AKS2vOweWIC79oRGuqTndDEkoceFEN09QGhb9oBihcIyZyEgDGPyPOfw uCiwuN8MGp+gjn3zcnRRv3R9YoKKZChoVa0= X-Received: by 10.223.170.75 with SMTP id q11mr36482591wrd.72.1499102509489; Mon, 03 Jul 2017 10:21:49 -0700 (PDT) MIME-Version: 1.0 Sender: php@golemon.com Received: by 10.223.169.139 with HTTP; Mon, 3 Jul 2017 10:21:48 -0700 (PDT) X-Originating-IP: [206.252.215.26] In-Reply-To: References: Date: Mon, 3 Jul 2017 13:21:48 -0400 X-Google-Sender-Auth: PaAyO4lI06lk-mLe3BD57AbKSTw Message-ID: To: Anatol Belski Cc: Niklas Keller , Jakub Zelenka , PHP Internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates From: pollita@php.net (Sara Golemon) On Mon, Jul 3, 2017 at 12:49 PM, Anatol Belski wrote: > About how to proceed - I'd say the issue is clear and either way > should be fixed. The RFC chooses the explicit strength approach. > What I'm a bit concerned about is, that there's no implementation > by this time, neither for 7.2 nor for lower. Given there are indeed > just last moments before the feature freeze, for 7.2 it depends on RMs. > I've told Niklas on Twitter, but I'll repeat here for the record. I fully expect a rush of last-minute RFCs "urgently" needing an extension of the feature freeze deadline. These come every new release as people are shocked to discover that timetables exist. IMO any RFC which does not have a merged implementation by July 20th* should assume it's not making it into 7.2, however RFCs will be taken on a case-by-case basis while in the beta period. As to this one: It certainly seems important that we don't let users blindly ignore terrible certificates. That's a false sense of security, and is arguably worse than no security at all. I expect to allow this RFC as far out as beta2 ASSUMING the implementation is sensible enough to get a passing vote from internals. If it moves things along smoother/quicker, I would suggest to constrain this discussion as though it were ONLY targeting 7.2, and we can have a separate discussion about how/when it should be back-ported to 7.1 and 7.0 since this change does represent a (theoretical**) BC break. -Sara * Yes, this includes ext/sodium, and I'm less inclined to extend lee-way to that for a number of reasons. ** Legitimately signed sites should not actually be a problem, AIUI.