Newsgroups: php.internals
Date: Tue, 4 Jul 2017 11:18:47 +0000
To: Sara Golemon
CC: Niklas Keller, Jakub Zelenka, PHP Internals
Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: weltling@outlook.de (Anatol Belski)

Hi Sara,

> -----Original Message-----
> From: php@golemon.com [mailto:php@golemon.com] On Behalf Of Sara Golemon
> Sent: Monday, July 3, 2017 7:22 PM
> To: Anatol Belski
> Cc: Niklas Keller; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> On Mon, Jul 3, 2017 at 12:49 PM, Anatol Belski wrote:
> > About how to proceed - I'd say the issue is clear and either way
> > should be fixed. The RFC chooses the explicit strength approach.
> > What I'm a bit concerned about is that there's no implementation by
> > this time, neither for 7.2 nor for lower. Given there are indeed just
> > last moments before the feature freeze, for 7.2 it depends on RMs.
> >
> I've told Niklas on Twitter, but I'll repeat here for the record. I fully expect a
> rush of last-minute RFCs "urgently" needing an extension of the feature freeze
> deadline. These come every new release as people are shocked to discover that
> timetables exist.
>

With issues like this - d'accord. The early pre-release seems to be traditionally a peak time.

> IMO any RFC which does not have a merged implementation by July 20th*
> should assume it's not making it into 7.2, however RFCs will be taken on a
> case-by-case basis while in the beta period. As to this one: It certainly seems
> important that we don't let users blindly ignore terrible certificates. That's a
> false sense of security, and is arguably worse than no security at all.
>
> I expect to allow this RFC as far out as beta2 ASSUMING the implementation is
> sensible enough to get a passing vote from internals.
>
> If it moves things along smoother/quicker, I would suggest to constrain this
> discussion as though it were ONLY targeting 7.2, and we can have a separate
> discussion about how/when it should be back-ported to 7.1 and 7.0 since this
> change does represent a (theoretical**) BC break.
>

IMO for better compatibility, both "new" and "backport" should be seen together. It's clear a fix should come ASAP, but I'd see no reason to rush without a good consideration. That's why I was asking right about the code, as that's the most essential part. It is true that some breaches are even allowed for security reasons, as per Ferenc, so we need to evaluate it by the matters of fact.

Thanks

Anatol