rfc:distrust-sha1-certificates
Differences
This shows you the differences between two versions of the page.
rfc:distrust-sha1-certificates [2016/11/26 15:32] – Add implementation details kelunik | rfc:distrust-sha1-certificates [2017/09/22 13:28] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== PHP RFC: Distrust SHA-1 Certificates ====== | ====== PHP RFC: Distrust SHA-1 Certificates ====== | ||
- | * Version: 0.1 | + | * Version: 0.3 |
* Date: 2016-11-25 | * Date: 2016-11-25 | ||
+ | * Last Update: 2017-05-29 | ||
* Author: Niklas Keller < | * Author: Niklas Keller < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. The CA/B has advised CAs starting 2015-01-16 to issue no SHA-1 certificates with an expiration date greater than 2017-01-01, as browsers had already announced (see references) to deprecate and remove SHA-1. [[http:// | + | As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. The CA/B has advised CAs starting 2015-01-16 to issue no SHA-1 certificates with an expiration date greater than 2017-01-01, as browsers had already announced (see references) to deprecate and remove SHA-1. [[http:// |
- | ===== Proposal ===== | + | Meanwhile, PHP doesn' |
- | This RFC proposes to add a new ''" | + | As of 23rd of February 2017, [[https:// |
- | ==== Default for 5.6, 7.0 and 7.1 ==== | + | ===== Proposal ===== |
- | <code php> | + | This RFC proposes to introduce a new '' |
- | "RSA+SHA1: | + | |
- | " | + | |
- | " | + | |
- | " | + | |
- | " | + | |
- | </ | + | |
- | + | ||
- | ==== Default | + | |
- | + | ||
- | <code php> | + | |
- | " | + | |
- | " | + | |
- | " | + | |
- | " | + | |
- | </ | + | |
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
- | SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This change already happens to be almost a year late, as PHP 7.2 is expected to be released near 2017-12-01. This change | + | MD5 certificates won't be accepted any longer. |
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
- | PHP 5.6, 7.0, 7.1 and 7.2. Only 7.2 defaults | + | All supported versions should be updated to restrict the usage of MD5 certificates. All versions except |
===== RFC Impact ===== | ===== RFC Impact ===== | ||
- | None expected. | + | Browsers |
===== Future Scope ===== | ===== Future Scope ===== | ||
- | Once SHA-2 should be become obsolete, the default can be adjusted accordingly. | + | The default can be increased later should the need arise. |
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== | ||
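Review bot: the new "Backward Incompatible Changes" text, as far as it is visible here, lists only MD5 ("MD5 certificates won't be accepted any longer."), while the title is still "Distrust SHA-1 Certificates" and the removed line named the SHA-1 default change in PHP 7.2 as the break. If rejecting SHA-1 by default is still part of the proposal, state it in this section together with the version it applies to, and spell out the same per-branch behaviour under "Proposed PHP Version(s)", so that someone upgrading can tell which certificates stop validating on which branch.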
Line 69: | Line 55: | ||
* http:// | * http:// | ||
* http:// | * http:// | ||
- | |||
- | ===== Rejected Features ===== | ||
- | Keep this updated with features that were discussed on the mail lists. |
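Review bot: "Rejected Features" is deleted while it still held only the template placeholder, yet this same revision drops the earlier design from the Proposal (the removed "Default for 5.6, 7.0 and 7.1" blocks with entries such as "RSA+SHA1:"). Keep the section and record that earlier approach there with the reason it was abandoned, so the design history stays with the RFC instead of living only in the page revisions.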
rfc/distrust-sha1-certificates.1480174359.txt.gz · Last modified: 2017/09/22 13:28 (external edit)