rfc:distrust-sha1-certificates

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

rfc:distrust-sha1-certificates [2016/11/25 11:37]
kelunik created
rfc:distrust-sha1-certificates [2017/09/22 13:28]
Line 1: Line 1:
-====== PHP RFC: Distrust SHA-1 Certificates ====== 
-  * Version: 0.1 
-  * Date: 2016-11-25 
-  * Author: Niklas Keller <me@kelunik.com> 
-  * Status: Draft 
-  * First Published at: http://wiki.php.net/rfc/distrust-sha1-certificates 
  
-===== Introduction ===== 
- 
-As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. The CA/B has advised CAs starting 2015-01-16 to issue no SHA-1 certificates with an expiration date greater than 2017-01-01, as browsers had already announced (see references) to deprecate and remove SHA-1. [[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf|NIST recommends that SHA-1 should no longer be used for digital signatures]]. Starting with Java 9, [[http://openjdk.java.net/jeps/288|Java will also no longer accept SHA-1 starting 2017-01-01 by default]]. [[http://php.net/manual/en/context.ssl.php|PHP does not even provide a context option]], yet. 
- 
-===== Proposal ===== 
- 
-This RFC proposes to add a new context option that defines the accepted hash functions. This context option defaults to accepting SHA-1 and SHA-256 in PHP 5.6, 7.0 and 7.1. Starting with PHP 7.2, this will default to SHA-256 only. 
- 
-===== Backward Incompatible Changes ===== 
- 
-SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This change already happens to be almost a year late, as PHP 7.2 is expected to be released near 2017-12-01. This change is justified by the new CA/B rules, browser changes and thus industry standards. 
- 
-===== Proposed PHP Version(s) ===== 
- 
-PHP 5.6, 7.0, 7.1 and 7.2. Only 7.2 defaults to the new behavior. 
- 
-===== RFC Impact ===== 
- 
-==== New Constants ==== 
- 
-TBD. 
- 
-===== Future Scope ===== 
- 
-Once SHA-256 should be become obsolete, the default can be adjusted accordingly. 
- 
-===== Proposed Voting Choices ===== 
- 
-Requires a 2/3 majority. 
- 
-===== Patches and Tests ===== 
- 
-TBD. 
- 
-===== Implementation ===== 
- 
-TBD. 
- 
-===== References ===== 
- 
- - https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html 
- - https://cabforum.org/pipermail/public/2015-October/006121.html 
- - https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/ 
- - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf 
- - http://openjdk.java.net/jeps/288 
- 
-===== Rejected Features ===== 
-Keep this updated with features that were discussed on the mail lists. 
rfc/distrust-sha1-certificates.txt · Last modified: 2017/09/22 13:28 (external edit)