rfc:distrust-sha1-certificates

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Last revisionBoth sides next revision
rfc:distrust-sha1-certificates [2017/05/29 10:54] – update to new mechanism kelunikrfc:distrust-sha1-certificates [2017/05/29 10:56] – fix another typo kelunik
Line 18: Line 18:
 ===== Proposal ===== ===== Proposal =====
  
-This RFC proposes to introduce a new ''"min_signature_bits"'' context option to restrict the accepted certificate message digests. The RFC proposes to set this option to ''128'' (accepting SHA2 and better) by default, allowing ''80'' (accepting also SHA1) to be set for legacy applications, but it is strongly advised doing so. This setting will be applied to all certificates that are not in the trust store.+This RFC proposes to introduce a new ''"min_signature_bits"'' context option to restrict the accepted certificate message digests. The RFC proposes to set this option to ''128'' (accepting SHA2 and better) by default, allowing ''80'' (accepting also SHA1) to be set for legacy applications, but this is strongly discouraged. This setting will be applied to all certificates that are not in the trust store.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-MD5 certificates won'any longer be accepted. SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This break is intentional and is in line with the CA/B rules and major browser policies.+MD5 certificates won't be accepted any longer. SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This break is intentional and is in line with the CA/B rules and major browser policies.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
Line 30: Line 30:
 ===== RFC Impact ===== ===== RFC Impact =====
  
-Browsers start on 2017-01-01 with no longer accepting SHA-1 certificates, tooImpact is expected to be rather low. People in need of SHA-1 certificates, e.g. for private CAs, can set the mentioned context option to ''80'' to get the previous behavior (except for MD5 not being accepted), but are strongly discouraged to do so. It is explicitly not possible to set this value lower than 80. There's no option to enable MD5.+Browsers started on 2017-01-01 with no longer accepting SHA-1 certificates. The impact is expected to be rather low. People in need of SHA-1 certificates, e.g. for private CAs, can set the mentioned context option to ''80'' to get the previous behavior (except for MD5 not being accepted), but are strongly discouraged to do so. It is explicitly not possible to set this value lower than 80. There's no option to enable MD5.
  
 ===== Future Scope ===== ===== Future Scope =====
rfc/distrust-sha1-certificates.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1