What deprecation/removal timelines did you have in mind? On Fri, Jul 8, 2022 at 6:31 PM Emily Stark <[email protected]> wrote:
> Contact [email protected] > > ExplainerNone > > Specificationhttps://datatracker.ietf.org/doc/rfc9163 > > Summary > > Expect-CT is an HTTP header that allowed websites to opt in to Certificate > Transparency enforcement before it was enforced by default. It also has > reporting functionality to help developers discover CT misconfigurations. > > > Blink componentInternals>Network>DomainSecurityPolicy > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3EDomainSecurityPolicy> > > Motivation > > Expect-CT was designed to help transition to universal Certificate > Transparency (CT) enforcement, by allowing high-value websites to opt in to > CT enforcement/reporting for better security before CT enforcement was > required (by Chrome) on all public websites. However, Expect-CT has now > outlived its usefulness. Chrome requires CT on all public websites now, so > there is no security value to Expect-CT anymore. Expect-CT was also > designed to help site owners discover CT-related misconfigurations; > however, now that CT is universally required, CT is generally configured in > websites' certificates by certificate authorities and virtually never > configured by individual site owners, thus Expect-CT has very limited value > as a misconfiguration/debugging tool anymore either. No other browser has > implemented Expect-CT so removing it is not an interoperability concern. > > > Initial public proposal > https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ > > TAG reviewn/a > > TAG review statusNot applicable > > Risks > > > Interoperability and Compatibility > > > No other browser has implemented Expect-CT or given signals that they > intend to (to my knowledge). Expect-CT is not user-visible so removing the > feature has no compatibility risk. Developers who are currently sending the > header should stop doing so just to save the bytes on the wire. > > While the header is served on a large percent of requests (~6%), this is > likely due to a small number of large providers that can be informed of the > deprecation via 1:1 outreach. > Are you planning to wait for usage to drop as a result of this outreach? Or are you fairly confident that removing will not break content due to some weird server side reliance on the header? > As described above, the header serves no security value any longer, > removing it will have no user-visible effects, and the header provides > extremely minimal debugging value to developers since developers are no > longer responsible for serving their own CT information (100.00% of > requests serve CT information directly embedded in the certificate, which > developers are not responsible for configuring). > > *Gecko*: No signal > > *WebKit*: No signal > > *Web developers*: No signals > > *Other signals*: > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > > > Debuggability > > We'll add a console message informing developers that the header will/has > no effect and they should remove it. > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ?No > > Flag name > > Requires code in //chrome?False > > Estimated milestones > > No milestones specified > > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/6244547273687040 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfUPfNL_F4e%2BB%2BPnNjVQo_0N%3DHjDVq%2BsdQWHyQ0AK8xcsA%40mail.gmail.com.
