Forbid SHA-1 digests as part of RFC 9904 changes #3069
3196c22 to 52a2031
CydeWeys left a comment
@CydeWeys made 2 comments.
Reviewable status: 0 of 25 files reviewed, 2 unresolved discussions (waiting on gbrodman).
core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java line 379 at r1 (raw file):
```java
}

public static boolean algorithmIsInvalid(int alg) {
```
Curious as to why this was inverted?
core/src/main/java/google/registry/tools/DigestType.java line 32 at r1 (raw file):
```java
 */
public enum DigestType {
  // Algorithm number 1 is SHA-1 and is deliberately NOT SUPPORTED.
```
We need to lock this change behind a FeatureFlag and send out notification 30 days ahead of time.
gbrodman left a comment
@gbrodman made 2 comments.
Reviewable status: 0 of 25 files reviewed, 2 unresolved discussions (waiting on CydeWeys).
core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java line 379 at r1 (raw file):
Previously, CydeWeys (Ben McIlwain) wrote…
Curious as to why this was inverted?
Suggested by IDEA, because all calls to it were immediately inverted.
core/src/main/java/google/registry/tools/DigestType.java line 32 at r1 (raw file):
Previously, CydeWeys (Ben McIlwain) wrote…
We need to lock this change behind a FeatureFlag and send out notification 30 days ahead of time.
Done. We'll use the same feature flag for the algorithms too.
We can't change digest types that are already in the database but that's fine (since we just store them as integers). But we forbid them as part of domain creates/updates.
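The write-time rule described in the comment above, as an added example that is not part of this PR or of the project's code: stored DS rows still load, while creates/updates reject digest type 1 once a flag is on. Every class, method and flag name is hypothetical, the sample digests are constructed, and the sketch covers digest types only, not the algorithm check that shares the flag.

```java
import java.util.HexFormat;
import java.util.Map;

/** Added illustration; every name here is hypothetical, not the project's API. */
public class DsDigestWriteCheck {
  static final int SHA1 = 1;
  // DS digest type number -> digest length in bytes (1=SHA-1, 2=SHA-256, 4=SHA-384).
  static final Map<Integer, Integer> DIGEST_LENGTHS = Map.of(SHA1, 20, 2, 32, 4, 48);

  record DsData(int keyTag, int algorithm, int digestType, String digestHex) {}

  /** Write path (create/update): returns null if acceptable, else the rejection reason. */
  static String rejectReason(DsData ds, boolean sha1Forbidden) {
    Integer expectedLength = DIGEST_LENGTHS.get(ds.digestType());
    if (expectedLength == null) {
      return "unknown digest type " + ds.digestType();
    }
    if (sha1Forbidden && ds.digestType() == SHA1) {
      return "SHA-1 digests are not accepted on create/update";
    }
    try {
      int actual = HexFormat.of().parseHex(ds.digestHex()).length;
      return actual == expectedLength ? null
          : "digest is " + actual + " bytes, expected " + expectedLength;
    } catch (IllegalArgumentException e) {
      return "digest is not valid hex";
    }
  }

  /** Read path: the type is stored as a plain integer, so legacy rows load unchecked. */
  static DsData loadStored(int keyTag, int algorithm, int digestType, String digestHex) {
    return new DsData(keyTag, algorithm, digestType, digestHex);
  }

  public static void main(String[] args) {
    // Constructed sample records; the digests are filler bytes, not real key hashes.
    DsData sha1 = loadStored(12345, 13, SHA1, "ab".repeat(20));
    DsData sha256 = new DsData(12345, 13, 2, "cd".repeat(32));
    for (boolean flag : new boolean[] {false, true}) {
      System.out.println("flag=" + flag + " sha1 -> " + rejectReason(sha1, flag));
      System.out.println("flag=" + flag + " sha256 -> " + rejectReason(sha256, flag));
    }
    // A stored SHA-1 row stays readable after the flag flips; only resubmitting it fails.
    System.out.println("stored row still loads: " + sha1);
  }
}
```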