Newsgroups: php.internals
Xref: news.php.net php.internals:103321
Date: Tue, 16 Oct 2018 07:48:33 -0500
From: pollita@php.net (Sara Golemon)
To: PHP internals
Subject: Password Digest Registry

Opening https://wiki.php.net/rfc/password_registry for discussion. It's all in the elevator pitch, but the TL;DR is to make password_hash()/password_verify() into a more easily extensible API for multiple hashing mechanisms.
Critically, this would allow us to include new library-dependent mechanisms (such as those found in libsodium and libhydrogen) without actually forcing a library dependency on the core build.

I don't consider the current internal API proposal fixed; particularly, I'm not too keen on the algorithm identification. What I've presented is a callback for a mechanism to say "Yes, I can verify that signature", but this means we must ask all mechanisms. A more direct means might involve "search for /^\$mechanismName\$/", but not only is this already insufficient for bcrypt (identified by $2y$), but it'll probably be worse later on.

If anyone has better ideas here, I'm totes open.

-Sara
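The two identification strategies Sara contrasts, shown as an added userland sketch that is not part of the RFC, the mail, or PHP's actual internal API. The `PasswordMechanism` interface, the `PasswordRegistry` class and the `$pbkdf2-sha256$iter$salt$dk` digest layout of the second mechanism are all assumptions made for this illustration; only `password_hash()`, `password_verify()`, `hash_pbkdf2()` and `hash_equals()` are real PHP functions.

```php
<?php
declare(strict_types=1);

// Hypothetical registry interface (assumption for this example, not the RFC's C API).
interface PasswordMechanism
{
    public function name(): string;                 // registration name, e.g. "bcrypt"
    public function canVerify(string $digest): bool; // the callback form: "yes, I can verify that"
    public function hash(string $password, array $options = []): string;
    public function verify(string $password, string $digest): bool;
}

final class BcryptMechanism implements PasswordMechanism
{
    public function name(): string { return 'bcrypt'; }
    public function canVerify(string $digest): bool
    {
        // bcrypt digests carry the crypt() identifier "$2y$", never the name "bcrypt".
        return (bool) preg_match('/^\$2y\$\d{2}\$/', $digest);
    }
    public function hash(string $password, array $options = []): string
    {
        return password_hash($password, PASSWORD_BCRYPT, $options);
    }
    public function verify(string $password, string $digest): bool
    {
        return password_verify($password, $digest);
    }
}

// Constructed second mechanism whose digest prefix does equal its name,
// so the "$mechanismName$" lookup works for it. Layout is invented for the demo.
final class Pbkdf2Mechanism implements PasswordMechanism
{
    public function name(): string { return 'pbkdf2-sha256'; }
    public function canVerify(string $digest): bool
    {
        return strncmp($digest, '$pbkdf2-sha256$', 15) === 0;
    }
    public function hash(string $password, array $options = []): string
    {
        $iter = (int) ($options['iterations'] ?? 100000);
        $salt = random_bytes(16);
        $dk   = hash_pbkdf2('sha256', $password, $salt, $iter, 32, true);
        return sprintf('$pbkdf2-sha256$%d$%s$%s', $iter, base64_encode($salt), base64_encode($dk));
    }
    public function verify(string $password, string $digest): bool
    {
        $parts = explode('$', $digest);             // ['', name, iter, salt, dk]
        if (count($parts) !== 5 || $parts[1] !== 'pbkdf2-sha256') {
            return false;
        }
        $iter = (int) $parts[2];
        $salt = base64_decode($parts[3], true);
        $dk   = base64_decode($parts[4], true);
        if ($iter < 1 || $salt === false || $dk === false) {
            return false;
        }
        $calc = hash_pbkdf2('sha256', $password, $salt, $iter, strlen($dk), true);
        return hash_equals($dk, $calc);             // constant-time comparison
    }
}

final class PasswordRegistry
{
    /** @var PasswordMechanism[] keyed by mechanism name */
    private $mechanisms = [];

    public function register(PasswordMechanism $m): void
    {
        $this->mechanisms[$m->name()] = $m;
    }

    public function hash(string $name, string $password, array $options = []): string
    {
        if (!isset($this->mechanisms[$name])) {
            throw new InvalidArgumentException("unknown mechanism: $name");
        }
        return $this->mechanisms[$name]->hash($password, $options);
    }

    // Strategy A (the RFC draft): ask every registered mechanism in turn.
    public function verifyByCallback(string $password, string $digest): bool
    {
        foreach ($this->mechanisms as $m) {
            if ($m->canVerify($digest)) {
                return $m->verify($password, $digest);
            }
        }
        return false; // unrecognised digest format: fail closed
    }

    // Strategy B (the alternative in the mail): look for "$<mechanismName>$" up front.
    public function verifyByPrefix(string $password, string $digest): bool
    {
        foreach ($this->mechanisms as $name => $m) {
            if (preg_match('/^\$' . preg_quote($name, '/') . '\$/', $digest)) {
                return $m->verify($password, $digest);
            }
        }
        return false;
    }
}

$registry = new PasswordRegistry();
$registry->register(new BcryptMechanism());
$registry->register(new Pbkdf2Mechanism());

$pw     = 'correct horse battery staple';        // constructed sample input
$bcrypt = $registry->hash('bcrypt', $pw, ['cost' => 10]);
$pbkdf2 = $registry->hash('pbkdf2-sha256', $pw);

var_dump($registry->verifyByCallback($pw, $bcrypt));
var_dump($registry->verifyByCallback($pw, $pbkdf2));
var_dump($registry->verifyByPrefix($pw, $pbkdf2));
var_dump($registry->verifyByPrefix($pw, $bcrypt));
```

Running it makes the objection from the mail concrete: the callback strategy verifies both digests, and the prefix strategy verifies the constructed PBKDF2 digest because its string starts with its registered name, but it rejects the bcrypt digest, which starts with `$2y$` and so never matches `/^\$bcrypt\$/`. Any name-to-prefix scheme therefore needs a per-mechanism identifier table (or the callback) rather than relying on the registration name, and whichever lookup is chosen should fail closed on a digest no mechanism claims.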