Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124594 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 4E0C51A00B7 for ; Thu, 25 Jul 2024 22:00:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1721944949; bh=+/6wqKUmE5OM+jck+HRtPojMrcK5GiU67BZvuF0ZYJE=; h=Subject:From:To:Date:In-Reply-To:References:From; b=KNFj9bdg4c7cJz8nPSzUZtv/WZv6dEZXJwtWeZoPtEhIQoANUuZPvf92bODzQJV5R Qmx4fyS5F1+aKthJZdSjhSkVEMcA0Z+700i8RVJpZV4wen8lc7C1zT103qfbFLNPCP 46j04U6ki8cZvKGDMF+qWajmxu0261az4/eVvhoIWnGtdmYLkGmZTA8ZnhCawLbGOg MPVbBJ2nXwzAu4Berb53U3xpzOPLv07BKfIL0xONo2E79ZSCko51dHJfuXVIiEtRWW 20A6dw0mSOpeYYGreKN7nLGV3koAe571WmDT4W6NKuMjexzklDW3QDelVuS9N7Y4Aa OuR7X8GJ1FoPA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 7C62618007A for ; Thu, 25 Jul 2024 22:02:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_PASS, SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from ageofdream.com (ageofdream.com [45.33.21.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 25 Jul 2024 22:02:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ageofdream.com; s=ageofdream; t=1721944851; bh=+/6wqKUmE5OM+jck+HRtPojMrcK5GiU67BZvuF0ZYJE=; h=Subject:From:To:Date:In-Reply-To:References:From; b=p2qga8d/IZNTM8qqnpUB/cohE3oObE7bpZLCRZI9PcKBUaznzJdDpN6l9aRzuEODj wYwZnZzc47xS7XHiuZ7kjK5H8oRrW6MgS5WMb+yxfEybt+EaxjXMinPaAchQEbiT5B KZ/RyVPhrnu8oPzwoYMsuiAozI8x+84Eep4MQoltSuaMUOX3LkGzmeycZh7KSoZhU0 5rP/x4IxnMLvjnULoXFzOEvGssxLOdG2mFpz2yE9idFWHfvfKmtZSM0tWYg5E/w0CX I3QQUSc6dVnjWJcg6V11AEj0BR+8VS0gwEfM26ktLbnEDyGgVf0963kjpVUwXUl171 qYFlLM+zKGR6A== Received: from [192.168.1.7] (231.subnet-69-85-112.ellijay.com [69.85.112.231]) by ageofdream.com (Postfix) with ESMTPSA id DF7EF27991 for ; Thu, 25 Jul 2024 18:00:51 -0400 (EDT) Message-ID: <9041cba85d6439682bb44fcb29210c944dbe3911.camel@ageofdream.com> Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4 To: internals@lists.php.net Date: Thu, 25 Jul 2024 18:00:51 -0400 In-Reply-To: References: <1a88918e-e808-d778-45e1-53797660e093@php.net> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 From: lists@ageofdream.com (Nick Lockheart) On Thu, 2024-07-25 at 22:34 +0100, Rowan Tommins [IMSoP] wrote: > On 24/07/2024 23:01, Morgan wrote: > > And they would still be available as hash("md5") and hash("sha1"); > > the=20 > > only reason they're called out as their own distinct functions > > today=20 > > is historical inertia.=20 >=20 >=20 > I don't agree that the reasons for including standalone functions are > "historical". The RFC itself gives a good reason for having such > functions: >=20 > =C2=A0> Unfortunately these cryptographically secure hash functions are > only=20 > available by means of the generic hash() function ... making using > them=20 > more verbose and thus seemingly more complicated >=20 >=20 > Rather than force people to use functions that we acknowledge are > hard=20 > to use, surely the logical thing is to make the "right" code *easy* > to use? >=20 > Which means if we want people to use SHA-256, let's add a sha256()=20 > function to make it easy. >=20 >=20 > This is what password_hash() and password_verify() did right: the=20 > functionality was already there in crypt(), but it's hard to use, and > harder to use correctly. Providing clearer functions, even though > they=20 > do the same thing, helps new developers "fall into the pit of > success". >=20 > The hash() function isn't quite as confusing as crypt(), but > according=20 > to the manual, it currently supports 60 different algorithms, most of > which I have never heard of. I'm aware that "sha256" is better than=20 > "sha1", but should I be aiming higher, and using "sha384", or maybe > one=20 > of the four flavours of "sha3"? Then there's the fun-sounding=20 > "whirlpool", the faintly rude-sounding "snefru", and a bewildering=20 > fifteen flavours of "haval". >=20 > A new user being told "don't use sha1(), use hash() and pick from > this=20 > list" is more likely to say "ah, there's=C2=A0sha1, jolly good" than spen= d > an=20 > afternoon reading cryptography journals. There's no pit of success to > fall into. >=20 >=20 > Regards, >=20 That's a good point. What if there were crypto functions that worked like password_hash() in that they had one generic function name, but magically used the new/better "best practice" algorithms as time went by without the need to update any calling code? Maybe there should be three generic-named functions: fast_hash() // not secure, makes UIDs quickly secure_hash() // uses best practice one-way hash algo secure_crypt() // uses best practice reversible encryption. Then the developer signals their *intent* by choosing a function name, and the algorithm magically works underneath (perhaps with the option of an ini override to make those functions work in different environments).