Newsgroups: php.internals
From: glopes@nebm.ist.utl.pt ("Gustavo Lopes")
To: "Pierre Joye"
Cc: "Anthony Ferrara", internals@lists.php.net
Date: Wed, 27 Jun 2012 14:59:51 +0200
Organization: Núcleo de Eng. Biomédica do I.S.T.
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API

On Wed, 27 Jun 2012 14:43:35 +0200, Pierre Joye wrote:

> On Wed, Jun 27, 2012 at 2:32 PM, Gustavo Lopes wrote:
>> On Wed, 27 Jun 2012 14:24:39 +0200, Anthony Ferrara wrote:
>>
>>
>> I don't see any advantage in adding complexity through another level of
>> indirection. If people want control over the default their application
>> uses, they can just use a constant they define.
>
> And people will have to, as I described it earlier, and see below.

You described why people *may* have to, depending on the circumstances -- for instance, when interoperability in mixed environments is required. No one is saying that relying on a default value is appropriate in those circumstances, so this argument misses the mark.

>> That said, I think the default algorithm should provide sufficient
>> guarantees to enable it to be used in a forward compatible fashion.
>
> Back then MD5 alone was all nice and shiny. So no, it is not possible
> to be forward compatible.

If this API existed 10 or more years ago and used MD5 as a default, I don't see how it could not be used in a forward compatible manner back then -- seen from the outside there's nothing different about MD5 or other digest method except for different parameters (which can be stored together with the salt and the method in the result of password_hash()) and digest size.

And, unsurprisingly, you have no justification on why it could not be made forward compatible.

-- 
Gustavo Lopes
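
Added example, not part of the original message or of the draft RFC: the forward-compatibility point above, shown with the password API as it later shipped in PHP 5.5 (`password_hash()`, `password_get_info()`, `password_verify()`, `password_needs_rehash()`). The `login()` helper, the two policies and the sample password are constructed for illustration, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Constructed sample input; not taken from the thread.
$password = 'correct horse battery staple';

// Hypothetical policies: what the application used when the account was
// created, and what it (or the library default) uses after an upgrade.
$oldPolicy = ['algo' => PASSWORD_BCRYPT, 'options' => ['cost' => 10]];
$newPolicy = ['algo' => PASSWORD_BCRYPT, 'options' => ['cost' => 12]];

$stored = password_hash($password, $oldPolicy['algo'], $oldPolicy['options']);

// The method, its parameters and the salt all travel inside the stored string.
$info = password_get_info($stored);
printf("stored: %s\nalgo: %s, cost: %d\n",
    $stored, $info['algoName'], $info['options']['cost']);

/**
 * Hypothetical login helper: verify against whatever scheme the stored hash
 * declares, then upgrade the hash if it no longer matches current policy.
 * Returns [bool $authenticated, string $hashToPersist].
 */
function login(string $password, string $stored, array $policy): array
{
    // Algorithm, cost and salt are read from $stored, never from $policy,
    // so a changed default cannot invalidate existing records.
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    // The plaintext is only available at login, so this is the one point
    // where an old record can be moved to the new parameters.
    if (password_needs_rehash($stored, $policy['algo'], $policy['options'])) {
        $stored = password_hash($password, $policy['algo'], $policy['options']);
    }
    return [true, $stored];
}

// Old hash, new policy: still authenticates, and comes back upgraded.
[$ok, $upgraded] = login($password, $stored, $newPolicy);
var_dump($ok);                                                  // bool(true)
var_dump(password_get_info($upgraded)['options']['cost']);      // int(12)
var_dump(password_needs_rehash($upgraded,
    $newPolicy['algo'], $newPolicy['options']));                // bool(false)

// A wrong password fails and leaves the stored record untouched.
[$bad, $unchanged] = login('wrong guess', $stored, $newPolicy);
var_dump($bad, $unchanged === $stored);                         // bool(false), bool(true)
```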