Newsgroups: php.internals
Date: Wed, 27 Jun 2012 18:13:17 +0200
To: Gustavo Lopes
Cc: Anthony Ferrara, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: pierre.php@gmail.com (Pierre Joye)

hi,

On Wed, Jun 27, 2012 at 2:59 PM, Gustavo Lopes wrote:

> You described why people *may* have to, depending on the circumstances --
> for instance, when interoperability in mixed environments is required. No
> one is saying that relying on a default value is appropriate in those
> circumstances, so this argument misses the mark.

No, it is exactly one example out of many where changing values are a real pain to deal with over the years. We should not have one.

> If this API existed 10 or more years ago and used MD5 as a default, I don't
> see how it could not be used in a forward compatible manner back then --
> seen from the outside there's nothing different about MD5 or other digest
> method except for different parameters (which can be stored together with
> the salt and the method in the result of password_hash()) and digest size.
> And, unsurprisingly, you have no justification on why it could not be made
> forward compatible.

Changing default value forces code change if you have to keep a given hash, for one obvious side effect. If you disagree or do not like the idea, that's all fine, but you can't really say that it is not an argument (nothing to justify, this is a draft and it is being discussed).

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
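The two positions argued in this message, side by side, as an added example that is not part of the original thread: it uses the `password_*` functions as they later shipped in PHP 5.5, and the helper names, cost values and sample password are constructed for illustration.

```php
<?php
// Added illustration; helper names, costs and the password are constructed.

// Interop case: another system must keep reading these hashes, so the
// algorithm and cost are pinned and never follow PASSWORD_DEFAULT.
const PINNED_ALGO = PASSWORD_BCRYPT;
const PINNED_OPTS = ['cost' => 10];

function store_pinned(string $password): string
{
    return password_hash($password, PINNED_ALGO, PINNED_OPTS);
}

// Default-following case: the stored string names its own method, cost
// and salt, so verification needs no configuration. The hash is only
// regenerated when it no longer matches the current default.
function login_following_default(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'hash' => $stored, 'rehashed' => false];
    }
    $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    if ($rehash) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return ['ok' => true, 'hash' => $stored, 'rehashed' => $rehash];
}

$password = 'correct horse battery staple'; // constructed sample

// Stand-in for a hash written under an older, weaker default (cost 4).
$legacy = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
$info = password_get_info($legacy);
echo "legacy hash declares: {$info['algoName']}, cost {$info['options']['cost']}\n";

$result = login_following_default($password, $legacy);
echo 'verified: ' . var_export($result['ok'], true)
    . ', rehashed to current default: ' . var_export($result['rehashed'], true) . "\n";

// A pinned hash is checked against the pinned parameters, so a change of
// PASSWORD_DEFAULT never flags it, and it stays readable by the peer system.
$pinned = store_pinned($password);
echo 'pinned hash needs rehash against pinned settings: '
    . var_export(password_needs_rehash($pinned, PINNED_ALGO, PINNED_OPTS), true) . "\n";
```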