Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:61082 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 79974 invoked from network); 3 Jul 2012 12:38:10 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Jul 2012 12:38:10 -0000 Authentication-Results: pb1.pair.com header.from=ircmaxell@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=ircmaxell@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.42 as permitted sender) X-PHP-List-Original-Sender: ircmaxell@gmail.com X-Host-Fingerprint: 209.85.216.42 mail-qa0-f42.google.com Received: from [209.85.216.42] ([209.85.216.42:63442] helo=mail-qa0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4F/A6-42839-2B7E2FF4 for ; Tue, 03 Jul 2012 08:38:10 -0400 Received: by qafi31 with SMTP id i31so2782400qaf.8 for ; Tue, 03 Jul 2012 05:38:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Kb3VUufE7pG0wKFgwd7hUB+32buZG6XQH6T5Yg5kHuk=; b=o6EL4c7v4ICsxuBS8pUzIHFjP+fay4z9b2YLWmSNYMHpuejK5kZqOEmY/h7ggf+wji zm93bBG5kpGqVGA7qbTw8ztEmKhHNMdJu8MbFHps2GIQ7FDOx7+MIYkN2u8htMjI+Y94 T2A2sSRLiiVyWd0sImdPKVFbiODh+ItC2rFTjqposCytYRZY4ISJ+bscYX72HjueMRyK 7smiZ5ImhoMdEGIbq8s4PXmVz9xyQ2XvURSuAb8hI1y5BExFnI0FVyOwsOw7b23U8sks y+fIcydHd8vMD4BcB40D5FiAen5dGmockVQiIj4Koj3XZTrAy/o2/WrwBMV7oys72gCX TjRQ== MIME-Version: 1.0 Received: by 10.229.112.31 with SMTP id u31mr8786997qcp.31.1341319088025; Tue, 03 Jul 2012 05:38:08 -0700 (PDT) Received: by 10.229.232.11 with HTTP; Tue, 3 Jul 2012 05:38:07 -0700 (PDT) In-Reply-To: References: Date: Tue, 3 Jul 2012 08:38:07 -0400 Message-ID: To: Pierre Joye Cc: Gustavo Lopes , Simon Schick , internals@lists.php.net Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API From: ircmaxell@gmail.com (Anthony Ferrara) Pierre, >> I know you didn't like PASSWORD_MOST_SECURE. So what about keeping >> PASSWORD_DEFAULT as a moving target, documented, and just making the >> second parameter (algo) to password_hash required? That way users >> could choose between PASSWORD_BCRYPT and PASSWORD_DEFAULT. >> >> That way, over time, PASSWORD_DEFAULT could be updated, and it would >> be documented that it would change. But it would require them to >> understand that it could change... >> >> Would that satisfy your issues? > > Yes. > > Using this constant name and clearly document its changing nature is > fine. The argument being required fully solves my worry about optional > argument with changing default value. I've implemented this in my branch. I've also updated the RFC to indicate such (we may want to expand it a little bit, but it should suffice for now). I've also added a bit to the RFC about a policy for updating the default constant over time. (Indicating for a non-security release, changing the default must be done via an RFC, how long the algorithm must be available before being eligible for default, etc). > Thanks for your efforts and work! Absolutely! Thanks, Anthony