Newsgroups: php.internals
Date: Tue, 3 Jul 2012 17:24:47 -0400
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Richard Lynch, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API

Richard,

> There is also the case of an app that simply shouldn't run with the
> single default, but could pick and choose a suitable algorithm from a
> list of defaults, while still honoring whatever is in the .ini file
> instead of going rogue with some other algorithm.

I disagree there. I think that's up to the application to decide. A list of defaults does nothing but needlessly complicate the implementation. How is the hash function supposed to determine which of the list of defaults to use? Let the application layer choose, and pass it in.

The current PASSWORD_DEFAULT lives for the sole reason that it auto-updates to indicate the most secure algorithm available.

Anthony
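
An added example, not part of the original message or of the RFC: a sketch of the split described above, where the application layer picks the algorithm and passes it in, and PASSWORD_DEFAULT is only the fallback. It uses the password_* functions as shipped in PHP 5.5 and later (syntax needs PHP 7.1+); choose_algo(), hash_password(), verify_and_upgrade() and the $policy list are hypothetical names, and the password is a constructed sample.

```php
<?php
// Application-owned preference list (hypothetical): constant name + options.
// The hashing API never sees this list, only the one algorithm chosen from it.
$policy = [
    ['PASSWORD_ARGON2ID', []],            // only defined if PHP was built with Argon2
    ['PASSWORD_BCRYPT',   ['cost' => 12]],
];

// Pick the first algorithm from the application's list that this build supports.
function choose_algo(array $policy): array
{
    foreach ($policy as [$constName, $options]) {
        if (defined($constName)) {
            return [constant($constName), $options];
        }
    }
    // Nothing on the list is available: fall back to the auto-updating default.
    return [PASSWORD_DEFAULT, []];
}

function hash_password(string $password, array $policy): string
{
    [$algo, $options] = choose_algo($policy);
    return password_hash($password, $algo, $options);
}

// Verify a login and, if the stored hash no longer matches the current
// choice (algorithm or cost changed), return a replacement hash to store.
function verify_and_upgrade(string $password, string $stored, array $policy): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    [$algo, $options] = choose_algo($policy);
    if (password_needs_rehash($stored, $algo, $options)) {
        $stored = password_hash($password, $algo, $options);
    }
    return [true, $stored];
}

// Constructed sample: an older hash made with a lower bcrypt cost.
$old = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $new] = verify_and_upgrade('constructed-sample-password', $old, $policy);

var_dump($ok);                                  // login result
var_dump($new !== $old);                        // hash was upgraded to current policy
var_dump(password_get_info($new)['algoName']);  // algorithm now in use
```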