Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:70850
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 329 invoked from network); 23 Dec 2013 09:46:34 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Dec 2013 09:46:34 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.51 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.51 mail-la0-f51.google.com  
Received: from [209.85.215.51] ([209.85.215.51:57070] helo=mail-la0-f51.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 87/93-08405-97608B25 for <internals@lists.php.net>; Mon, 23 Dec 2013 04:46:33 -0500
Received: by mail-la0-f51.google.com with SMTP id ec20so2120631lab.24
        for <internals@lists.php.net>; Mon, 23 Dec 2013 01:46:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=nxy7x5zhidNUnoq6cHEcy/V8cVtZpCcVo6PiVkHCbA0=;
        b=o8sEQWAROn3pZAtrA0u8NlDv6MI6ETkbXC9xl0sFBsqrAOE8S6T2ejnkgZsF9F40G3
         px3zfEfg8CPjz4HaTYJURGTubrhTEJCl5CjkOWtqhcRVXFPywxGHv8g3uqS6zsAK8RHr
         9ANQ9uSIaN6h+lY9WE20vpcjKnLE2lFY/2t5byAY/zGS6XEroxbWJK8L+zfK3Is9SL2K
         KdbomF9KMfkj3iB/SN1KTgUpRl+KzYXP8xoq6LElf74cWooHauA8TmDEDztUXoT8RQPT
         D+OiOTSM4V7y88plUNDZhe4+oerfwqzqMZRSxPMMFXEtMdUmi+vTo1EkOyBVkxgGQp7U
         6OkQ==
X-Received: by 10.112.161.36 with SMTP id xp4mr341602lbb.38.1387791990307;
 Mon, 23 Dec 2013 01:46:30 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.6.68 with HTTP; Mon, 23 Dec 2013 01:45:50 -0800 (PST)
In-Reply-To: <52B7FDB2.9080702@php.net>
References: <3014595E-B155-47F6-AC7B-71083D89525D@rouvenwessling.de> <52B7FDB2.9080702@php.net>
Date: Mon, 23 Dec 2013 18:45:50 +0900
X-Google-Sender-Auth: kzpNwEdLGDrK4NLoWxO8aNW4PfM
Message-ID: <CAGa2bXZkhPDNcOR9z1_3_J7nyV=dwtZNktvsFCcxiXAqCOo9Pg@mail.gmail.com>
To: Joe Watkins <krakjoe@php.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>, =?UTF-8?Q?Rouven_We=C3=9Fling?= <me@rouvenwessling.de>
Content-Type: multipart/alternative; boundary=001a11c25e509ac33d04ee3080d1
Subject: Re: [PHP-DEV] Re: [RFC] Timing attack safe string comparison function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c25e509ac33d04ee3080d1
Content-Type: text/plain; charset=UTF-8

Hi Joe,

On Mon, Dec 23, 2013 at 6:09 PM, Joe Watkins <krakjoe@php.net> wrote:

>         It might have more traction if the function were named
> password_compare or hash_compare or something similar that gives everyone
> the idea that it is not simply a string comparison function but the correct
> way to verify in particular passwords/hashes or whatever. I'd be much more
> inclined to say that's a good idea, providing a full set of tools for
> password related foo.


Good name would help for sure.
+1

Since this is new function independent from any other feature and could use
fix
vulnerability in user code, it would be better if we add this to 5.5.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c25e509ac33d04ee3080d1--