Newsgroups: php.internals
Date: Wed, 05 Feb 2014 20:23:23 -0800
From: christopher.jones@oracle.com (Christopher Jones)
To: Yasuo Ohgaki, internals@lists.php.net, me@rouvenwessling.de
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function

On 2/5/14 7:56 PM, Yasuo Ohgaki wrote:
> Hi all,
>
> Padraic gave me another idea of additional mitigation for this.

What's the status of the RFC? It's listed as under voting but there is deep discussion still ongoing.

The RFC is very short on technical detail. It is also lacking an end-of-vote date. It's not clear what the RFC's path forward is. (If this info is in a mail thread, but not in the RFC, then remember readers/voters should not have to trawl internals mail to understand the proposal and its direction).

Personally, I suggest the vote be closed/withdrawn with the assumption the concept was accepted 15 to 1. Then work on the code until a mutually acceptable and useful implementation is found. After that, a quick vote can be made on the implementation.

Chris

--
christopher.jones@oracle.com http://twitter.com/ghrd
Free PHP & Oracle book: http://www.oracle.com/technetwork/topics/php/underground-php-oracle-manual-098250.html