Newsgroups: php.internals
Date: Thu, 6 Feb 2014 06:24:53 +0100
From: Pierre Joye <pierre.php@gmail.com>
To: Christopher Jones
Cc: Yasuo Ohgaki, internals@lists.php.net, Rouven Weßling
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
In-Reply-To: <52F30E3B.1090302@oracle.com>
References: <9E3AA302-1EC1-4497-996F-716555CAAB64@rouvenwessling.de> <52F0139C.2060102@sugarcrm.com> <52F30E3B.1090302@oracle.com>

On Thu, Feb 6, 2014 at 5:23 AM, Christopher Jones wrote:
>
> On 2/5/14 7:56 PM, Yasuo Ohgaki wrote:
>>
>> Hi all,
>>
>> Padraic gave me another idea of additional mitigation for this.
>
>
> What's the status of the RFC?

Voting phase.

> It's listed as under voting but there
> is deep discussion still ongoing.

Yes, a request for peer review was made; that's why I asked a couple of
security-related contacts to take a look at the code. It cannot hurt.

> The RFC is very short on technical
> detail. It is also lacking an end-of-vote date.

It is one week, so let's add it :)

> It's not clear what
> the RFC's path forward is. (If this info is in a mail thread, but not
> in the RFC then remember readers/voters should not have to trawl
> internals mail to understand the proposal and its direction).
>
> Personally, I suggest the vote be closed/withdrawn with the assumption
> the concept was accepted 15 to 1. Then work on the code until a
> mutually acceptable and useful implementation is found. After that, a
> quick vote can be made on the implementation.

We do not have to overreact here; for a change, there is clear consensus
about the need or wish for this feature. It is not a trivial thing to
implement, but we have time to make it rock solid until final 5.6.0.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org
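For readers who want to see what the RFC is about in concrete terms, the following is an added example written for this page; it is not code from the RFC, from this thread, or from PHP's own hash_equals() implementation. It puts a naive early-exit string comparison next to a constant-time one and counts how many bytes each examines, so the timing leak the RFC addresses is visible without a stopwatch. The function names (naive_equals, ct_equals, ct_str_equals, the *_steps helpers) and the sample secret/guesses are this example's own constructions.

```c
/* Added example: naive vs. constant-time byte-string comparison.
 * Not the RFC's or PHP's code; all names here are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive comparison: returns at the first mismatching byte, so the number
 * of bytes examined (and therefore the running time) depends on the
 * length of the matching prefix. `steps` records bytes examined, so the
 * leak can be observed directly rather than timed. */
int naive_equals(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison of two n-byte buffers: every byte is visited,
 * mismatches are accumulated with XOR/OR, and no branch depends on the
 * data. `volatile` discourages the compiler from rewriting the loop into
 * an early-exit compare. Returns 1 when equal, 0 otherwise. */
int ct_equals(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;
    size_t i;
    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    /* Collapse diff to 0 or 1 without a data-dependent branch:
     * (diff | -diff) has its top bit set iff diff != 0. */
    return 1 ^ (((diff | (unsigned char)-diff) >> 7) & 1);
}

/* Length-aware wrapper in the shape of a hash_equals()-style API (this
 * example's own, not PHP's): strings of different length cannot be equal
 * and are rejected up front. That leaks only the length of the known
 * value, which for a fixed-size MAC or token is already public. */
int ct_str_equals(const char *known, const char *user)
{
    size_t s;
    size_t n = strlen(known);
    if (n != strlen(user))
        return 0;
    return ct_equals((const unsigned char *)known, (const unsigned char *)user, n, &s);
}

/* Helpers reporting how many bytes each routine touches for equal-length inputs. */
size_t naive_steps(const char *a, const char *b)
{
    size_t s;
    naive_equals((const unsigned char *)a, (const unsigned char *)b, strlen(a), &s);
    return s;
}

size_t ct_steps(const char *a, const char *b)
{
    size_t s;
    ct_equals((const unsigned char *)a, (const unsigned char *)b, strlen(a), &s);
    return s;
}

int main(void)
{
    /* Constructed sample: a 16-byte "secret" and guesses sharing 0, 8, 15 and 16 leading bytes. */
    const char *secret = "0123456789abcdef";
    const char *guesses[] = { "X123456789abcdef", "01234567X9abcdef",
                              "0123456789abcdeX", "0123456789abcdef" };
    size_t i;
    for (i = 0; i < 4; i++)
        printf("guess %s: naive touches %zu bytes, constant-time touches %zu, equal=%d\n",
               guesses[i], naive_steps(secret, guesses[i]), ct_steps(secret, guesses[i]),
               ct_str_equals(secret, guesses[i]));
    return 0;
}
```

The naive routine examines 1, 9, 16 and 16 bytes for the four guesses, so an attacker who can measure response time learns how many leading bytes of the secret they have right and can recover it byte by byte; the constant-time routine examines all 16 bytes every time. Whether a compiler preserves the constant-time property is a separate concern, which is one reason the message above says the implementation is not trivial to get right: the generated code, not just the C source, has to be checked.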