Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87592
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 15423 invoked from network); 4 Aug 2015 07:23:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Aug 2015 07:23:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.46 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.220.46 mail-pa0-f46.google.com  
Received: from [209.85.220.46] ([209.85.220.46:36246] helo=mail-pa0-f46.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 6D/34-11948-D6860C55 for <internals@lists.php.net>; Tue, 04 Aug 2015 03:23:26 -0400
Received: by pacgq8 with SMTP id gq8so1477212pac.3
        for <internals@lists.php.net>; Tue, 04 Aug 2015 00:23:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-type:content-transfer-encoding;
        bh=zrwEPPfVj5unsqaRGyUTwpL3flDkyt0PKdL+c3DUKBA=;
        b=Lrd+VYfZzT0jnfMiPDiCwYSMp8YGWGt9ixMTv5TzsMLH6HR68OFFYWA2aMjC5CMZP3
         aulC6eRGeR10VFyufWHFvmzzwCjlE4hJ9fS8EZD0DvUQgwsSNJKx+jfC3pxG8pLHSBu9
         OYjS7gcEsIPY6LgnivJZdS5PSXO5GNkoGo2RX5PP1NnQBju8iT9tXa++Tt06n5wKKVF5
         j4Q4EIROOu4i8DdYF8xmjbv5tZ8kXef/QZ7T+bXITL00I122afOxV2tPzlkBmShx/6pP
         /PSCj0oYoETTFFYRBMUgtKVG+3I+WcO86/ST6xsWMUVp6LG5UnP/c8ctOAWB0FjNlNyD
         kBjA==
X-Received: by 10.66.119.239 with SMTP id kx15mr4917846pab.156.1438673002928;
        Tue, 04 Aug 2015 00:23:22 -0700 (PDT)
Received: from Stas-Air.local (108-66-6-48.lightspeed.sntcca.sbcglobal.net. [108.66.6.48])
        by smtp.gmail.com with ESMTPSA id 2sm269607pdw.22.2015.08.04.00.23.21
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 04 Aug 2015 00:23:22 -0700 (PDT)
To: Scott Arciszewski <scott@paragonie.com>,
 PHP Internals <internals@lists.php.net>
References: <CAKws9z1fatmSR2YLaeBn0zVv-s3iwCj7OUKjW949QC0L_VndpA@mail.gmail.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <55C0685E.2070202@gmail.com>
Date: Tue, 4 Aug 2015 00:23:10 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0)
 Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <CAKws9z1fatmSR2YLaeBn0zVv-s3iwCj7OUKjW949QC0L_VndpA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] PHP 7.1 Cryptography Projects
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> 1. Pluggable Cryptography Frontend
> 
> Work is currently underway for a PHP prototype for this idea
> originally suggested by ircmaxell, that will basically be like PDO for
> cryptography. Our current project name, subject to change, is PHP
> Crypto Objects (PCO).

It would be nice to see full RFC (or other extensively documented
proposal) about this. I like the idea, though I wonder isn't mcrypt
essentially doing the same? It would be nice to see the description of
the added value provided over mcrypt, openssl, etc. extensions.

> 2. Cache-timing-safe character encoding functions
> 
> Alternatives for existing functions that should function like their
> unsafe counterparts, but without branches or data-based index lookups.
> 
> * hex2bin() -> hex2bin_ts()
> * bin2hex() -> bin2hex_ts()
> * base64_encode() -> base64_encode_ts()
> * base64_decode() -> base64_decode_ts()

Why specifically these functions? It would be nice to hear rationale for
this.

> * Improving the OpenSSL API, or at least the documentation

Improving documentation is always a worthy goal!

> * Adding streaming encryption/decryption support to OpenSSL

Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.

> What I need from you is guidance on what features or changes you want
> to see in 7.1 and which can be put off until later (or never proposed
> as an RFC at all).
> 
> Seriously, all I need is your opinion and whether or not you'd like to
> see any of these happen. If you have specific implementation details
> you'd like to discuss or requests, of course those are welcome too. :D

I think it'd be nice to see more details on the proposal. I.e.
"improving OpenSSL API" - how? PCO - great, but what API would it offer
and how that API is better than what we have now? The idea of making
crypto easier is great, but if we want to make specific plans as of
which features we want, we need more detailed proposals I think.

-- 
Stas Malyshev
smalyshev@gmail.com