Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90458 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 26788 invoked from network); 10 Jan 2016 19:56:07 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 Jan 2016 19:56:07 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.50 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.50 mail-wm0-f50.google.com Received: from [74.125.82.50] ([74.125.82.50:36548] helo=mail-wm0-f50.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 07/DE-14657-657B2965 for ; Sun, 10 Jan 2016 14:56:06 -0500 Received: by mail-wm0-f50.google.com with SMTP id l65so188951628wmf.1 for ; Sun, 10 Jan 2016 11:56:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=FkjZO3RQT1wrGOniw9EsNVAzH8YdvUSFdbvhp78a6qU=; b=jDaLxmJ7gXaE0VyZBCQSalLTZWxJ4OH4efIlYsmzBbluPmslFgSRyLDZe3GuKKePv9 Crfkb9nL8eiHbGm4AyQHFDRMr4Kra/K+rx3PYOzLHJ6wfhYjO/EjbTcbL/cCWpWqGAnx ebtfMrWWofw+1MQLofgFDrf0JzFs2vqf1OmUGzfxApiWkyuTKTR8Mipg4lIG6/rbWGUW fLlfY/PSr2Qm+kdu7G0iXJyHrfZTQ1eiofks7AdPeT5pDWV8CdtuT0Cb+ehEaNRM8Ec6 UIPZi1mQE1GoFbJ2hQ+ucsUJlX5/AI8MtGh8AjTjVbQrebShamUW1vHtFr1arySqWfPO LrEw== X-Received: by 10.194.79.37 with SMTP id g5mr32857851wjx.89.1452455763555; Sun, 10 Jan 2016 11:56:03 -0800 (PST) Received: from [192.168.1.189] ([2.31.24.87]) by smtp.googlemail.com with ESMTPSA id ko2sm65580276wjc.9.2016.01.10.11.56.02 for (version=TLSv1/SSLv3 cipher=OTHER); Sun, 10 Jan 2016 11:56:02 -0800 (PST) To: internals@lists.php.net References: Message-ID: <5692B742.5030303@gmail.com> Date: Sun, 10 Jan 2016 19:55:46 +0000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC] PHP 7.1 - Simple Cryptography Interface From: rowan.collins@gmail.com (Rowan Collins) On 10/01/2016 04:23, Scott Arciszewski wrote: > I'd like to make cryptography drop-dead simple in PHP 7.1 and > thereafter. The simplest thing to do is to provide a simple front-end > API, designed for human usability, that abstracts away the > complexities of cryptography engineering. I'm absolutely in favour of the sentiment behind this, but I'd like to clarify the exact audience and use-cases you are targeting. The severely limited set of proposed algorithms sounds great for someone who just wants to implement a single crypto scenario for internal use (although in that case things will need to be very well documented - as a non-expert, I would not know when to use seal() vs encrypt() vs aeadEncrypt() for instance). The custom "ciphertext message format" also implies that the intention is only to store these messages for use on another PHP system with the same configuration. However, some of the time the cryptography work people want to do is to interact with other systems. These might require selection of specific algorithms, which might not be the latest and greatest, but still need to be implemented somewhere. It would be odd if I wanted to implement, say, OAuth or XML-Sig, and there were no functions under \Php\Crypto\ to help me with that. Previous discussions have described something more like PDO, which is intended as a simplified abstraction toolkit, rather than a crypto-for-dummies. I think there's a case for both things, but it would be interesting to think about how they might be related. Regards, -- Rowan Collins [IMSoP]