Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90465 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 41179 invoked from network); 10 Jan 2016 21:41:31 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 Jan 2016 21:41:31 -0000 Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain paragonie.com from 209.85.215.49 cause and error) X-PHP-List-Original-Sender: scott@paragonie.com X-Host-Fingerprint: 209.85.215.49 mail-lf0-f49.google.com Received: from [209.85.215.49] ([209.85.215.49:33861] helo=mail-lf0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1A/51-14657-800D2965 for ; Sun, 10 Jan 2016 16:41:29 -0500 Received: by mail-lf0-f49.google.com with SMTP id 17so1214936lfz.1 for ; Sun, 10 Jan 2016 13:41:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WX1nEYMMUlt5J6XVe+saAZVNWi23MbrSJnS0lSSUbIg=; b=E265Rfifoc0K6Tk4OO73bPDgBeAySoPK/UD5OAgsYF19gbJkXzVRxtdEMHKcLxCGzw DwX6BX8hbULFCJSJao7nEyBDI48xDGhEPB7lgTVl+3Vh2sMYDJ6S5Quh9E+OUN5EhFJ0 aN6XQLCklitCQhGht1NBH2ITmQDQXRNk3d+ertrIJ4/5Re3hce4/XcAns410vbcz3JMF OnTA0iaDuImR0ZIT/byWaA6kZ8BOGz+sLCkFHfn9ftekaMCB7lTXyi4A70JFMhgQsMRp lSNYFP5nCytWIycF9BTE7iJ8tAvQl22XVblBQGOzMEstLlow06w9XgpDuHRgKW4F0wTP TvdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=WX1nEYMMUlt5J6XVe+saAZVNWi23MbrSJnS0lSSUbIg=; b=OmB1I6k4YQzpggNJy4yB2d82cKqKh7tiENAycK+39YPmBmMfvsGLY0yoldon4p5JFW E2we+bRPSzvHeLctdgltFrqMK80MmbOy8vNo0lPyUP8tXCBfrSRBzguybWIoSBQFfabI IpUtw1NFAnOvXuZjC0OYZlQwxP13FnxcVVgb8PturvbwvIJX4IiDPMChSAvctUtM2MSE vi1uiFhpnJf/mlUG3LLX00ewfvHZ25qwmKzk2Ae+uEWZb62MWwaKPqoUvqRoyMdZoIza KtjkSM8Ee3lcX7KOEoz2WeDXubGd8ClU142pmLf8HM42Yflmsc/SEYjzwVyvBUzgJuSV kiQA== X-Gm-Message-State: ALoCoQnEpfA91ruW/pM7eBpzqhIe8sx8zcCII65pL7QG6SdQULEfp7UCCBYdHOXyzURoNB36MKgD8OVpaXZBr000B3I6u1tKfA== MIME-Version: 1.0 X-Received: by 10.25.65.5 with SMTP id o5mr33996476lfa.60.1452462085359; Sun, 10 Jan 2016 13:41:25 -0800 (PST) Received: by 10.114.160.13 with HTTP; Sun, 10 Jan 2016 13:41:25 -0800 (PST) In-Reply-To: <5692CDB6.5050905@gmail.com> References: <5692CDB6.5050905@gmail.com> Date: Sun, 10 Jan 2016 16:41:25 -0500 Message-ID: To: Rowan Collins Cc: PHP Internals Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC] Libsodium From: scott@paragonie.com (Scott Arciszewski) On Sun, Jan 10, 2016 at 4:31 PM, Rowan Collins wrote: > On 07/01/2016 16:11, Scott Arciszewski wrote: >> >> I'm personally not going to bother pushing >> for a pluggable crypto API if the only option is to use OpenSSL and >> all its legacy cruft. > > > I think what people are suggesting is not that libsodium shouldn't be > supported under-the-hood, just that the fact you're using it shouldn't be > exposed to userland. A PDO-like encryption interface (which as I understand > it is not what you proposed in your other thread) would allow us to add > libsodium in such a way that a relatively painless migration path can be > created if it goes the way of mcrypt. So the pluggable API removes the need > for any of the sodium_* / Sodium::* / \Sodium\* functions. > > Regards, > > -- > Rowan Collins > [IMSoP] > > > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > Hi Rowan, > I think what people are suggesting is not that libsodium shouldn't be > supported under-the-hood, just that the fact you're using it shouldn't be > exposed to userland. These are separate concerns. Let's call them Sodium and SimpleSodium. With Sodium, power users gain the ability to write software that directly uses low-level primitives in PHP without requiring their users to install dependencies (i.e. from PECL). Halite 2.0.0 is going to ship with an API for Axolotl, which is the ratcheting protocol used by Signal (formerly TextSecure + RedPhone). Being able to offer Signal integration in SMS-based two factor authentication schemes is a very attractive proposition; even moreso if Sodium is a core extension. SimpleSodium is a driver for the simple cryptography wrapper. You can have SimpleSodium without Sodium, but if we don't get Sodium into core I will, personally, not be putting forth one more ounce of time or effort into helping the PHP core so who knows maybe not? Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises