Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90477 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 83005 invoked from network); 11 Jan 2016 09:12:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Jan 2016 09:12:50 -0000 Authentication-Results: pb1.pair.com header.from=me@rouvenwessling.de; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@rouvenwessling.de; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain rouvenwessling.de from 80.241.60.212 cause and error) X-PHP-List-Original-Sender: me@rouvenwessling.de X-Host-Fingerprint: 80.241.60.212 mx1.mailbox.org Received: from [80.241.60.212] ([80.241.60.212:47083] helo=mx1.mailbox.org) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 94/E1-64385-E0273965 for ; Mon, 11 Jan 2016 04:12:48 -0500 Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id DF84C40452; Mon, 11 Jan 2016 10:12:43 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030) with ESMTP id 3Mk0C2FVbSUl; Mon, 11 Jan 2016 10:12:42 +0100 (CET) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\)) In-Reply-To: Date: Mon, 11 Jan 2016 10:12:40 +0100 Cc: PHP Internals Content-Transfer-Encoding: quoted-printable Message-ID: References: To: Scott Arciszewski X-Mailer: Apple Mail (2.3096.5) Subject: Re: [PHP-DEV] PHP 7.1 - Argon2 From: me@rouvenwessling.de (=?utf-8?Q?Rouven_We=C3=9Fling?=) > On 11 Jan 2016, at 07:57, Scott Arciszewski = wrote: >=20 > Does adding Argon2 as a possible choice for password_hash() + > password_verify() need an RFC? Or can I just submit a pull request? The original RFC (https://wiki.php.net/rfc/password_hash) contained the = following text: > I'd propose the following policy for updating the default hashing = algorithm in future releases of PHP. >=20 > * Any new algorithm must be in core for at least 1 full release of PHP = prior to becoming default. So if scrypt is added in 5.5.5, it wouldn't = be eligible for default until 5.7 (since 5.6 would be the full release). = But if jcrypt (making it up) was added in 5.6.0, it would also be = eligible for default at 5.7.0. > * The default should only change on a full release (5.6.0, 6.0.0, etc) = and not on a revision release. The only exception to this is in an = emergency when a critical security flaw is found in the current default. > * For a normal (non-emergency) change in default, an RFC shall be = issued for the update of the default algorithm, following normal RFC = rules. So technically I don=E2=80=99t think it would be necessary to have an = RFC to add another algorithm, though I think it might be nice as this is = certainly a place where things shouldn=E2=80=99t be changed willy nilly.=20= > It won't be changing the default in 7.1, and IIRC this sort of change > was already agreed upon as part of the original password_hash() RFC. I=E2=80=99m not really qualified to discuss the merits of the algorithm = but a couple of questions: * Is there already a crypt scheme for Argon2? Or are there any efforts = to define one? It would good if PHP wouldn=E2=80=99t be an island. * Back in July, when it won the PHC, it wasn=E2=80=99t deemed production = ready as they wanted to make a few tweaks. Is that completed? * Are you proposing to use Argon2d or Argon2i? Lastly, I think it would be a good start to implement Argon2 in = ext-hash. Best regards Rouven=