Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90479
Return-Path: <t.carnage@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 94203 invoked from network); 11 Jan 2016 11:43:44 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Jan 2016 11:43:44 -0000
Authentication-Results: pb1.pair.com header.from=t.carnage@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=t.carnage@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.50 as permitted sender)
X-PHP-List-Original-Sender: t.carnage@gmail.com
X-Host-Fingerprint: 74.125.82.50 mail-wm0-f50.google.com  
Received: from [74.125.82.50] ([74.125.82.50:33940] helo=mail-wm0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 39/23-64385-C6593965 for <internals@lists.php.net>; Mon, 11 Jan 2016 06:43:41 -0500
Received: by mail-wm0-f50.google.com with SMTP id u188so210765915wmu.1
        for <internals@lists.php.net>; Mon, 11 Jan 2016 03:43:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=4XaHEPCn5kVUCqqKFhQYn/OPwBHdTfC7MAtgUio20Eo=;
        b=KOBbXKGDCjNeeQeuOFtb8QCTglDxRxlMSBa+WVfND9DM15mA1pWBMnEaLJJzdeLPXM
         3G6MEbmD9TEHh0KWZKOq1dQNuG57ixukFt+3INZdJ6XY+Vfnj4nOzL4jwids3lfdiRmZ
         D6fqjLiVRwsWD7nyMzKe69JD18lGv3+CBM88D0GAVCx6a42gQt+hkEFGCd30J+lzayl8
         GPt9R81c96VSAR5XpoBXFtQICBwnYiQtkM4Cjxo52alS/YidnYQ9PdRUnd4vzqqeO7TQ
         0HiIT5+mSPOJiWEqT38W0R/uD3pHD+B4aRVcQebil5ZCgT3X56ukq600WN2I7RS8czf4
         ukew==
MIME-Version: 1.0
X-Received: by 10.194.201.134 with SMTP id ka6mr135780954wjc.116.1452512617956;
 Mon, 11 Jan 2016 03:43:37 -0800 (PST)
Received: by 10.194.3.71 with HTTP; Mon, 11 Jan 2016 03:43:37 -0800 (PST)
In-Reply-To: <B55302DA-9269-425B-80C5-059C6EB2C5FC@rouvenwessling.de>
References: <CAKws9z1L7uvBCESKk5espVxYyFtDCMhWuMTTjM5EPciRsk8_zA@mail.gmail.com>
	<B55302DA-9269-425B-80C5-059C6EB2C5FC@rouvenwessling.de>
Date: Mon, 11 Jan 2016 11:43:37 +0000
Message-ID: <CABHuAWy+NqSzwYRCUrFjqAMBUmWKPV6onK5w3JER+HfDNzFADg@mail.gmail.com>
To: =?UTF-8?Q?Rouven_We=C3=9Fling?= <me@rouvenwessling.de>
Cc: Scott Arciszewski <scott@paragonie.com>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=047d7ba97e64a00f8b05290d7242
Subject: Re: [PHP-DEV] PHP 7.1 - Argon2
From: t.carnage@gmail.com (Chris Riley)

--047d7ba97e64a00f8b05290d7242
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 11 January 2016 at 09:12, Rouven We=C3=9Fling <me@rouvenwessling.de> wro=
te:

>
> > On 11 Jan 2016, at 07:57, Scott Arciszewski <scott@paragonie.com> wrote=
:
> >
> > Does adding Argon2 as a possible choice for password_hash() +
> > password_verify() need an RFC? Or can I just submit a pull request?
>
> The original RFC (https://wiki.php.net/rfc/password_hash) contained the
> following text:
>
> > I'd propose the following policy for updating the default hashing
> algorithm in future releases of PHP.
> >
> > * Any new algorithm must be in core for at least 1 full release of PHP
> prior to becoming default. So if scrypt is added in 5.5.5, it wouldn't be
> eligible for default until 5.7 (since 5.6 would be the full release). But
> if jcrypt (making it up) was added in 5.6.0, it would also be eligible fo=
r
> default at 5.7.0.
> > * The default should only change on a full release (5.6.0, 6.0.0, etc)
> and not on a revision release. The only exception to this is in an
> emergency when a critical security flaw is found in the current default.
> > * For a normal (non-emergency) change in default, an RFC shall be issue=
d
> for the update of the default algorithm, following normal RFC rules.
>
> So technically I don=E2=80=99t think it would be necessary to have an RFC=
 to add
> another algorithm, though I think it might be nice as this is certainly a
> place where things shouldn=E2=80=99t be changed willy nilly.
>
> > It won't be changing the default in 7.1, and IIRC this sort of change
> > was already agreed upon as part of the original password_hash() RFC.
>
> I=E2=80=99m not really qualified to discuss the merits of the algorithm b=
ut a
> couple of questions:
>
> * Is there already a crypt scheme for Argon2? Or are there any efforts to
> define one? It would good if PHP wouldn=E2=80=99t be an island.
> * Back in July, when it won the PHC, it wasn=E2=80=99t deemed production =
ready as
> they wanted to make a few tweaks. Is that completed?
> * Are you proposing to use Argon2d or Argon2i?
>
> Lastly, I think it would be a good start to implement Argon2 in ext-hash.
>
> Best regards
> Rouven
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
I was considering the same for adding scrypt; however there (isn't|wasn't|I
couldn't find) a crypt scheme for it and having a custom algorithm
identifier for php seemed like a bad idea.

~C

--047d7ba97e64a00f8b05290d7242--