Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90483
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 2572 invoked from network); 11 Jan 2016 12:27:40 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Jan 2016 12:27:40 -0000
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.51 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.218.51 mail-oi0-f51.google.com  
Received: from [209.85.218.51] ([209.85.218.51:35252] helo=mail-oi0-f51.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C8/B4-64385-ABF93965 for <internals@lists.php.net>; Mon, 11 Jan 2016 07:27:39 -0500
Received: by mail-oi0-f51.google.com with SMTP id p187so32076977oia.2
        for <internals@lists.php.net>; Mon, 11 Jan 2016 04:27:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=bhbB2tOtynvCpa2Mlg1seczarUv3kNnZmMb26KbdxVg=;
        b=r9tvVPBroFjOEHJqfJRg4NMdtnuJJuPtk5QyIz2kdCKmVa0FCweR+xOgxYJ3MyCDGq
         +FwlGRhPuc5HPWwbhGz3ix/Z+vrBpCE9EkRIfpJ9y956DLPYtjO36LvTPnUulhBmjwJk
         af4Zg4KgTGesy08z7pu04IQDg5nQ5gakNVKo7Lsfkf/jk2FniE9NdvpHS05H+QqWipqd
         rdaKx+dLSLkoPJAWE4M625rvnqjy9QRyQGvEiaG7QVGxFLd34dZkx4ap9TmavjIVKPLw
         fuB9+V9ig6XwpJyTbBE6syHrDcsSuEfT1eqk5t3EeFbTbYk+8wynWZQu1ZldTLt3aH8m
         Ei3g==
MIME-Version: 1.0
X-Received: by 10.202.203.198 with SMTP id b189mr81746865oig.39.1452515256091;
 Mon, 11 Jan 2016 04:27:36 -0800 (PST)
Received: by 10.202.95.68 with HTTP; Mon, 11 Jan 2016 04:27:34 -0800 (PST)
Received: by 10.202.95.68 with HTTP; Mon, 11 Jan 2016 04:27:34 -0800 (PST)
In-Reply-To: <B55302DA-9269-425B-80C5-059C6EB2C5FC@rouvenwessling.de>
References: <CAKws9z1L7uvBCESKk5espVxYyFtDCMhWuMTTjM5EPciRsk8_zA@mail.gmail.com>
	<B55302DA-9269-425B-80C5-059C6EB2C5FC@rouvenwessling.de>
Date: Mon, 11 Jan 2016 19:27:34 +0700
Message-ID: <CAEZPtU6TXmEMTjnX2B=OwR6cDRrdGQuEaMAxw6DdhOWczohUiw@mail.gmail.com>
To: =?UTF-8?Q?Rouven_We=C3=9Fling?= <me@rouvenwessling.de>
Cc: Scott Arciszewski <scott@paragonie.com>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1137d93adeca3c05290e0fa5
Subject: Re: [PHP-DEV] PHP 7.1 - Argon2
From: pierre.php@gmail.com (Pierre Joye)

--001a1137d93adeca3c05290e0fa5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi,
On Jan 11, 2016 4:12 PM, "Rouven We=C3=9Fling" <me@rouvenwessling.de> wrote=
:
>
>
> > On 11 Jan 2016, at 07:57, Scott Arciszewski <scott@paragonie.com> wrote=
:
> >
> > Does adding Argon2 as a possible choice for password_hash() +
> > password_verify() need an RFC? Or can I just submit a pull request?
>
> The original RFC (https://wiki.php.net/rfc/password_hash) contained the
following text:
>
> > I'd propose the following policy for updating the default hashing
algorithm in future releases of PHP.
> >
> > * Any new algorithm must be in core for at least 1 full release of PHP
prior to becoming default. So if scrypt is added in 5.5.5, it wouldn't be
eligible for default until 5.7 (since 5.6 would be the full release). But
if jcrypt (making it up) was added in 5.6.0, it would also be eligible for
default at 5.7.0.
> > * The default should only change on a full release (5.6.0, 6.0.0, etc)
and not on a revision release. The only exception to this is in an
emergency when a critical security flaw is found in the current default.
> > * For a normal (non-emergency) change in default, an RFC shall be
issued for the update of the default algorithm, following normal RFC rules.
>
> So technically I don=E2=80=99t think it would be necessary to have an RFC=
 to add
another algorithm, though I think it might be nice as this is certainly a
place where things shouldn=E2=80=99t be changed willy nilly.
>
> > It won't be changing the default in 7.1, and IIRC this sort of change
> > was already agreed upon as part of the original password_hash() RFC.
>
> I=E2=80=99m not really qualified to discuss the merits of the algorithm b=
ut a
couple of questions:
>
> * Is there already a crypt scheme for Argon2? Or are there any efforts to
define one? It would good if PHP wouldn=E2=80=99t be an island.

https://github.com/P-H-C/phc-winner-argon2

The reference implementation. If anything we should use it.

I am not sure if we should bundle the library tho'.

> * Back in July, when it won the PHC, it wasn=E2=80=99t deemed production =
ready as
they wanted to make a few tweaks. Is that completed?
> * Are you proposing to use Argon2d or Argon2i?
>
> Lastly, I think it would be a good start to implement Argon2 in ext-hash.
>
> Best regards
> Rouven
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--001a1137d93adeca3c05290e0fa5--