Newsgroups: php.internals
Xref: news.php.net php.internals:94692
Date: Mon, 25 Jul 2016 10:52:31 +0900
To: "internals@lists.php.net"
Cc: Davey Shafik
Subject: Re: [PHP-DEV] [RFC][VOTE] Session ID without hashing - Reopened
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

I would like to ask the default session ID string preference.
Details of guessing an active session ID are described in the previous mail. Please refer to it for details.

On Sun, Jul 24, 2016 at 4:57 PM, Yasuo Ohgaki wrote:
> I don't mind pausing vote to have consensus on how many bits for
> session ID string is preferred.

Current default is 128 bits with 32 chars. (Hex string which has 4 bits per char)
Pros: Compatible with current default.
Cons: Weaker than proposed default.

Proposed default is 240 bits with 48 chars. (Special form which has 5 bits per char)
Pros: Stronger than current default.
Cons: Incompatible with current default.

128 bits would be strong enough with CSPRNG, while 240 bits would be preferred as a precaution.

Which default would you prefer? I would like to restart the vote based on the result.

Thank you!

--
Yasuo Ohgaki
yohgaki@ohgaki.net
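The arithmetic behind the two defaults being voted on (16 CSPRNG bytes as 32 hex chars for 128 bits; 30 CSPRNG bytes as 48 five-bit chars for 240 bits), as an added example in PHP 7 that is not code from this mail or from PHP's session module. The 32-symbol alphabet, the bit-packing order, the helper names (session_id_hex, session_id_5bit, encode_5bit, is_valid_sid, guess_work_bits) and the 1e6 live-session figure are this example's own assumptions; the engine's encoder may pack bits differently.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mail or from PHP's session module.
//   4 bits/char: 16 random bytes -> 32 hex chars = 128 bits (current default)
//   5 bits/char: 30 random bytes -> 48 chars     = 240 bits (proposed default)
// ASSUMPTION: the alphabet and bit packing below are this example's own
// choices, not the engine's encoder.

const SID_ALPHABET_5BIT = '0123456789abcdefghijklmnopqrstuv'; // assumed, 32 symbols

// Current default form: hex, 4 bits of CSPRNG output per character.
function session_id_hex(int $bits = 128): string
{
    if ($bits % 8 !== 0) {
        throw new InvalidArgumentException('bits must be a multiple of 8');
    }
    return bin2hex(random_bytes(intdiv($bits, 8)));
}

// Proposed form: 5 bits per character. A multiple of 40 bits maps the byte
// string onto whole characters with no leftover (and therefore wasted) bits.
function session_id_5bit(int $bits = 240): string
{
    if ($bits % 40 !== 0) {
        throw new InvalidArgumentException('bits must be a multiple of 40');
    }
    return encode_5bit(random_bytes(intdiv($bits, 8)));
}

// Pack raw bytes into 5-bit groups, most significant bit first.
function encode_5bit(string $bytes): string
{
    $out   = '';
    $acc   = 0; // bit accumulator, never holds more than 12 bits
    $nbits = 0; // unconsumed bits currently in $acc
    $len   = strlen($bytes);
    for ($i = 0; $i < $len; $i++) {
        $acc    = ($acc << 8) | ord($bytes[$i]);
        $nbits += 8;
        while ($nbits >= 5) {
            $nbits -= 5;
            $out   .= SID_ALPHABET_5BIT[($acc >> $nbits) & 0x1f];
        }
        $acc &= (1 << $nbits) - 1; // drop the bits already emitted
    }
    return $out;
}

// Reject an incoming ID that does not match the exact alphabet and length
// of the configured form before it reaches the session handler.
function is_valid_sid(string $sid, int $bits_per_char, int $bits): bool
{
    $len     = intdiv($bits, $bits_per_char);
    $pattern = $bits_per_char === 4
        ? '/^[0-9a-f]{' . $len . '}$/'
        : '/^[0-9a-v]{' . $len . '}$/';
    return preg_match($pattern, $sid) === 1;
}

// Expected work for an online guess that hits any of N live sessions is about
// 2^(bits - log2 N) attempts: every live session shaves log2(N) bits off the ID.
function guess_work_bits(int $id_bits, int $active_sessions): float
{
    return $id_bits - log($active_sessions, 2);
}

// Usage (assumed figure of 1e6 live sessions for the work estimate)
$hex = session_id_hex();   // 32 chars, 128 bits
$sid = session_id_5bit();  // 48 chars, 240 bits
printf("%s (%d chars, valid=%s)\n", $hex, strlen($hex), var_export(is_valid_sid($hex, 4, 128), true));
printf("%s (%d chars, valid=%s)\n", $sid, strlen($sid), var_export(is_valid_sid($sid, 5, 240), true));
printf("128-bit IDs, 1e6 live sessions: ~2^%.1f guesses\n", guess_work_bits(128, 1000000));
printf("240-bit IDs, 1e6 live sessions: ~2^%.1f guesses\n", guess_work_bits(240, 1000000));
```

The strict validator matters as much as the generator: a handler that accepts any string as a session ID can be fed attacker-chosen IDs (fixation) regardless of how many bits the generator produces, so the length and alphabet check should be tied to the same setting that chooses the form.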