Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94781
Return-Path: <charlesportwoodii@ethreal.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 67216 invoked from network); 1 Aug 2016 20:16:23 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 1 Aug 2016 20:16:23 -0000
Authentication-Results: pb1.pair.com smtp.mail=charlesportwoodii@ethreal.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=charlesportwoodii@ethreal.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ethreal.net designates 209.85.218.45 as permitted sender)
X-PHP-List-Original-Sender: charlesportwoodii@ethreal.net
X-Host-Fingerprint: 209.85.218.45 mail-oi0-f45.google.com  
Received: from [209.85.218.45] ([209.85.218.45:33271] helo=mail-oi0-f45.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 39/D1-56789-61EAF975 for <internals@lists.php.net>; Mon, 01 Aug 2016 16:16:22 -0400
Received: by mail-oi0-f45.google.com with SMTP id j185so207829721oih.0
        for <internals@lists.php.net>; Mon, 01 Aug 2016 13:16:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ethreal.net; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to;
        bh=uSo4ZtV5WOdXwjnYCxxYHYX7wu9udzdfyOmQuZPlLU0=;
        b=UvDnOvmFN9bm20EzRwZrl7MOGDBjsPv7W2vePSCQe8UZTRqAEFJ6/PR3oN85tuOGgO
         x4rLmmXTJardIbnxpHiRAAGcDUj3VJwq6u3KpUTo8xfnKFa1CH8wMEVxpGQ5WpnK8aYz
         tJ4sRuBQwL0eJ//vIdvb3jroBYikknw07bNGw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=erianna.com; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to;
        bh=uSo4ZtV5WOdXwjnYCxxYHYX7wu9udzdfyOmQuZPlLU0=;
        b=epgRZ5JOBM81SajaiemEg977diHsqYmONGPQQBe8AflTNmYEC2a01XdHj2VLimwta0
         6rfza8wIcDlQ/aCccfoKom+HQfUMpwiPKqARMPrYRYyanR3fiVKmCzPn1uU1vgRnFf0q
         LkjnHs/BoR3K2NPku3CnDXzpB2XWnIV0x8ZTM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to;
        bh=uSo4ZtV5WOdXwjnYCxxYHYX7wu9udzdfyOmQuZPlLU0=;
        b=PGzpC0CzCRLFRiePoaOkSZUB3zg/TrXtnd/XgHJClP/GpJadT0ZKHiFjTKolcqwpXA
         5Ue2lMiQKOLjBSjMsD1qxbceQlkw/x0qVmN46ztajb9zUrQFcg0x3KOJJ3NydxPFgjZa
         XnG/aqzBKD7sQeSDJQfGMEeQa6yU2iYBjzBrL1Ll06W3ty4R6phroHmbGwTKrk/EBUzt
         838TnEJDkekS4jZ9Z1wX0n6rontZGu0v3nNkKqzVTCqoYVXKJR+xu0E0NS2pP50kXIT3
         SrneQp8t7X97WqAnQP+toULXQepuIcHiYzhEYhrTcoj/rX74y6N5QX5ENzvHyS4Fwilu
         oM0g==
X-Gm-Message-State: AEkoousckx2sSHrP39kK2ubDM+X3lxOZKPxGI8Nr1DG6IJuVJxFSmT+Sosi+szFxBGZnOGOfJmWeqw60GkIOQg==
X-Received: by 10.157.27.225 with SMTP id v30mr36769139otv.107.1470082577516;
 Mon, 01 Aug 2016 13:16:17 -0700 (PDT)
MIME-Version: 1.0
Sender: charlesportwoodii@ethreal.net
Received: by 10.182.55.3 with HTTP; Mon, 1 Aug 2016 13:15:57 -0700 (PDT)
X-Originating-IP: [38.140.54.114]
In-Reply-To: <CAGC=tRmeaN1cb69UoqfT+xnP2bh+FiB8WQBz7CNLJHskP4xkHQ@mail.gmail.com>
References: <CAGC=tRmcnkXrexBK=urT7=yp37UnZCNLkxgGZEW4Noi=_o-3cw@mail.gmail.com>
 <CANaX5neZJUx+8XgWX_s-0AxiZkLRO5XyzCKRXQVneBzB9G1m4w@mail.gmail.com>
 <CANaX5ndRYworBZ2AV_poiqB7FH6cZVh0anyN9j0G-YJsB6fcBA@mail.gmail.com> <CAGC=tRmeaN1cb69UoqfT+xnP2bh+FiB8WQBz7CNLJHskP4xkHQ@mail.gmail.com>
Date: Mon, 1 Aug 2016 15:15:57 -0500
X-Google-Sender-Auth: 171_B9VCSJkryQDXG4TlJ6geFGo
Message-ID: <CAGC=tR=AH4A4v4AqapHtieaQdgBOcrR+b-gNgcjFh=RY4UyhKA@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11494faed2e08d0539084597
Subject: Re: [PHP-DEV] [RFC][VOTE]: Argon2 Password Hash
From: charlesportwoodii@erianna.com ("Charles R. Portwood II")

--001a11494faed2e08d0539084597
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Mon, Aug 1, 2016 at 2:41 PM, Davey Shafik <davey@php.net> wrote:

> On Mon, Aug 1, 2016 at 12:35 PM, Davey Shafik <davey@php.net> wrote:
>
>> On Mon, Aug 1, 2016 at 10:46 AM, Charles R. Portwood II <
>> charlesportwoodii@erianna.com> wrote:
>>
>>> Hello,
>>>>
>>>>
>>> The RFC for introducing Argon2 as an alternative hashing algorithm for
>>> the
>>>
>>>> password_* functions is now open. The RFC is available at
>>>
>>>> https://wiki.php.net/rfc/argon2_password_hash
>>>
>>>
>>>
>>>
>>> .
>>>
>>>>
>>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>>
>>>> majority required to pass. If either of those need to be adjusted plea=
se
>>> let me know.
>>>
>>
>> Hi Charles,
>>
>> I don't think we should be voting on "mak[ing] PASSWORD_ARGON2 the
>> default password hashing algorithm in 7.4" yet =E2=80=94 the _potential_=
 is there
>> per the original ext/password RFC, and should require a new vote for 7.4=
 at
>> the appropriate time (e.g. post-7.3).
>>
>> Voting for this now without wide deployment (and PHP would likely be the
>> largest potential deployment) that can battle-test this is premature.
>>
>> While I support the addition of this to PHP 7.2, I can't vote for it
>> because of the 7.4 clause.
>>
>
> Feel free to ignore this as it's late to add it:
>
> 1) argon2d shouldn't be supported, argon2i only. The goal of ext/password
> is simplicity, and sane defaults. Support for argon2d is unnecessary, and
> shouldn't be added.
>
> 2) Compile time flag should probably be --with-password-argon2, similar t=
o
> say --with-pdo-mysql, as it's a sub-feature and not standalone. (Though,
> IIRC, --with-pdo-mysql will implicitly add --enable-pdo).
>
> Thanks,
>
> - Davey
>
>
I'm open to both of those suggestions. Argon2d was included just to be in
line with the Argon2 spec. I can imagine a scenario where someone would be
okay with an Argon2d hash, but I agree the password_hash API implies
simplicity and PASSWORD_ARGON2D could introduce complexity/confusion.


On Mon, Aug 1, 2016 at 2:59 PM, Chris Wright <daverandom@php.net> wrote:

> On 1 August 2016 at 18:46, Charles R. Portwood II <
> charlesportwoodii@erianna.com> wrote:
>
>> Hello,
>>>
>>>
>> The RFC for introducing Argon2 as an alternative hashing algorithm for t=
he
>>
>>> password_* functions is now open. The RFC is available at
>>
>>> https://wiki.php.net/rfc/argon2_password_hash.
>>
>>>
>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>
>>> majority required to pass. If either of those need to be adjusted pleas=
e
>> let me know.
>>
>
> To clarify, the vote appears to be a single vote for "include in 7.2 *and=
*
> make default in 7.4" - is this correct?
>
> If so, I think it would it be better to reduce the scope - include in 7.2=
,
> with a view to holding a discussion/vote on making it default nearer the
> time 7.4 comes around. It seems a little premature for voting on things
> that won't even start happening for a couple of years, and there's always
> the possibility that something may change between now and then (e.g. some
> better default is decided on and/or some vuln is discovered in
> bcrypt/Argon2 that changes the considerations).
>
> Thanks, Chris
>

The RFC proposal is for induction in 7.2, and default in 7.4. You're not
the only one to bring this up though.


This is my first RFC, so if I misunderstood something I apologize. I
suspect though that this may be a sticking point and may required the RFC
to be restarted so that defaults aren't set for this RFC.

What would the best way to go about this since voting already started? Wait
to see the results? Pull the RFC myself then re-open it with the 7.4
comments removed? Or wait for the vote to run it's course then restart it
on the 15th, a week after the original close date?

Thanks,
*Charles R. Portwood II*

--001a11494faed2e08d0539084597--