Newsgroups: php.internals
Xref: news.php.net php.internals:94791
Date: Mon, 1 Aug 2016 19:09:26 -0500
To: PHP internals
Subject: Re: [PHP-DEV] [RFC][VOTE]: Argon2 Password Hash
From: charlesportwoodii@erianna.com ("Charles R. Portwood II")

On Mon, Aug 1, 2016 at 3:27 PM, Charles R. Portwood II <charlesportwoodii@erianna.com> wrote:

> On Mon, Aug 1, 2016 at 3:16 PM, Davey Shafik wrote:
>
>> On Mon, Aug 1, 2016 at 1:13 PM, Charles R. Portwood II <charlesportwoodii@erianna.com> wrote:
>>
>>> On Mon, Aug 1, 2016 at 2:41 PM, Davey Shafik wrote:
>>>
>>>> On Mon, Aug 1, 2016 at 12:35 PM, Davey Shafik wrote:
>>>>
>>>>> On Mon, Aug 1, 2016 at 10:46 AM, Charles R. Portwood II <charlesportwoodii@erianna.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The RFC for introducing Argon2 as an alternative hashing algorithm for the
>>>>>> password_* functions is now open. The RFC is available at
>>>>>> https://wiki.php.net/rfc/argon2_password_hash.
>>>>>>
>>>>>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>>>>> majority required to pass. If either of those need to be adjusted please
>>>>>> let me know.
>>>>>
>>>>> Hi Charles,
>>>>>
>>>>> I don't think we should be voting on "mak[ing] PASSWORD_ARGON2 the
>>>>> default password hashing algorithm in 7.4" yet — the _potential_ is there
>>>>> per the original ext/password RFC, and should require a new vote for 7.4 at
>>>>> the appropriate time (e.g. post-7.3).
>>>>>
>>>>> Voting for this now without wide deployment (and PHP would likely be
>>>>> the largest potential deployment) that can battle-test this is premature.
>>>>>
>>>>> While I support the addition of this to PHP 7.2, I can't vote for it
>>>>> because of the 7.4 clause.
>>>>
>>>> Feel free to ignore this as it's late to add it:
>>>>
>>>> 1) argon2d shouldn't be supported, argon2i only. The goal of
>>>> ext/password is simplicity, and sane defaults. Support for argon2d is
>>>> unnecessary, and shouldn't be added.
>>>>
>>>> 2) Compile-time flag should probably be --with-password-argon2, similar
>>>> to say --with-pdo-mysql, as it's a sub-feature and not standalone. (Though,
>>>> IIRC, --with-pdo-mysql will implicitly add --enable-pdo).
>>>>
>>>> Thanks,
>>>>
>>>> - Davey
>>>
>>> I'm open to both of those suggestions. Argon2d was included just to be
>>> in line with the Argon2 spec. I can imagine a scenario where someone would
>>> be okay with an Argon2d hash, but I agree the password_hash API implies
>>> simplicity and PASSWORD_ARGON2D could introduce complexity/confusion.
>>>
>>> On Mon, Aug 1, 2016 at 2:59 PM, Chris Wright wrote:
>>>
>>>> On 1 August 2016 at 18:46, Charles R. Portwood II <charlesportwoodii@erianna.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> The RFC for introducing Argon2 as an alternative hashing algorithm for the
>>>>> password_* functions is now open. The RFC is available at
>>>>> https://wiki.php.net/rfc/argon2_password_hash.
>>>>>
>>>>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>>>> majority required to pass. If either of those need to be adjusted please
>>>>> let me know.
>>>>
>>>> To clarify, the vote appears to be a single vote for "include in 7.2
>>>> *and* make default in 7.4" - is this correct?
>>>>
>>>> If so, I think it would be better to reduce the scope - include in
>>>> 7.2, with a view to holding a discussion/vote on making it default nearer
>>>> the time 7.4 comes around. It seems a little premature for voting on things
>>>> that won't even start happening for a couple of years, and there's always
>>>> the possibility that something may change between now and then (e.g. some
>>>> better default is decided on and/or some vuln is discovered in
>>>> bcrypt/Argon2 that changes the considerations).
>>>>
>>>> Thanks, Chris
>>>
>>> The RFC proposal is for induction in 7.2, and default in 7.4. You're not
>>> the only one to bring this up though.
>>>
>>> This is my first RFC, so if I misunderstood something I apologize. I
>>> suspect though that this may be a sticking point and may require the RFC
>>> to be restarted so that defaults aren't set for this RFC.
>>>
>>> What would the best way to go about this since voting already started?
>>> Wait to see the results? Pull the RFC myself then re-open it with the 7.4
>>> comments removed? Or wait for the vote to run its course then restart it
>>> on the 15th, a week after the original close date?
>>
>> Just close it, make your changes, send an email about them, give it a
>> couple of days if you feel it is necessary for further discussion (I don't
>> think it is) and announce the vote again :)
>>
>> - Davey
>
> Davey,
>
> Okay. I'm going to close the vote out then since it's jumping the gun on
> defaults, and this seems to be a more serious issue.
>
> Thanks,
> *Charles R. Portwood II*
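The thread concerns two practical points: exposing Argon2 through the password_* API (Argon2i only), and what a later change of the default algorithm would mean for deployments. The following is an added example, not code from the RFC or from any participant in the thread. It opts in to Argon2i explicitly (the constant PHP 7.2 actually shipped is PASSWORD_ARGON2I, not the PASSWORD_ARGON2 name used in the discussion), falls back to the engine default when the build lacks Argon2 support, and uses password_needs_rehash() so that hashes written under an older algorithm or weaker parameters are upgraded at the next successful login. The memory_cost/time_cost/threads values, the bcrypt cost, and the helper names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the RFC or the thread). It assumes a PHP build
// with Argon2 support, where the constant shipped as PASSWORD_ARGON2I.
// Helper names and cost parameters below are choices made for this example.

// Algorithm and options the application wants today. Argon2i is used when
// the build provides it; otherwise the engine default (bcrypt) is kept.
function chosen_algorithm(): array
{
    if (defined('PASSWORD_ARGON2I')) {
        return [PASSWORD_ARGON2I, [
            'memory_cost' => 1 << 16, // in KiB, i.e. 64 MiB (example value)
            'time_cost'   => 4,
            'threads'     => 1,       // libsodium-backed builds accept only 1
        ]];
    }
    return [PASSWORD_DEFAULT, ['cost' => 12]];
}

function hash_password(string $plain): string
{
    [$algo, $options] = chosen_algorithm();
    $hash = password_hash($plain, $algo, $options);
    if (!is_string($hash)) {   // PHP 7 returns false on failure
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// Verifies $plain against $stored. On success, also reports whether the
// stored hash should be replaced because it was made with a different
// algorithm or weaker parameters than chosen_algorithm() now returns;
// this is how a deployment migrates when the chosen default changes.
function verify_and_maybe_rehash(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    [$algo, $options] = chosen_algorithm();
    $rehash = password_needs_rehash($stored, $algo, $options)
        ? hash_password($plain)   // only possible now, while $plain is known
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed demo: a bcrypt hash stands in for a row written before the
// application switched to Argon2i.
$secret = 'correct horse battery staple';
$legacy = password_hash($secret, PASSWORD_BCRYPT, ['cost' => 10]);

$result = verify_and_maybe_rehash($secret, $legacy);
printf("verified: %s\n", $result['ok'] ? 'yes' : 'no');
printf("stored hash algorithm: %s\n", password_get_info($legacy)['algoName']);
if ($result['rehash'] !== null) {
    printf("replacement hash algorithm: %s\n",
        password_get_info($result['rehash'])['algoName']);
}
```

The caller is expected to write `$result['rehash']` back to the user's row in the same request, because the plaintext is only available at login time. For the constructed legacy hash above, a rehash is produced on both kinds of build: with Argon2 support the algorithm differs, and without it the bcrypt cost 10 is below the cost 12 now requested.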