Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94867
Return-Path: <charlesportwoodii@ethreal.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 36607 invoked from network); 5 Aug 2016 18:21:21 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Aug 2016 18:21:21 -0000
Authentication-Results: pb1.pair.com smtp.mail=charlesportwoodii@ethreal.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=charlesportwoodii@ethreal.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ethreal.net designates 209.85.218.50 as permitted sender)
X-PHP-List-Original-Sender: charlesportwoodii@ethreal.net
X-Host-Fingerprint: 209.85.218.50 mail-oi0-f50.google.com  
Received: from [209.85.218.50] ([209.85.218.50:33942] helo=mail-oi0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 2D/CF-33134-029D4A75 for <internals@lists.php.net>; Fri, 05 Aug 2016 14:21:20 -0400
Received: by mail-oi0-f50.google.com with SMTP id l203so40253641oib.1
        for <internals@lists.php.net>; Fri, 05 Aug 2016 11:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ethreal.net; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=ESIc/3ncfVfZyLnghLweNMzQsg4EaSwKwA3aVa6EycQ=;
        b=afNnvmO4PficW2NUUI783MhjmuryJxlhMStUwIld+0YKlYqdSi5BQMzk0kp0wqJuM5
         JQV+yr0ncRfD9QeBm25+AWE2sjJTuchHhpfdQaAapxx7TNYPhEjUi9u4hUOiArP65+U+
         4SAHaskfh9+K9hIjqby8DG1zxSHEL2ov5Dxus=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=erianna.com; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=ESIc/3ncfVfZyLnghLweNMzQsg4EaSwKwA3aVa6EycQ=;
        b=cgD2m6YAHw3/LQxIzXgsd+o+nUA+n4/wPoJ3R0KgDalqqs/SvCXzkp+iKmNRypyTTm
         hQEgC0uzwy/wCcVd9Lqkuce89SBHGLTKtg+im+xiTUkPIUv/aPqWShjlu5V8lZvEPjF7
         graNaGQhNm2rXYmSRFqtCumlOJ+mxZD3PE3e4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=ESIc/3ncfVfZyLnghLweNMzQsg4EaSwKwA3aVa6EycQ=;
        b=luTGjk14EC0aJYzX6PnV1t4kkSpiUxzZ81E8AOUjHFcXVHKIXzoZopjLLJCSpwBB//
         sHj8l3wqRJB8gCSjFOYe3GGscs4g1k7k3T7+/rMuz6CAv3fh3W+rwtq+fLkzO6ccKMuW
         cyGGrJkYx2/mapiwprfVbE88ZkR8aRAFsUPcBStveyvZsRJsbDelNsqn5hjHgEVb4CsQ
         Iu3RODILisnGDn40c3nDKXX6kJF9VQFnGmr8E8FQcBtJG6DTmRI5ccrGSadbWsqfylIY
         66cdvam9B84EFkDD9zt2CIFkFLs0W6O6bP9z6yKgK5s22JYcAmDOatUY8w6rDmA93eS+
         O5fA==
X-Gm-Message-State: AEkoous+tWRUHh6RduvjXZpGwVwGlRNG0IJxvzhY1Hv6Gy82v1S+3MjNE5FMTd4uPVniaF3DTBf2HV/5uNHOgA==
X-Received: by 10.157.27.225 with SMTP id v30mr50987173otv.107.1470421277917;
 Fri, 05 Aug 2016 11:21:17 -0700 (PDT)
MIME-Version: 1.0
Sender: charlesportwoodii@ethreal.net
Received: by 10.182.191.72 with HTTP; Fri, 5 Aug 2016 11:20:57 -0700 (PDT)
X-Originating-IP: [38.140.54.114]
In-Reply-To: <D3CA3C50.70BAD%fsb@thefsb.org>
References: <CAGC=tRnpka_ym=f-xsskjeiPaqahsTEAxPq9=E8Z73KQKeRrHg@mail.gmail.com>
 <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org> <CAGC=tR=4v0KAkqnU1Q3Fr5AeM8o_PuJfP9rYQ_s4X3=Z9UUh=w@mail.gmail.com>
 <CAObuZdsq33=g4wG=FP0bOHnsE9N+PrCu3nGs7ZNAxx=rX4dJ+w@mail.gmail.com>
 <CAGC=tRkw3u0=ufjALKvF6YpahLE6H05T0vFBHyHPCM4aR1siCw@mail.gmail.com> <D3CA3C50.70BAD%fsb@thefsb.org>
Date: Fri, 5 Aug 2016 13:20:57 -0500
X-Google-Sender-Auth: H-rhxu5KoaFdkgxjQWmI8WfMaro
Message-ID: <CAGC=tRnKgD=r8pSc1KVPahC2Xx=BYDV+M=55eQ0GfMQSVgr97Q@mail.gmail.com>
To: Tom Worster <fsb@thefsb.org>
Cc: Ryan Pallas <derokorian@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11494faef0eaef053957211f
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash
From: charlesportwoodii@erianna.com ("Charles R. Portwood II")

--001a11494faef0eaef053957211f
Content-Type: text/plain; charset=UTF-8

On Fri, Aug 5, 2016 at 12:12 PM, Tom Worster <fsb@thefsb.org> wrote:
>
> I can understand an argument that it's too much to expect a user to
> provide an options array when using Argon2. But I don't understand how my
> suggestion breaks BC. In my idea, a future RFC would propose default cost
> constants. Changing PASSWORD_DEFAULT to PASSWORD_ARGON2I depends on those
> constants so they would need to be defined before changing
> PASSWORD_DEFAULT or at the same time. So...
>
> password_hash('password', PASSWORD_DEFAULT) will always work.
>
> password_hash('password', PASSWORD_ARGON2I) works as soon as Argon2 is
> introduced in your proposal, but has to wait for another future RFC in my
> suggested change.
>
> password_hash('password', PASSWORD_ARGON2I, [costs]) will always work.
>
> How does a BC break happen?
>
> Tom
>

Hi Tom,

It breaks the API in the interim between this RFC and a potential future
one. The $options parameter for both password_hash and
password_needs_rehash is optional. Making it required for one algorithm but
not another changes the API's for both methods. The expectations outlined
in the original password_hash RFC make the third parameter for tuning the
algorithm, not for making the algorithm work. Without default values, both
password_hash and password_needs_rehash would fail unless the costs are
provided.

Hi Niklas,

People knowing the reference library will probably recognize `memory_cost`
> and `time_cost`, but this is a simple API targeted on a large audience.
> Most users of it won't know the reference library's internals.


If that's going to be easier for people I'm all for it.

--001a11494faef0eaef053957211f--