Newsgroups: php.internals
Date: Sat, 06 Aug 2016 13:08:49 -0400
From: fsb@thefsb.org (Tom Worster)
To: "Charles R. Portwood II"
CC: PHP internals
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash

On 8/5/16, 2:20 PM, "Charles R. Portwood II" wrote:

>It breaks the API in the interim between this RFC and a potential future
>one. The $options parameter for both password_hash and
>password_needs_rehash is optional. Making it required for one algorithm
>but not another changes the APIs for both methods. The expectations
>outlined in the original password_hash RFC make the third parameter for
>tuning the algorithm, not for making the algorithm work. Without default
>values, both password_hash and password_needs_rehash would fail unless
>the costs are provided.

OK. I misunderstood what qualifies as "broken".

Looks like most people want to set default costs right away so I'll leave it here.

As for choosing the right default values for PHP, what are the criteria?

Tom