Newsgroups: php.internals
To: Nikita Popov, Yasuo Ohgaki
Cc: "internals@lists.php.net"
Message-ID: <80619c16-100f-e542-643d-f412e53d601e@thefsb.org>
Date: Fri, 9 Sep 2016 09:36:19 -0400
Subject: Re: [PHP-DEV] [RFC] Make uniqid() more unique
From: fsb@thefsb.org (Tom Worster)

On 9/9/16 6:12 AM, Nikita Popov wrote:
>
> The problem with "fixing" this function to be cryptographically
> unpredictable (rather than just unique, for a limited definition of unique)
> is that it will necessarily change the size of the output, on which there
> may be assumptions. A 128 bit random value is 22 chars in base64, which is
> a good bit larger than the current uniqid() output.
>
> I agree with Niklas, this function should simply be deprecated.

It is already in the sin bin, with that warning that steers users to
safer options, so it makes more sense to deprecate than to reform.

Tom