Newsgroups: php.internals (php.internals:96000)
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Improve uniqid() uniqueness
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Kazuo Oishi
Cc: internals@lists.php.net
Date: Thu, 15 Sep 2016 06:06:04 +0900
In-Reply-To: <87vaxyuz0n.fsf@lil.giraffy.jp>

Hi Kazuo,

On Thu, Sep 15, 2016 at 3:17 AM, Kazuo Oishi wrote:
>> I updated the RFC.
>> The 2nd parameter (more_entropy) is int now.
>>
>> - 0 to disable more entropy.
>> (Compatible with current $more_entropy=FALSE)
>> - 1 for 10 digits of entropy, e.g. 1.23456789
>> (Compatible with current $more_entropy=TRUE) DEFAULT
>> - 13 to 255 for that number of entropy chars, [0-v]{13,255}.
>> e.g. 1234abcdefghi (13 = 65 bits)
>> 65 bits of entropy + timestamp will provide good enough uniqueness for
>> most usage.
>>
>> A more secure default may be future scope, but attacks against misused
>> code will be much harder by default as a bonus.
>>
>> The default could be more secure by using [0-v]+.
>> Marco does not like "." in the default output.
>>
>> I would like to choose the default from discussion (or make some vote choices)
>
> Basically, I will not oppose if backward compatibility is kept (default
> $number_of_entropy_chars = 0). I have no opinion about specifying the
> length of entropy chars.
>
> However, I don't think this new 2nd parameter design is good.
>
> - It is not natural (or straightforward) to specify 1 as a
> parameter named $number_of_entropy_chars, to get 10 digits of
> entropy ($more_entropy=TRUE compatible output).
>
> - Why does the number of new style entropy chars ([0-9a-v]+) start at 13?
> (Why not 2 or 11?)
>
> - Why is the max number of entropy chars 255? (32^255 = 1275 bits)
> (Ease of implementation?)
>
> And, what will happen when 2-12, greater than 255, or a negative
> value is specified?

I'm going to propose a more compatible fix that changes neither the length of entropy chars nor the parameter type.

Anyway, I was thinking of raising an error for any invalid numbers.

I'm going to propose

A. Current format (digits and ".", e.g. 1.23456788)
B. HEX format ([0-9a-f]{10})

I'll make these vote options.

A is compatible with $more_entropy=TRUE.
B uses chars compatible with the output without $more_entropy (=FALSE).

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
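As an added example (not code from the RFC, the thread, or PHP's own uniqid()), here is a userland sketch in PHP of the second-parameter semantics argued over above, drawing entropy from random_int() rather than the LCG PHP uses; the function name uniqid_rfc(), the timestamp layout and the error type are assumptions.

```php
<?php
declare(strict_types=1);

// [0-9a-v]: the 32-symbol alphabet proposed for the 13..255 range (5 bits per char).
const ENTROPY_ALPHABET = '0123456789abcdefghijklmnopqrstuv';

// Bits of entropy in $length uniformly chosen symbols from an alphabet of $alphabetSize.
function entropy_bits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

function random_string(string $alphabet, int $length): string
{
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // CSPRNG, unlike php_combined_lcg()
    }
    return $out;
}

// Hypothetical polyfill for the proposed uniqid(string $prefix, int $number_of_entropy_chars).
function uniqid_rfc(string $prefix = '', int $numberOfEntropyChars = 1): string
{
    // 13-char timestamp part as uniqid() lays it out: 8 hex of seconds + 5 hex of microseconds.
    [$usec, $sec] = explode(' ', microtime());
    $ts = sprintf('%08x%05x', (int)$sec, (int)($usec * 1000000));

    if ($numberOfEntropyChars === 0) {          // current $more_entropy=FALSE
        return $prefix . $ts;
    }
    if ($numberOfEntropyChars === 1) {          // current $more_entropy=TRUE shape: "d.dddddddd"
        return $prefix . $ts . sprintf('%d.%08d', random_int(0, 9), random_int(0, 99999999));
    }
    if ($numberOfEntropyChars >= 13 && $numberOfEntropyChars <= 255) {
        return $prefix . $ts . random_string(ENTROPY_ALPHABET, $numberOfEntropyChars);
    }
    // 2-12, >255 or negative: the reply says these should raise an error.
    throw new InvalidArgumentException('number_of_entropy_chars must be 0, 1, or 13..255');
}

printf("format A (9 free digits):  %.1f bits\n", entropy_bits(10, 9));   // 29.9
printf("format B ([0-9a-f]{10}):   %.1f bits\n", entropy_bits(16, 10));  // 40.0
printf("[0-v]{13}:                 %.1f bits\n", entropy_bits(32, 13));  // 65.0
echo uniqid_rfc('', 13), "\n";
```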