Newsgroups: php.internals
Date: Sat, 21 Jan 2017 15:45:21 +0100
From: me@kelunik.com (Niklas Keller)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net", Leigh
Subject: Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

> I really don't see any pros for caring about failing CSPRNG and fallback
> to weak behavior.
>
> 1) BC is extremely unlikely. Basically, no BC on healthy hardware/OS.
> 2) When things failed, programs should fail properly, i.e. shouldn't
> fall back to weaker/problematic code.

Failing closed on a missing CSPRNG isn't really important for uniqid(). There's no guarantee that uniqid() produces unguessable output. It tries to guarantee uniqueness and fails at the single one job it has for distributed systems.

I still think it's better to just leave it as is and deprecate it, maybe while moving a UUID ext to core.

Regards,
Niklas

> Broken CSPRNG is like BUS error, i.e. hardware error, why should we care
> so much about it?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
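
The contrast drawn in this message, as an added example that is not part of the original post or of PHP's own source: a uniqid() value is a hex-encoded timestamp that decodes straight back to its generation time, while a version 4 UUID built on random_bytes() throws instead of falling back when no CSPRNG is available. The helper names `decode_uniqid` and `uuid_v4` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; helper names are hypothetical, not PHP core code.

/** Decode the time-derived part of a uniqid() value generated without a prefix. */
function decode_uniqid(string $id): array
{
    // uniqid() emits 8 hex digits of seconds followed by 5 hex digits of
    // microseconds; more_entropy only appends an LCG-derived suffix after these.
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})/', $id, $m)) {
        throw new InvalidArgumentException('not a prefix-less uniqid() value');
    }
    return ['sec' => (int) hexdec($m[1]), 'usec' => (int) hexdec($m[2])];
}

/** Random (version 4) UUID taken entirely from the OS CSPRNG. */
function uuid_v4(): string
{
    // random_bytes() throws an Exception when no CSPRNG is available,
    // so this function fails closed rather than degrading to weak output.
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

$id = uniqid();
$t  = decode_uniqid($id);

// The identifier reveals when it was created, to the microsecond.
printf(
    "uniqid : %s -> generated at %s.%06d UTC\n",
    $id,
    gmdate('Y-m-d H:i:s', $t['sec']),
    $t['usec']
);

// 122 random bits; nothing about the host clock is recoverable.
printf("uuid v4: %s\n", uuid_v4());
```

Because the uniqid() value depends only on the local clock, two hosts that call it in the same microsecond produce the same identifier, which is the distributed-systems weakness the message refers to.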