On Mon, Aug 1, 2016 at 10:46 AM, Charles R. Portwood II <charlesportwoodii@erianna.com> wrote:
Hello,
The RFC for introducing Argon2 as an alternative hashing algorithm for the
password_* functions is now open. The RFC is available at
https://wiki.php.net/rfc/argon2_password_hash.
Voting is open for 1 week, and will close on August 8th with a 50%+1
majority required to pass. If either of those need to be adjusted please
let me know.
Hi Charles,
I don't think we should be voting on "mak[ing] PASSWORD_ARGON2 the
default password hashing algorithm in 7.4" yet — the potential is there
per the original ext/password RFC, and should require a new vote for 7.4 at
the appropriate time (e.g. post-7.3).
Voting for this now without wide deployment (and PHP would likely be the
largest potential deployment) that can battle-test this is premature.
While I support the addition of this to PHP 7.2, I can't vote for it
because of the 7.4 clause.
Feel free to ignore this as it's late to add it:
- argon2d shouldn't be supported, argon2i only. The goal of ext/password
  is simplicity, and sane defaults. Support for argon2d is unnecessary, and
  shouldn't be added.
- Compile time flag should probably be --with-password-argon2, similar to
  say --with-pdo-mysql, as it's a sub-feature and not standalone. (Though,
  IIRC, --with-pdo-mysql will implicitly add --enable-pdo).
Thanks,
I'm open to both of those suggestions. Argon2d was included just to be in
line with the Argon2 spec. I can imagine a scenario where someone would be
okay with an Argon2d hash, but I agree the password_hash API implies
simplicity and PASSWORD_ARGON2D could introduce complexity/confusion.
On 1 August 2016 at 18:46, Charles R. Portwood II <charlesportwoodii@erianna.com> wrote:
Hello,
The RFC for introducing Argon2 as an alternative hashing algorithm for the
password_* functions is now open. The RFC is available at
https://wiki.php.net/rfc/argon2_password_hash.
Voting is open for 1 week, and will close on August 8th with a 50%+1
majority required to pass. If either of those need to be adjusted please
let me know.
To clarify, the vote appears to be a single vote for "include in 7.2 and
make default in 7.4" - is this correct?
If so, I think it would be better to reduce the scope - include in 7.2,
with a view to holding a discussion/vote on making it default nearer the
time 7.4 comes around. It seems a little premature for voting on things
that won't even start happening for a couple of years, and there's always
the possibility that something may change between now and then (e.g. some
better default is decided on and/or some vuln is discovered in
bcrypt/Argon2 that changes the considerations).
Thanks, Chris
The RFC proposal is for induction in 7.2, and default in 7.4. You're not
the only one to bring this up though.
This is my first RFC, so if I misunderstood something I apologize. I
suspect though that this may be a sticking point and may require the RFC
to be restarted so that defaults aren't set for this RFC.
What would be the best way to go about this since voting already started? Wait
to see the results? Pull the RFC myself then re-open it with the 7.4
comments removed? Or wait for the vote to run its course then restart it
on the 15th, a week after the original close date?
Thanks,
Charles R. Portwood II