On 10/01/2016 04:23, Scott Arciszewski wrote:
> I'd like to make cryptography drop-dead simple in PHP 7.1 and
> thereafter. The simplest thing to do is to provide a simple front-end
> API, designed for human usability, that abstracts away the
> complexities of cryptography engineering.

I'm absolutely in favour of the sentiment behind this, but I'd like to clarify the exact audience and use-cases you are targeting.

The severely limited set of proposed algorithms sounds great for someone who just wants to implement a single crypto scenario for internal use (although in that case things will need to be very well documented - as a non-expert, I would not know when to use seal() vs encrypt() vs aeadEncrypt() for instance). The custom "ciphertext message format" also implies that the intention is only to store these messages for use on another PHP system with the same configuration.

However, some of the time the cryptography work people want to do is to interact with other systems. These might require selection of specific algorithms, which might not be the latest and greatest, but still need to be implemented somewhere. It would be odd if I wanted to implement, say, OAuth or XML-Sig, and there were no functions under \Php\Crypto\ to help me with that.

Previous discussions have described something more like PDO, which is intended as a simplified abstraction toolkit, rather than a crypto-for-dummies. I think there's a case for both things, but it would be interesting to think about how they might be related.

Regards,

--
Rowan Collins
[IMSoP]


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
