On Mon, Aug 1, 2016 at 2:41 PM, Davey Shafik <da...@php.net> wrote:

> On Mon, Aug 1, 2016 at 12:35 PM, Davey Shafik <da...@php.net> wrote:
>
>> On Mon, Aug 1, 2016 at 10:46 AM, Charles R. Portwood II <
>> charlesportwoo...@erianna.com> wrote:
>>
>>> Hello,
>>>
>>> The RFC for introducing Argon2 as an alternative hashing algorithm for
>>> the password_* functions is now open. The RFC is available at
>>> https://wiki.php.net/rfc/argon2_password_hash.
>>>
>>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>> majority required to pass. If either of those need to be adjusted please
>>> let me know.
>>>
>>
>> Hi Charles,
>>
>> I don't think we should be voting on "mak[ing] PASSWORD_ARGON2 the
>> default password hashing algorithm in 7.4" yet — the _potential_ is there
>> per the original ext/password RFC, and should require a new vote for 7.4 at
>> the appropriate time (e.g. post-7.3).
>>
>> Voting for this now without wide deployment (and PHP would likely be the
>> largest potential deployment) that can battle-test this is premature.
>>
>> While I support the addition of this to PHP 7.2, I can't vote for it
>> because of the 7.4 clause.
>>
>
> Feel free to ignore this as it's late to add it:
>
> 1) argon2d shouldn't be supported, argon2i only. The goal of ext/password
> is simplicity, and sane defaults. Support for argon2d is unnecessary, and
> shouldn't be added.
>
> 2) Compile time flag should probably be --with-password-argon2, similar to
> say --with-pdo-mysql, as it's a sub-feature and not standalone. (Though,
> IIRC, --with-pdo-mysql will implicitly add --enable-pdo).
>
> Thanks,
>
> - Davey
>
>
I'm open to both of those suggestions. Argon2d was included just to be in
line with the Argon2 spec. I can imagine a scenario where someone would be
okay with an Argon2d hash, but I agree the password_hash API implies
simplicity and PASSWORD_ARGON2D could introduce complexity/confusion.


On Mon, Aug 1, 2016 at 2:59 PM, Chris Wright <daveran...@php.net> wrote:

> On 1 August 2016 at 18:46, Charles R. Portwood II <
> charlesportwoo...@erianna.com> wrote:
>
>> Hello,
>>
>> The RFC for introducing Argon2 as an alternative hashing algorithm for the
>> password_* functions is now open. The RFC is available at
>> https://wiki.php.net/rfc/argon2_password_hash.
>>
>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>> majority required to pass. If either of those need to be adjusted please
>> let me know.
>>
>
> To clarify, the vote appears to be a single vote for "include in 7.2 *and*
> make default in 7.4" - is this correct?
>
> If so, I think it would be better to reduce the scope - include in 7.2,
> with a view to holding a discussion/vote on making it default nearer the
> time 7.4 comes around. It seems a little premature for voting on things
> that won't even start happening for a couple of years, and there's always
> the possibility that something may change between now and then (e.g. some
> better default is decided on and/or some vuln is discovered in
> bcrypt/Argon2 that changes the considerations).
>
> Thanks, Chris
>

The RFC proposal is for induction in 7.2, and default in 7.4. You're not
the only one to bring this up though.


This is my first RFC, so if I misunderstood something I apologize. I
suspect though that this may be a sticking point and may require the RFC
to be restarted so that defaults aren't set for this RFC.

What would be the best way to go about this since voting already started? Wait
to see the results? Pull the RFC myself then re-open it with the 7.4
comments removed? Or wait for the vote to run its course then restart it
on the 15th, a week after the original close date?

Thanks,
*Charles R. Portwood II*