On Mon, Aug 1, 2016 at 3:27 PM, Charles R. Portwood II < charlesportwoo...@erianna.com> wrote:
> On Mon, Aug 1, 2016 at 3:16 PM, Davey Shafik <da...@php.net> wrote:
>
>> On Mon, Aug 1, 2016 at 1:13 PM, Charles R. Portwood II <
>> charlesportwoo...@erianna.com> wrote:
>>
>>>
>>> On Mon, Aug 1, 2016 at 2:41 PM, Davey Shafik <da...@php.net> wrote:
>>>
>>>> On Mon, Aug 1, 2016 at 12:35 PM, Davey Shafik <da...@php.net> wrote:
>>>>
>>>>> On Mon, Aug 1, 2016 at 10:46 AM, Charles R. Portwood II <
>>>>> charlesportwoo...@erianna.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The RFC for introducing Argon2 as an alternative hashing algorithm
>>>>>> for the password_* functions is now open. The RFC is available at
>>>>>> https://wiki.php.net/rfc/argon2_password_hash.
>>>>>>
>>>>>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>>>>> majority required to pass. If either of those need to be adjusted
>>>>>> please let me know.
>>>>>>
>>>>>
>>>>> Hi Charles,
>>>>>
>>>>> I don't think we should be voting on "mak[ing] PASSWORD_ARGON2 the
>>>>> default password hashing algorithm in 7.4" yet — the _potential_ is there
>>>>> per the original ext/password RFC, and should require a new vote for 7.4
>>>>> at the appropriate time (e.g. post-7.3).
>>>>>
>>>>> Voting for this now without wide deployment (and PHP would likely be
>>>>> the largest potential deployment) that can battle-test this is premature.
>>>>>
>>>>> While I support the addition of this to PHP 7.2, I can't vote for it
>>>>> because of the 7.4 clause.
>>>>>
>>>>
>>>> Feel free to ignore this as it's late to add it:
>>>>
>>>> 1) argon2d shouldn't be supported, argon2i only. The goal of
>>>> ext/password is simplicity, and sane defaults. Support for argon2d is
>>>> unnecessary, and shouldn't be added.
>>>>
>>>> 2) Compile time flag should probably be --with-password-argon2, similar
>>>> to say --with-pdo-mysql, as it's a sub-feature and not standalone. (Though,
>>>> IIRC, --with-pdo-mysql will implicitly add --enable-pdo).
>>>>
>>>> Thanks,
>>>>
>>>> - Davey
>>>>
>>>
>>> I'm open to both of those suggestions. Argon2d was included just to be
>>> in line with the Argon2 spec. I can imagine a scenario where someone would
>>> be okay with an Argon2d hash, but I agree the password_hash API implies
>>> simplicity and PASSWORD_ARGON2D could introduce complexity/confusion.
>>>
>>>
>>> On Mon, Aug 1, 2016 at 2:59 PM, Chris Wright <daveran...@php.net> wrote:
>>>
>>>> On 1 August 2016 at 18:46, Charles R. Portwood II <
>>>> charlesportwoo...@erianna.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> The RFC for introducing Argon2 as an alternative hashing algorithm for
>>>>> the password_* functions is now open. The RFC is available at
>>>>> https://wiki.php.net/rfc/argon2_password_hash.
>>>>>
>>>>> Voting is open for 1 week, and will close on August 8th with a 50%+1
>>>>> majority required to pass. If either of those need to be adjusted
>>>>> please let me know.
>>>>>
>>>>
>>>> To clarify, the vote appears to be a single vote for "include in 7.2
>>>> *and* make default in 7.4" - is this correct?
>>>>
>>>> If so, I think it would be better to reduce the scope - include in
>>>> 7.2, with a view to holding a discussion/vote on making it default nearer
>>>> the time 7.4 comes around. It seems a little premature for voting on things
>>>> that won't even start happening for a couple of years, and there's always
>>>> the possibility that something may change between now and then (e.g. some
>>>> better default is decided on and/or some vuln is discovered in
>>>> bcrypt/Argon2 that changes the considerations).
>>>>
>>>> Thanks, Chris
>>>>
>>>
>>> The RFC proposal is for induction in 7.2, and default in 7.4. You're not
>>> the only one to bring this up though.
>>>
>>> This is my first RFC, so if I misunderstood something I apologize. I
>>> suspect though that this may be a sticking point and may require the RFC
>>> to be restarted so that defaults aren't set for this RFC.
>>>
>>> What would be the best way to go about this since voting already started?
>>> Wait to see the results? Pull the RFC myself then re-open it with the 7.4
>>> comments removed? Or wait for the vote to run its course then restart it
>>> on the 15th, a week after the original close date?
>>>
>>
>> Just close it, make your changes, send an email about them, give it a
>> couple of days if you feel it is necessary for further discussion (I don't
>> think it is) and announce the vote again :)
>>
>> - Davey
>>
>
> Davey,
>
> Okay. I'm going to close the vote out then since it's jumping the gun on
> defaults, and this seems to be a more serious issue.
>
> Thanks,
> *Charles R. Portwood II*
>
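The thread argues about when Argon2 should become the password_hash() default, but never shows what "default" means operationally: password_needs_rehash() is what lets an application migrate stored hashes transparently on the next successful login, so a later change of default is a rolling upgrade rather than a password reset. The following is an added example written for this page, not code from the RFC or from PHP's sources. It assumes what the RFC eventually shipped as in PHP 7.2 (the constant PASSWORD_ARGON2I, taking argon2i only as Davey suggested, with the options memory_cost, time_cost and threads); the cost values and the sample password are illustrative and constructed here.

```php
<?php
// Added example for the Argon2 password_hash RFC thread; not part of the RFC
// or of PHP itself. Assumes PHP >= 7.2 built with Argon2 support, where the
// constant shipped as PASSWORD_ARGON2I.
declare(strict_types=1);

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support; rebuild with --with-password-argon2.\n");
    exit(1);
}

// Illustrative cost parameters (an assumption, not a recommendation from the
// RFC): memory_cost is in KiB, time_cost is the number of passes. Tune them
// against the login latency you can afford on the server's actual hardware.
const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // 64 MiB
    'time_cost'   => 4,
    'threads'     => 2,
];

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
}

/**
 * Verify $password against the stored hash. On success, if the stored hash
 * was produced by a different algorithm (e.g. bcrypt) or by weaker Argon2
 * parameters than ARGON2_OPTIONS, return a fresh hash for the caller to
 * persist. Returns ['ok' => bool, 'new_hash' => ?string].
 */
function verify_and_maybe_rehash(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new = null;
    if (password_needs_rehash($stored, PASSWORD_ARGON2I, ARGON2_OPTIONS)) {
        $new = hash_password($password);
    }
    return ['ok' => true, 'new_hash' => $new];
}

// Constructed demo: a user whose record still holds a bcrypt hash.
$password = 'correct horse battery staple';
$legacy   = password_hash($password, PASSWORD_BCRYPT);

// Wrong password: rejected, and no rehash is offered.
$r = verify_and_maybe_rehash('wrong password', $legacy);
assert($r['ok'] === false && $r['new_hash'] === null);

// Correct password: accepted, and the bcrypt hash is upgraded to argon2i.
$r = verify_and_maybe_rehash($password, $legacy);
assert($r['ok'] === true && $r['new_hash'] !== null);
assert(strpos($r['new_hash'], '$argon2i$') === 0);
assert(password_get_info($r['new_hash'])['algoName'] === 'argon2i');

// A hash already at the current parameters does not trigger another rehash.
$r2 = verify_and_maybe_rehash($password, $r['new_hash']);
assert($r2['ok'] === true && $r2['new_hash'] === null);

echo "legacy:   {$legacy}\n";
echo "upgraded: {$r['new_hash']}\n";
```

The upgraded hash is self-describing (`$argon2i$v=19$m=65536,t=4,p=2$<salt>$<tag>`), which is why password_verify() needs no algorithm argument and why password_needs_rehash() can detect both an algorithm change and a cost increase. The same call pattern covers the scenario the thread worries about: if a weakness were found in bcrypt or Argon2 later, changing the algorithm constant and options in one place migrates every account on its next login.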