> > I'll try to explain a bit more by examples.

Hi Yasuo,

It sounds to me like it is *possible* to currently use hash_hkdf() in a secure manner, but that you (and some others?) feel the arg order and default args are not conducive to safe/secure usage.

Given that the function is live in the wild, massively changing the order of things and defaults is an instant red flag for myself, and I believe a lot of other people.

To me this sounds more like an issue that could be relatively quickly improved by a documentation update that highlights how to securely use the function. Yes, if there are more secure defaults that would be nice, but that ship has sailed, and the function was on it.

Just my 2 cents.

Cheers

Stephen

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php