Morning,

This RFC was left open for 5 days past the end of voting as declared on the RFC.

I have closed the vote, and moved it out of the voting section on the RFC index.

Cheers
Joe

On Sat, Apr 1, 2017 at 3:50 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> - insecure signature (it ignores strong RFC 5689 recommendation)
> s/RFC 5689/RFC 5869/
>
> On Sat, Apr 1, 2017 at 11:27 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>>> Given that the function is live in the wild, massively changing the order
>>> of things and defaults is an instant red flag for myself, and I believe a
>>> lot of other people.
>>
>> Aside from that, it should not be merged into PHP 7.1 in the first place.
>> There are only 2 (or 3) bug fix versions released. Fixing the mistake ASAP is
>> better. IMHO.
>>
>>> To me this sounds more like an issue that could be relatively quickly
>>> improved by a documentation update that highlights how to securely use the
>>> function.
>>
>> While documentation may work, it seems silly for me to write,
>>
>> Even if "salt" is the last optional parameter, users must set an
>> appropriate "salt" whenever it is possible for maximum key security.
>>
>
> Another possible resolution could be reverting the hash_hkdf() merge from the 7.1 branch.
> Basic hash_hkdf() operation could be done by hash_hmac() easily.
>
> The merge should have had a PHP RFC.
> Reverting the hash_hkdf() merge may work better.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
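The quoted thread argues that HKDF (RFC 5869) is easy to build from hash_hmac() and that hash_hkdf() puts the salt last as an optional parameter. As an added example (not code from the thread or from PHP itself), the following builds the extract and expand steps from hash_hmac() with the salt as a required positional argument, checks the result against RFC 5869 test case 1, and then against the built-in hash_hkdf() called with the same inputs in its own parameter order. The helper names hkdf_extract, hkdf_expand and hkdf are my own.

```php
<?php
// Added example: HKDF (RFC 5869) from hash_hmac(), salt made explicit and required.

function hkdf_extract(string $algo, string $salt, string $ikm): string
{
    // RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM).
    // An empty salt behaves like HashLen zero bytes, as the RFC specifies for a
    // missing salt, because HMAC zero-pads any key shorter than the block size.
    return hash_hmac($algo, $ikm, $salt, true);
}

function hkdf_expand(string $algo, string $prk, string $info, int $length): string
{
    $hashLen = strlen(hash($algo, '', true));
    if ($length < 1 || $length > 255 * $hashLen) {
        throw new InvalidArgumentException('length must be between 1 and ' . (255 * $hashLen));
    }
    // RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), T(0) = "".
    $okm = '';
    $t = '';
    for ($i = 1; strlen($okm) < $length; $i++) {
        $t = hash_hmac($algo, $t . $info . chr($i), $prk, true);
        $okm .= $t;
    }
    return substr($okm, 0, $length);
}

// Salt is a required argument here; callers cannot forget it by accident.
function hkdf(string $algo, string $ikm, string $salt, string $info, int $length): string
{
    return hkdf_expand($algo, hkdf_extract($algo, $salt, $ikm), $info, $length);
}

// RFC 5869 Appendix A, test case 1 (SHA-256, L = 42).
$ikm      = str_repeat("\x0b", 22);
$salt     = hex2bin('000102030405060708090a0b0c');
$info     = hex2bin('f0f1f2f3f4f5f6f7f8f9');
$expected = '3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865';

$okm = hkdf('sha256', $ikm, $salt, $info, 42);
if (bin2hex($okm) !== $expected) {
    throw new RuntimeException('RFC 5869 test case 1 failed');
}

// Same derivation through the built-in (PHP 7.1.2+): note salt is its last parameter.
if (!hash_equals($okm, hash_hkdf('sha256', $ikm, 42, $info, $salt))) {
    throw new RuntimeException('hash_hkdf() disagrees with the hash_hmac() construction');
}
echo "HKDF via hash_hmac() matches RFC 5869 and hash_hkdf()\n";
```

Calling hash_hkdf() without the final argument silently derives with an empty salt, which is the usability concern raised in the thread; the wrapper above makes that omission a type error instead.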