Opening https://wiki.php.net/rfc/password_registry for discussion.
It's all in the elevator pitch, but the TL;DR is to make password_hash()/password_verify() into a more easily extensible API for multiple hashing mechanisms. Critically, this would allow us to include new library-dependent mechanisms (such as those found in libsodium and libhydrogen) without actually forcing a library dependency on the core build.

I don't consider the current internal API proposal fixed; in particular, I'm not too keen on the algorithm identification. What I've presented is a callback for a mechanism to say "Yes, I can verify that signature", but this means we must ask all mechanisms. A more direct means might involve "search for /^\$mechanismName\$/", but not only is this already insufficient for bcrypt (identified by $2y$), but it'll probably be worse later on.

If anyone has better ideas here, I'm totes open.

-Sara
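The two identification strategies discussed in the message, side by side, as an added example that is not code from the RFC or from php-src. The `pw_mech` struct, the function names, the refuse-on-ambiguity rule and the sample strings are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical mechanism record: a name plus a "can I verify this?" callback. */
typedef struct {
    const char *name;
    int (*claims)(const char *hash, size_t len);
} pw_mech;

/* Constructed samples with the right shape only; not real password hashes. */
#define SAMPLE_BCRYPT "$2y$10$" "0123456789" "0123456789" "0123456789" \
                      "0123456789" "0123456789" "012"
#define SAMPLE_ARGON2I "$argon2i$v=19$m=1024,t=2,p=2$c2FsdA$aGFzaA"

static int bcrypt_claims(const char *h, size_t n) {
    return n == 60 && memcmp(h, "$2y$", 4) == 0;   /* fixed 60-byte format */
}
static int argon2i_claims(const char *h, size_t n) {
    return n > 9 && memcmp(h, "$argon2i$", 9) == 0;
}

static const pw_mech registry[] = {
    { "bcrypt",  bcrypt_claims  },
    { "argon2i", argon2i_claims },
};
#define NMECH (sizeof registry / sizeof registry[0])

/* Callback approach: every mechanism is asked; two claimants is an error. */
const pw_mech *identify_by_callback(const char *hash) {
    size_t n = strlen(hash);
    const pw_mech *found = NULL;
    for (size_t i = 0; i < NMECH; i++) {
        if (!registry[i].claims(hash, n)) continue;
        if (found) return NULL;            /* ambiguous: refuse to guess */
        found = &registry[i];
    }
    return found;
}

/* Direct approach: look up the text between the first two '$' by name. */
const pw_mech *identify_by_prefix(const char *hash) {
    const char *end = hash[0] == '$' ? strchr(hash + 1, '$') : NULL;
    if (!end) return NULL;
    size_t idlen = (size_t)(end - hash - 1);
    for (size_t i = 0; i < NMECH; i++)
        if (strlen(registry[i].name) == idlen &&
            memcmp(registry[i].name, hash + 1, idlen) == 0)
            return &registry[i];
    return NULL;                           /* "$2y$" lands here: "2y" != "bcrypt" */
}
```

The callback path costs one call per registered mechanism on every verify, while the name lookup only works for formats whose identifier equals the mechanism name.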