On Jan 5, 2012, at 6:56 AM, Tom Worster wrote:
> On 12/29/11 2:03 PM, "Philip Olson" wrote:
>
>> Hi Tom,
>>
>> I fully support a one-method-to-rule-them-all for generating random
>> sauce. Long ago I created an incomplete RFC on the subject, but please
>> feel free to ignore and create a new/b
>
>
> Thanks, Philip.
>
> How do I apply for a wiki account and RFC authoring privileges? (I googled
> but did not find.)
one can register for a wiki account (you already did that AFAIK), wiki
karma is handed out on request through php-webmaster@ (I cc-ed the list
now), usually Hannes manages that
On 12/29/11 2:03 PM, "Philip Olson" wrote:
>Hi Tom,
>
>I fully support a one-method-to-rule-them-all for generating random
>sauce. Long ago I created an incomplete RFC on the subject, but please
>feel free to ignore and create a new/better one. There are a couple of
>old related RFC entries, actu
On 12/29/11 2:42 PM, "Pierre Joye" wrote:
>On Thu, Dec 29, 2011 at 2:12 PM, Tom Worster wrote:
>
>> Fair points but not germane to my main argument: I proposed that the base
>> PHP API should allow the PHP programmer uniform access to the system's CS
>> random byte source, which is CryptDevR
On Thu, Dec 29, 2011 at 2:12 PM, Tom Worster wrote:
> Fair points but not germane to my main argument: I proposed that the base
> PHP API should allow the PHP programmer uniform access to the system's CS
> random byte source, which is CryptDevRandom on Windows. My proposal was
> countered by poin
> As a noob here, what should I do next in order to pursue my objective? Is
> this what the PHP RFC is for?
Hi Tom,
I fully support a one-method-to-rule-them-all for generating random sauce. Long
ago I created an incomplete RFC on the subject, but please feel free to ignore
and create a new/b
On 12/28/11 4:36 PM, "Anthony Ferrara" wrote:
>Tom,
>First off, /dev/random doesn't report anything. If the entropy pool
>is depleted, it will block until it has enough entropy to fulfil the
>request.
On Linux, yes. Not on BSD or OSX. I don't know about others.
> That may seem good, but it's
Tom,
First off, /dev/random doesn't report anything. If the entropy pool
is depleted, it will block until it has enough entropy to fulfil the
request. That may seem good, but it's a HUGE DOS vulnerability if you
are using them for non CS applications (which the VAST majority of PHP
applications fa
Hi Anthony,
Thanks again for your time responding.
On 12/21/11 2:35 PM, "Anthony Ferrara" wrote:
>Tom,
>
>> I think it nicely demonstrates a degree of sophistication that should
>> not be expected from typical PHP users.
>
>Which is why it should be available in a library of some form. Could
>
Thanks for your input Pierre,
On 12/21/11 2:25 PM, "Pierre Joye" wrote:
>hi,
>
>Some short comments:
>
>On Wed, Dec 21, 2011 at 4:31 PM, Tom Worster wrote:
>
>> PHP does not in general allow access to the underlying system's
>> entropy source. I think it would be a good idea if it did.
>
>It d
Tom,
> I think it nicely demonstrates a degree of sophistication that should
> not be expected from typical PHP users.
Which is why it should be available in a library of some form. Could
it be in core? Absolutely. Does it need to be? Nope...
> [I don't think mixing mt_rand() + rand() + uniqi
hi,
Some short comments:
On Wed, Dec 21, 2011 at 4:31 PM, Tom Worster wrote:
> PHP does not in general allow access to the underlying system's
> entropy source. I think it would be a good idea if it did.
It does on unix using the almost generally available random and
urandom. On Windows you ca
On 12/21/11 12:07 PM, "Kiall Mac Innes" wrote:
>On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster wrote:
>>
>> 1. /dev/random and /dev/urandom are unavailable on Windows and
>> cannot be fopen()'ed in safe mode on *nix/nux
>
>Safe mode has been deprecated for two and a half years.. Adding features
>t
Hi Anthony,
Thank you for your reply. I inserted some comments below.
On 12/21/11 11:19 AM, "Anthony Ferrara" wrote:
>2. I was unable to do it.
>
>I did it fine.
>
>https://github.com/ircmaxell/PHP-CryptLib/tree/master/lib/CryptLib/Random
I think it nicely demonstrates a degree of sophisticat
On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster wrote:
>
> 1. /dev/random and /dev/urandom are unavailable on Windows and
> cannot be fopen()'ed in safe mode on *nix/nux
Safe mode has been deprecated for two and a half years.. Adding features to
work around its limitations is (IMO) a bad idea..
Can'
Tom,
First off, very detailed post! However, there are a few things I'd
disagree with.
1. Salts for crypt() purposes need to be cryptographically secure
random numbers.
This is not true. The only requirement is that a salt be reasonably
unique (meaning that the chance of using the same one is
Hi, I'm new to this list so please tolerate my unfamiliarity with
protocol.
PHP does not in general allow access to the underlying system's
entropy source. I think it would be a good idea if it did.
It is routine for web developers to write code in PHP that stores
passwords in database tables or
17 matches