On Jan 5, 2012, at 6:56 AM, Tom Worster wrote:
> On 12/29/11 2:03 PM, "Philip Olson" wrote:
>
>> Hi Tom,
>>
>> I fully support a one-method-to-rule-them-all for generating random
>> sauce. Long ago I created an incomplete RFC on the subject, but please
>> feel free to ignore and create a new/b
>
>
> Thanks, Philip.
>
> How do I apply for a wiki account and RFC authoring privileges? (I googled
> but did not find.)
One can register for a wiki account (you already did that AFAIK), wiki
karma is handed out on request through php-webmaster@ (I cc-ed the list
now), usually Hannes manages that
On 12/29/11 2:03 PM, "Philip Olson" wrote:
>Hi Tom,
>
>I fully support a one-method-to-rule-them-all for generating random
>sauce. Long ago I created an incomplete RFC on the subject, but please
>feel free to ignore and create a new/better one. There are a couple of
>old related RFC entries, actu
On 12/29/11 2:42 PM, "Pierre Joye" wrote:
>On Thu, Dec 29, 2011 at 2:12 PM, Tom Worster wrote:
>
>> Fair points but not germane to my main argument: I proposed that the
>>base
>> PHP API should allow the PHP programmer uniform access to the system's
>>CS
>> random byte source, which is CryptDevR
On Thu, Dec 29, 2011 at 2:12 PM, Tom Worster wrote:
> Fair points but not germane to my main argument: I proposed that the base
> PHP API should allow the PHP programmer uniform access to the system's CS
> random byte source, which is CryptDevRandom on Windows. My proposal was
> countered by poin
> As a noob here, what should I do next in order to pursue my objective? Is
> this what the PHP RFC is for?
Hi Tom,
I fully support a one-method-to-rule-them-all for generating random sauce. Long
ago I created an incomplete RFC on the subject, but please feel free to ignore
and create a new/b
On 12/28/11 4:36 PM, "Anthony Ferrara" wrote:
>Tom,
>First off, /dev/random doesn't report anything. If the entropy pool
>is depleted, it will block until it has enough entropy to fulfil the
>request.
On Linux, yes. Not on BSD or OSX. I don't know about others.
> That may seem good, but it's
Tom,
First off, /dev/random doesn't report anything. If the entropy pool
is depleted, it will block until it has enough entropy to fulfil the
request. That may seem good, but it's a HUGE DOS vulnerability if you
are using them for non CS applications (which the VAST majority of PHP
applications fa
Hi Anthony,
Thanks again for your time responding.
On 12/21/11 2:35 PM, "Anthony Ferrara" wrote:
>Tom,
>
>> I think it nicely demonstrates a degree of sophistication that should
>> not be expected from typical PHP users.
>
>Which is why it should be available in a library of some form. Could
>
Thanks for your input Pierre,
On 12/21/11 2:25 PM, "Pierre Joye" wrote:
>hi,
>
>Some short comments:
>
>On Wed, Dec 21, 2011 at 4:31 PM, Tom Worster wrote:
>
>> PHP does not in general allow access to the underlying system's
>> entropy source. I think it would be a good idea if it did.
>
>It d
Tom,
> I think it nicely demonstrates a degree of sophistication that should
> not be expected from typical PHP users.
Which is why it should be available in a library of some form. Could
it be in core? Absolutely. Does it need to be? Nope...
> [I don't think mixing mt_rand() + rand() + uniqi
hi,
Some short comments:
On Wed, Dec 21, 2011 at 4:31 PM, Tom Worster wrote:
> PHP does not in general allow access to the underlying system's
> entropy source. I think it would be a good idea if it did.
It does on unix using the almost generally available random and
urandom. On Windows you ca
On 12/21/11 12:07 PM, "Kiall Mac Innes" wrote:
>On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster wrote:
>>
>> 1. /dev/random and /dev/urandom are unavailable on Windows and
>> cannot be fopen()'ed in safe mode on *nix/nux
>
>Safe mode has been deprecated for two and a half years.. Adding features
>t
Hi Anthony,
Thank you for your reply. I inserted some comments below.
On 12/21/11 11:19 AM, "Anthony Ferrara" wrote:
>2. I was unable to do it.
>
>I did it fine.
>
>https://github.com/ircmaxell/PHP-CryptLib/tree/master/lib/CryptLib/Random
I think it nicely demonstrates a degree of sophisticat
On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster wrote:
>
> 1. /dev/random and /dev/urandom are unavailable on Windows and
> cannot be fopen()'ed in safe mode on *nix/nux
Safe mode has been deprecated for two and a half years.. Adding features to
work around its limitations is (IMO) a bad idea..
Can'
Tom,
First off, very detailed post! However, there are a few things I'd
disagree with.
1. Salts for crypt() purposes need to be cryptographically secure
random numbers.
This is not true. The only requirement is that a salt be reasonably
unique (meaning that the chance of using the same one is