Hi,

On Jan 11, 2016 4:12 PM, "Rouven Weßling" <m...@rouvenwessling.de> wrote:
>
> > On 11 Jan 2016, at 07:57, Scott Arciszewski <sc...@paragonie.com> wrote:
> >
> > Does adding Argon2 as a possible choice for password_hash() +
> > password_verify() need an RFC? Or can I just submit a pull request?
>
> The original RFC (https://wiki.php.net/rfc/password_hash) contained the following text:
>
> > I'd propose the following policy for updating the default hashing algorithm in future releases of PHP.
> >
> > * Any new algorithm must be in core for at least 1 full release of PHP prior to becoming default. So if scrypt is added in 5.5.5, it wouldn't be eligible for default until 5.7 (since 5.6 would be the full release). But if jcrypt (making it up) was added in 5.6.0, it would also be eligible for default at 5.7.0.
> > * The default should only change on a full release (5.6.0, 6.0.0, etc) and not on a revision release. The only exception to this is in an emergency when a critical security flaw is found in the current default.
> > * For a normal (non-emergency) change in default, an RFC shall be issued for the update of the default algorithm, following normal RFC rules.
>
> So technically I don’t think it would be necessary to have an RFC to add another algorithm, though I think it might be nice as this is certainly a place where things shouldn’t be changed willy nilly.
>
> > It won't be changing the default in 7.1, and IIRC this sort of change
> > was already agreed upon as part of the original password_hash() RFC.
>
> I’m not really qualified to discuss the merits of the algorithm but a couple of questions:
>
> * Is there already a crypt scheme for Argon2? Or are there any efforts to define one? It would be good if PHP wouldn’t be an island.

https://github.com/P-H-C/phc-winner-argon2 The reference implementation. If anything we should use it. I am not sure if we should bundle the library tho'.

> * Back in July, when it won the PHC, it wasn’t deemed production ready as they wanted to make a few tweaks. Is that completed?
> * Are you proposing to use Argon2d or Argon2i?
>
> Lastly, I think it would be a good start to implement Argon2 in ext-hash.
>
> Best regards
> Rouven
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
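As an added illustration of the two points the thread raises (adding Argon2 to password_hash()/password_verify(), and the "crypt scheme" string that lets PHP interoperate with other Argon2 implementations), the following example is not from the thread or from the PHP project; it assumes a later PHP (7.3 or newer) built with Argon2 support, where the PASSWORD_ARGON2ID constant and the memory_cost/time_cost/threads options exist. The $storeHash callback is a hypothetical stand-in for whatever persists the user's new hash. It shows how a change of algorithm is absorbed at login via password_needs_rehash(), and parses the PHC-format string Argon2 emits so stored parameters can be audited.

```php
<?php
// Added example, not code from the thread: Argon2id through the
// password_hash() API, login-time upgrade of older (bcrypt) hashes, and a
// parser for the PHC string format ($argon2id$v=19$m=...,t=...,p=...$salt$hash).
declare(strict_types=1);

// One place to decide the site-wide algorithm and cost parameters. Changing
// these is all that is needed: existing hashes are upgraded on next login.
const SITE_PASSWORD_ALGO = PASSWORD_ARGON2ID;
const SITE_PASSWORD_OPTIONS = [
    'memory_cost' => 64 * 1024, // KiB, i.e. 64 MiB
    'time_cost'   => 4,         // iterations
    'threads'     => 1,         // parallelism
];

function hashPassword(string $password): string
{
    return password_hash($password, SITE_PASSWORD_ALGO, SITE_PASSWORD_OPTIONS);
}

/**
 * Verify a login and transparently re-hash when the stored hash uses an
 * older algorithm or weaker parameters than the current policy.
 * $storeHash is a hypothetical callback that persists the new hash.
 */
function verifyAndUpgrade(string $password, string $storedHash, callable $storeHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false; // constant-time comparison is done inside password_verify()
    }
    if (password_needs_rehash($storedHash, SITE_PASSWORD_ALGO, SITE_PASSWORD_OPTIONS)) {
        $storeHash(hashPassword($password));
    }
    return true;
}

/**
 * Parse the PHC-style Argon2 string so parameters can be audited (e.g. to
 * find accounts still hashed with too little memory). Returns null when the
 * string is not an Argon2 hash in this format.
 */
function parseArgon2Hash(string $hash): ?array
{
    $m = [];
    $re = '/^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+\/]+)\$([A-Za-z0-9+\/]+)$/';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    return [
        'variant'     => $m[1],
        'version'     => (int) $m[2],
        'memory_cost' => (int) $m[3],
        'time_cost'   => (int) $m[4],
        'threads'     => (int) $m[5],
        'salt_b64'    => $m[6],
        'hash_b64'    => $m[7],
    ];
}

// Constructed demo: a user whose hash predates the Argon2 policy (bcrypt).
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$upgradedHash = null;

$ok = verifyAndUpgrade(
    'correct horse battery staple',
    $legacyHash,
    function (string $newHash) use (&$upgradedHash): void { $upgradedHash = $newHash; }
);

var_dump($ok);                                   // bool(true)
var_dump($upgradedHash !== null);                // bool(true): bcrypt hash was upgraded
var_dump(password_get_info($upgradedHash)['algoName']); // string "argon2id"
var_dump(parseArgon2Hash($upgradedHash));        // variant/version/m/t/p plus salt and hash
var_dump(parseArgon2Hash($legacyHash));          // NULL: not an Argon2 string
var_dump(verifyAndUpgrade('wrong password', $upgradedHash, fn(string $h) => null)); // bool(false)
```

Because the stored string carries the variant, version and all cost parameters, password_verify() on any later PHP can check a hash made under older settings, and password_needs_rehash() is what turns a policy change (a new default, or raised memory_cost) into a gradual migration rather than a forced reset.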