Hello Adrien,

I need a value that can be protected against dumps by mistake or 
malevolence, also through serialization by mistake and malevolence.
However, I need to keep a way of serializing the protected data through 
ciphering.

See: 
https://gist.github.com/gplanchat/9939898a1ca852fffcd7a651d188c5ed#opaque-and-ciphered-data-object-interfaces

I would like to keep the following possible:

$opaque = new OpaqueText('Value to protect');
$encrypted = $crypto->encrypt($opaque); // the returned CipheredInterface object can be serialized
serialize($encrypted);

Where $crypto is an object implementing the CipherInterface described in my 
ADR; it will encrypt objects of type OpaqueInterface.

In the ADR, a CipheredInterface is an opaque object that can be serialized, 
where the OpaqueInterface cannot be serialized.
In both cases, those are opaque objects that cannot be dumped.

Grégory

On Tuesday 11 June 2024 at 05:11:07 UTC+2, Adrien Crivelli wrote:

> Why do you think SensitiveParameterValue "is not sufficient alone"? What 
> do you need more than a value that cannot be dumped by mistake?
>
> On Monday 10 June 2024 at 19:56:49 UTC+7 Grégory Planchat wrote:
>
>> Hello Tim and Adrien,
>>
>> Thank you for your answers.
>>
>> I am thinking now a PSR is maybe not the appropriate response for this 
>> use case.
>> The SensitiveParameter attribute and the SensitiveParameterValue give 
>> some solutions for opaque objects, however it is not sufficient alone.
>> Do you think it should be better achieved as internal classes/functions?
>>
>> Grégory
>>
>> On Sunday 9 June 2024 at 15:10:40 UTC+2, Tim Düsterhus wrote:
>>
>>> Hi 
>>>
>>> On 6/7/24 04:39, Adrien Crivelli wrote: 
>>> > https://3v4l.org/IPXe0#v8.2.20 seems to demonstrate that the plain native
>>> > `SensitiveParameterValue` does not disclose any more information than your
>>> > custom `Secured` class. Unless there are more features that you did not
>>> > mention, I'd also suggest to directly use the native
>>> > `SensitiveParameterValue` for maximum interoperability and ease of use.
>>>
>>> As the RFC author of the RFC in question: One thing a userland class 
>>> cannot protect against that SensitiveParameterValue as an internal class 
>>> protects against is an `(array)` cast. 
>>>
>>> Best regards 
>>> Tim Düsterhus 
>>>
>>

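The distinction discussed in this thread (an opaque value that refuses dumps and serialization, a ciphered value that can be serialized, and the `(array)` cast Tim mentions), as an added example that is not code from the thread or from the ADR. The names `OpaqueText::reveal()`, `CipheredText` and `encryptOpaque()` are hypothetical, and libsodium's secretbox is an assumed cipher choice.

```php
<?php
declare(strict_types=1);
// Added example. OpaqueText, CipheredText, reveal() and encryptOpaque() are
// hypothetical names, not the ADR's interfaces. Needs PHP >= 8.2 and ext-sodium.

final class OpaqueText
{
    public function __construct(#[\SensitiveParameter] private readonly string $value) {}
    public function reveal(): string { return $this->value; }
    // Used by var_dump() and print_r() instead of the real properties.
    public function __debugInfo(): array { return ['value' => '***']; }
    // Makes serialize() fail for the plaintext holder.
    public function __serialize(): array { throw new \LogicException('not serializable'); }
}

// Serializable on purpose: it only ever holds the nonce and the ciphertext.
final class CipheredText
{
    public function __construct(public readonly string $nonce, public readonly string $box) {}
}

function encryptOpaque(OpaqueText $opaque, #[\SensitiveParameter] string $key): CipheredText
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return new CipheredText($nonce, sodium_crypto_secretbox($opaque->reveal(), $nonce, $key));
}

function canSerialize(object $o): bool
{
    try { serialize($o); return true; } catch (\Throwable) { return false; }
}

$secret = 'Value to protect';               // constructed sample value
$key    = sodium_crypto_secretbox_keygen(); // constructed throwaway key
$opaque = new OpaqueText($secret);
$native = new \SensitiveParameterValue($secret);
$wire   = serialize(encryptOpaque($opaque, $key));
// Restrict unserialize() to the one class expected on the wire.
$back   = unserialize($wire, ['allowed_classes' => [CipheredText::class]]);

var_dump([
    'userland opaque serializable'     => canSerialize($opaque),
    'native value serializable'        => canSerialize($native),
    'plaintext in serialized ciphered' => str_contains($wire, $secret),
    'round trip decrypts'              => sodium_crypto_secretbox_open($back->box, $back->nonce, $key) === $secret,
    // The (array) cast reads properties directly, bypassing both magic methods above.
    '(array) leaks userland opaque'    => in_array($secret, (array) $opaque, true),
    '(array) leaks native value'       => in_array($secret, (array) $native, true),
]);
```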