Hi all, I have updated the RFC (https://wiki.php.net/rfc/data_encoding_api) to include base58 encoding and decoding functions to the proposal with arguments in favor of the addition.
Best regards, Ignace On Fri, Jun 20, 2025 at 10:17 AM ignace nyamagana butera < nyamsp...@gmail.com> wrote: > Thanks for the RFC! > > Here my doleance about it: > > - please make base58 part of the RFC - it's already widely used and having > it implemented in C would be great. See > https://github.com/php/php-src/issues/15195 > > I see that there's already a PECL extension for base58. I will see what I > can do because it was listed as a future scope for the moment. > > - it'd be great to default to url-safe base64. The RFC-compliant variant > is a very common risk, it'd be great to be on the safe side by default > > I went with the RFC recommendation to set up the default. In case of > Base64 the URL Safe variant is not the default. While we support URL safe > variants there are plenty of applications which do not expect the URL Safe > variant, for instance, the data URLs do not use the URL Safe variant. > > - why do we need to decide between constant-time and unprotected? Can't we > always go for the constant-time behavior? If not, what about defaulting to > constant-time, again, safe by default? > > In an ideal world I would use the constant-time behavior everytime, But > this will depend largely on the implementation and if it can be applied to > every scenario hence why I went defensive on this option. > > - about DecodingMode, shouldn't this be Lenient by default, following the > robustness principle? > > I went with strict by default for security reasons. The Lenient behavior > described is for instance more restrictive than the current "lenient" mode > used by the current base64_decode function. This is due to the security > issues raised by the RFC. > > Best regards, > Ignace > > > On Thu, Jun 19, 2025 at 1:50 PM Nicolas Grekas < > nicolas.grekas+...@gmail.com> wrote: > >> Hi Ignace >> >> I'd like to start the discussion for a new RFC about adding RFC 4648 >>> compliant data encoding API >>> >>> RFC proposal link: https://wiki.php.net/rfc/data_encoding_api >>> If passed, Tim Düsterhus has volunteered to do the implementation. >>> >>> Thanks in advance for your remarks and comments. >>> >>> Best regards, >>> Ignace Nyamagana Butera >>> >> >> Thanks for the RFC! >> >> Here my doleance about it: >> >> - please make base58 part of the RFC - it's already widely used and >> having it implemented in C would be great. See >> https://github.com/php/php-src/issues/15195 >> - it'd be great to default to url-safe base64. The RFC-compliant variant >> is a very common risk, it'd be great to be on the safe side by default >> - why do we need to decide between constant-time and unprotected? Can't >> we always go for the constant-time behavior? If not, what about defaulting >> to constant-time, again, safe by default? >> - about DecodingMode, shouldn't this be Lenient by default, following the >> robustness principle? >> - (base85 looks great and would be nice to have also :) ) >> >> Cheers, >> Nicolas >> >
