2016-07-10 21:27 GMT+02:00 Charles R. Portwood II < charlesportwoo...@erianna.com>:
> On Sun, Jul 10, 2016 at 12:36 AM, Scott Arciszewski <sc...@paragonie.com> wrote:
>
> > Version 1.3 of the Argon2 spec alleviated my concerns.
> >
> > I never completed my patch, and the past couple of months have been
> > hectic. I can review the patch before it's merged if you want, but I still
> > don't have the free time to author an alternative.
> >
> > If accepted in 7.1, I believe it can be the new PASSWORD_DEFAULT in 7.3 if
> > it remains the best option.
> >
> > Scott Arciszewski
> > Chief Development Officer
> > Paragon Initiative Enterprises <https://paragonie.com>
> >
> > On Sun, Jul 10, 2016 at 1:24 AM, Pierre Joye <pierre....@gmail.com> wrote:
> >
> >> On Jul 10, 2016 2:38 AM, "Charles R. Portwood II" <charlesportwoo...@erianna.com> wrote:
> >> >
> >> > Hello Internals,
> >> >
> >> > I'd like to improve the password_* functions by adding support for
> >> > Argon2[1], the winner of the Password Hashing Competition[2].
> >> >
> >> > I've previously implemented an extension[3] to handle this, however I
> >> > believe it would be better to have Argon2 implemented directly in the
> >> > password_* functions. I would handle implementation of this enhancement,
> >> > and would like to gather your feedback before formally proposing an RFC.
> >> >
> >> > My wiki username is: charlesportwoodii
> >> >
> >> > Thank you!
> >> > *Charles R. Portwood II*
> >> >
> >> > [1] <https://github.com/P-H-C/phc-winner-argon2>
> >> > [2] <https://password-hashing.net/>
> >> > [3] <https://github.com/charlesportwoodii/php-argon2-ext>
> >>
> >> Hi Charles,
> >>
> >> Nice work already.
> >>
> >> I add Scott to this thread to be sure he reads. As far as I remember he
> >> has a patch too but there were concerns about having argon2 support at this
> >> stage because of the current state of argon2 specs (or something along this
> >> line).
> >>
> >> Let's be sure that these concerns are solved before considering to include
> >> it as it means some bc risks later if the specs change.
> >>
> >> Cheers
> >> Pierre
>
> Thanks for your feedback everyone (and for granting wiki access)!
>
> This implementation would be against the version 1.3 of the Argon2
> reference library. As Scott mentioned, this proposal would be for inclusion
> on 7.1, and then made PASSWORD_DEFAULT in 7.3 per the password_hash RFC,
> assuming a better option does not arise.
>
> I'll provide an RFC within the coming days which will outline everything in
> detail.
>
> Thanks again,
>
> *Charles R. Portwood II*

Hi Charles,

it will probably have to target 7.2 as 7.1 has feature freeze in less than two weeks IIRC.

Regards, Niklas