On 2017-05-29 13:58, Niklas Keller wrote:
I have updated the RFC to use a "min_signature_bits" setting instead.
At least that name is misleading. Most PHP users would probably wonder why a setting of 128 does not allow the 160-bit hash from SHA-1 or the 512-bit RSA. So the name should be more like "min_cryptographic_strength" (possibly prefixed with "signature_") to make it clear that this is not really about the bits in signature.
I'm not totally convinced about this bit approach in general. What happens if SHA-2 is suddenly broken and people move to SHA-3 of the same length?
Just my thoughts. -- Lauri Kenttä -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
