Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-06-07 Thread Yasuo Ohgaki
On Fri, May 12, 2017 at 8:37 PM, Dan Ackroyd wrote:
> This conversation appears to have reached an end.

Indeed. No example usage that justifies current signature. It proves what was wrong. I'll post final doc patch in new thread.

Regards,
--
Yasuo Ohgaki

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-12 Thread Dan Ackroyd
Everyone, This conversation appears to have reached an end. Please consider carefully before continuing it. /xkcd 386 cheers Dan

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-11 Thread Yasuo Ohgaki
Hi Ryan, On Wed, May 10, 2017 at 7:12 AM, Ryan Pallas wrote: > Dude, he doesn't have to provide anything. The proposal was turned down > unanimously. Why do you keep sending mail after mail on this? Also, try > sending one mail instead of many when replying. Also, consider

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-11 Thread Yasuo Ohgaki
On Wed, May 10, 2017 at 7:21 AM, li...@rhsoft.net wrote: > On 09.05.2017 at 23:36, Yasuo Ohgaki wrote: > >> Hi, >> >> On Sun, Apr 30, 2017 at 3:55 PM, li...@rhsoft.net wrote: >> >> . PLEASE STOP riding

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-09 Thread li...@rhsoft.net
On 09.05.2017 at 23:36, Yasuo Ohgaki wrote: Hi, On Sun, Apr 30, 2017 at 3:55 PM, li...@rhsoft.net wrote: . PLEASE STOP riding that dead horse - it's even annoying for users following the devel-list how you

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-09 Thread Ryan Pallas
On May 9, 2017 15:46, "Yasuo Ohgaki" wrote: Hi Andrey, On Sun, Apr 30, 2017 at 8:26 AM, Yasuo Ohgaki wrote: > On Sun, Apr 30, 2017 at 8:14 AM, Yasuo Ohgaki wrote: > >> I don't need your view of HKDF RFC or usage, but I do need good

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-09 Thread Yasuo Ohgaki
Hi Andrey, On Sun, Apr 30, 2017 at 8:26 AM, Yasuo Ohgaki wrote: > On Sun, Apr 30, 2017 at 8:14 AM, Yasuo Ohgaki wrote: > >> I don't need your view of HKDF RFC or usage, but I do need good practical >> examples that justify your point of view. Please

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-05-09 Thread Yasuo Ohgaki
Hi, On Sun, Apr 30, 2017 at 3:55 PM, li...@rhsoft.net wrote: > . PLEASE STOP riding that dead horse - it's even annoying for users > following the devel-list how you argue on that topic over months - nobody > shares your view, that's it - accept it Apparently not. You

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-30 Thread li...@rhsoft.net
On 30.04.2017 at 01:26, Yasuo Ohgaki wrote: On Sun, Apr 30, 2017 at 8:14 AM, Yasuo Ohgaki wrote: I don't need your view of HKDF RFC or usage, but I do need good practical examples that justify your point of view. Please don't waste your/my time, just give some good

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-29 Thread Yasuo Ohgaki
On Sun, Apr 30, 2017 at 8:14 AM, Yasuo Ohgaki wrote: > I don't need your view of HKDF RFC or usage, but I do need good practical > examples that justify your point of view. Please don't waste your/my > time, > just give some good examples in next reply. Thanks. > BTW,

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-29 Thread Yasuo Ohgaki
Hi Andrey, On Tue, Apr 25, 2017 at 7:17 PM, Andrey Andreev wrote: > Hi, > > On Tue, Apr 25, 2017 at 3:28 AM, Yasuo Ohgaki wrote: > >> > >> If you want examples, search GitHub for PHP code utilizing HKDF - you > >> will see that most projects use it without

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-25 Thread Andrey Andreev
Hi, On Tue, Apr 25, 2017 at 3:28 AM, Yasuo Ohgaki wrote: >> >> If you want examples, search GitHub for PHP code utilizing HKDF - you >> will see that most projects use it without a salt, including >> https://github.com/defuse/php-encryption - pretty much the best PHP >>

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-24 Thread Yasuo Ohgaki
On Tue, Apr 25, 2017 at 9:28 AM, Yasuo Ohgaki wrote:
> I don't think the author wouldn't make such mistake, so I checked.

Oops. Double denial. I thought the author wouldn't make such mistake, so I checked.

--
Yasuo Ohgaki
yohg...@ohgaki.net

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-24 Thread Yasuo Ohgaki
Hi Andrey, On Sun, Apr 23, 2017 at 7:24 AM, Andrey Andreev wrote: > > You're tired? Yasuo, the reason why you're not receiving replies > unless you say "I'll commit in a few days if there are no more > comments" is because everybody is tired of talking to you. > > If you want

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-22 Thread Andrey Andreev
Hi, On Sat, Apr 22, 2017 at 10:37 PM, Yasuo Ohgaki wrote: > Hi Niklas, > > On Sun, Apr 23, 2017 at 4:32 AM, Niklas Keller wrote: >> >> >> What the... there were multiple concerns regarding the changes already. >> I'm hereby expressing another strong -1 on

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-22 Thread Yasuo Ohgaki
Hi Niklas, On Sun, Apr 23, 2017 at 4:32 AM, Niklas Keller wrote: > > What the... there were multiple concerns regarding the changes already. > I'm hereby expressing another strong -1 on these. > Instead of posting your feeling, please post logic behind your idea. Most of the

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-22 Thread Niklas Keller
2017-04-22 21:14 GMT+02:00 Yasuo Ohgaki: > Hi all, > > On Sat, Apr 15, 2017 at 9:17 AM, Yasuo Ohgaki wrote: > > > My opinions are either based on concrete logic or > > recommendations based on reliable sources. > > > > I improved hash_hkdf() manual further

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-22 Thread Yasuo Ohgaki
Hi all, On Sat, Apr 15, 2017 at 9:17 AM, Yasuo Ohgaki wrote: > My opinions are either based on concrete logic or > recommendations based on reliable sources. > > I improved hash_hkdf() manual further based on RFC 5869 descriptions. >

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-14 Thread Yasuo Ohgaki
Hi Pieter, On Fri, Apr 14, 2017 at 6:45 PM, Pieter Hordijk wrote: > > I have the feeling you keep adding your own personal preferences to the > manual. No, not at all. My opinions are either based on concrete logic or recommendations based on reliable sources. I improved

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-14 Thread Yasuo Ohgaki
Hi Nikita, On Fri, Apr 14, 2017 at 6:24 PM, Nikita Popov wrote: > Strong -1 on these docs changes. They are wrong and they will confuse > users about when and how HKDF should be used. > > I have no idea where you got the idea that HKDF is supposed to be used for > CSRF

[PHP-DEV] Re: [PHP-DOC] [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-14 Thread Philip Olson
Hello, The PHP documentation has a separate place for detailed examples. For example: http://php.net/manual/en/book.inclued.php http://php.net/manual/en/inclued.examples-implementation.php The same could be done for ext/hash which today lacks an Examples section:

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-14 Thread Pieter Hordijk
rey Andreev" > <n...@devilix.net>, "internals" <internals@lists.php.net>, "phpdoc" > <php...@lists.php.net> > Sent: Friday, April 14, 2017 11:24:53 AM > Subject: Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter > On Thu, Apr 13, 201

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-14 Thread Nikita Popov
On Thu, Apr 13, 2017 at 11:22 PM, Yasuo Ohgaki wrote: > Hi Pieter and all, > > On Thu, Apr 13, 2017 at 5:11 PM, Pieter Hordijk > wrote: > > > Is this really something we need in our official docs instead of for > > example > > on a personal blog? > >

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-13 Thread Yasuo Ohgaki
Hi all, On Fri, Apr 14, 2017 at 6:22 AM, Yasuo Ohgaki wrote: > > On Thu, Apr 13, 2017 at 5:11 PM, Pieter Hordijk > wrote: > >> Is this really something we need in our official docs instead of for >> example >> on a personal blog? >> > > I wrote draft

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-13 Thread Yasuo Ohgaki
Hi Pieter and all, On Thu, Apr 13, 2017 at 5:11 PM, Pieter Hordijk wrote: > Is this really something we need in our official docs instead of for > example > on a personal blog? > I wrote draft doc patch. Please verify. Index: en/reference/hash/functions/hash-hkdf.xml

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-13 Thread Yasuo Ohgaki
Hi Pieter, On Thu, Apr 13, 2017 at 5:38 PM, Yasuo Ohgaki wrote: > > On Thu, Apr 13, 2017 at 5:11 PM, Pieter Hordijk > wrote: > >> To be honest I am afraid of ending up with something like the current >> state >> of the session docs. Which are imo way

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-13 Thread Yasuo Ohgaki
Hi Pieter, On Thu, Apr 13, 2017 at 5:11 PM, Pieter Hordijk wrote: > To be honest I am afraid of ending up with something like the current state > of the session docs. Which are imo way too broad / opinionated, non > English, > contains utterly confusing examples and / or

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-13 Thread Pieter Hordijk
- Original Message - > From: "Yasuo Ohgaki" <yohg...@ohgaki.net> > To: "Joe Watkins" <pthre...@pthreads.org>, "Andrey Andreev" <n...@devilix.net> > Cc: internals@lists.php.net > Sent: Thursday, April 13, 2017 1:07:19 AM > S

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-12 Thread Yasuo Ohgaki
Hi Joe, On Wed, Apr 12, 2017 at 7:46 PM, Joe Watkins wrote: > This RFC was left open for 5 days past the end of voting as declared on > the RFC. > Thank you, I forgot about this. IMHO, it's a shame for us we should have inconsistent and insecure function signature for a

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-04-12 Thread Joe Watkins
Morning, This RFC was left open for 5 days past the end of voting as declared on the RFC. I have closed the vote, and moved it out of voting section on RFC index. Cheers Joe On Sat, Apr 1, 2017 at 3:50 AM, Yasuo Ohgaki wrote: > Hi all, > > - insecure signature (it

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-03-31 Thread Yasuo Ohgaki
Hi all, - insecure signature (it ignores strong RFC 5689 recommendation) s/RFC 5689/RFC 5869/ On Sat, Apr 1, 2017 at 11:27 AM, Yasuo Ohgaki wrote: > > Given that the function is live in the wild, massively changing the order >> of things and defaults is an instant red

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-03-31 Thread Yasuo Ohgaki
Hi Stephen, On Mon, Mar 27, 2017 at 1:09 PM, Stephen Reay wrote: > > It sounds to me like it is *possible* to currently use hash_hkdf() in a > secure manner, but that you (and some others?) feel the arg order and > default args are not conducive to safe/secure usage. >

Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-03-26 Thread Stephen Reay
> > I'll try to explain a bit more by examples. > Hi Yasuo, It sounds to me like it is *possible* to currently use hash_hkdf() in a secure manner, but that you (and some others?) feel the arg order and default args are not conducive to safe/secure usage. Given that the function is live in

[PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter

2017-03-25 Thread Yasuo Ohgaki
Hi all, Since hash_hkdf() is in PHP 7.1.2, I restarted vote. I posted previous announce in discussion thread by mistake. https://wiki.php.net/rfc/improve_hash_hkdf_parameter Vote start: 2017-03-26 Vote end: 2017-04-07 UTC 23:59:59 Current hash_hkdf() function signature does not make sense. -

Re: [PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter

2017-03-25 Thread Yasuo Ohgaki
Hi Nikita, On Sat, Mar 25, 2017 at 8:17 PM, Nikita Popov wrote: > I cannot, however, entirely refrain from pointing out the irony of making > all parameters but $length required, while $length is actually the one > parameter that any reasonable use of this function must

Re: [PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter

2017-03-25 Thread Yasuo Ohgaki
On Sat, Mar 25, 2017 at 10:16 PM, Niklas Keller wrote: > https://wiki.php.net/rfc/improve_hash_hkdf_parameter# > backward_incompatible_changes says "It is merged into PHP 7.1.2.", but > doesn't talk about what it's supposed to say: It breaks BC with the already > released

Re: [PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter

2017-03-25 Thread Niklas Keller
https://wiki.php.net/rfc/improve_hash_hkdf_parameter#backward_incompatible_changes says "It is merged into PHP 7.1.2.", but doesn't talk about what it's supposed to say: It breaks BC with the already released implementation. https://wiki.php.net/rfc/improve_hash_hkdf_parameter#rfc_impact says

Re: [PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter

2017-03-25 Thread Nikita Popov
On Sat, Mar 25, 2017 at 3:25 AM, Yasuo Ohgaki wrote: > Hi all, > > Since hash_hkdf() is in PHP 7.1.2, I start vote from today. > > Current hash_hkdf() function signature does not make sense. > > - hash_hkdf() is simple hash_hmac() extension, yet it has totally >different

Re: [PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter

2017-03-25 Thread Niklas Keller
> > Hi all, > > Since hash_hkdf() is in PHP 7.1.2, I start vote from today. > > Current hash_hkdf() function signature does not make sense. > > - hash_hkdf() is simple hash_hmac() extension, yet it has totally >different signature. > - Return value is binary unlike other hash functions. > -

[PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter

2017-03-24 Thread Yasuo Ohgaki
Hi all, Since hash_hkdf() is in PHP 7.1.2, I start vote from today. Current hash_hkdf() function signature does not make sense. - hash_hkdf() is simple hash_hmac() extension, yet it has totally different signature. - Return value is binary unlike other hash functions. - The signature is