rfc:password_registry
Differences
This shows you the differences between two versions of the page.
rfc:password_registry [2018/10/23 14:57] – pollita | rfc:password_registry [2018/12/25 13:07] (current) – This RFC has already been implemented cmb | ||
---|---|---|---|
Line 3: | Line 3: | ||
* Date: 2018-10-15 | * Date: 2018-10-15 | ||
* Author: Sara Golemon, pollita@php.net | * Author: Sara Golemon, pollita@php.net | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 41: | Line 41: | ||
The **get_info** method pointer allows adding entries to an array return value for the password_get_info() userspace command. | The **get_info** method pointer allows adding entries to an array return value for the password_get_info() userspace command. | ||
- | The **valid** method pointer is the mechanism used for determining what algorithm handler is appropriate for a given hash string. | + | The **valid** method pointer is the mechanism used for determining what algorithm handler is appropriate for a given hash string. |
Because the registry is organized as an associative array, any attempt to re-register an already present password mechanism will result in a failure. | Because the registry is organized as an associative array, any attempt to re-register an already present password mechanism will result in a failure. | ||
Line 63: | Line 63: | ||
====== Minimizing impact to BC ====== | ====== Minimizing impact to BC ====== | ||
- | We could overload the **password_hash()** and **password_needs_rehash()** methods to accept integer values 0, 1, 2, and 3 to function as aliases for DEFAULT, BCRYPT, ARGIN2I, and ARGON2ID, respectively. | + | In order to minimize the impact of the above BC. we could overload the **password_hash()** and **password_needs_rehash()** methods to accept integer values 0, 1, 2, and 3 to function as aliases for DEFAULT, BCRYPT, ARGIN2I, and ARGON2ID, respectively. Using an int would therefore work, but would produce a deprecation warning. |
===== Extension Changes ===== | ===== Extension Changes ===== | ||
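Review bot: the added sentence under "Minimizing impact to BC" breaks at "the above BC. we could overload"; it should read as one sentence, for example "the above BC break, we could overload". The alias list also spells "ARGIN2I" where "ARGON2I" is meant, and the typo is carried over unchanged from the removed line. Because the new text says an int "would therefore work, but would produce a deprecation warning", it would help to state what happens for integers other than 0, 1, 2, and 3.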
Line 70: | Line 70: | ||
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
7.next | 7.next | ||
- | |||
- | ===== Open Questions ===== | ||
- | * Should the registry support password hashing mechanisms defined in script code? (I don't think so, but feel free to disagree) | ||
===== Future Scope ===== | ===== Future Scope ===== | ||
- | Review ext/sodium to see if there are additional password hashing algorithms it may be appropriate to enable. | + | * Review ext/sodium to see if there are additional password hashing algorithms it may be appropriate to enable. |
+ | * Consider exposing the registry to script code for the purpose of polyfill libraries. | ||
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== | ||
Simple 50% +1, make the password hashing system extensible via internal-only registry. | Simple 50% +1, make the password hashing system extensible via internal-only registry. | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | |||
+ | Should the above poll pass, the following 50%+1 question asks if we should additionally provide the overloaded behavior described above in " | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | |||
+ | Vote Open: 2018-11-06 17:00 UTC | ||
+ | |||
+ | Vote Closes: 2018-11-20 17:00 UTC | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
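Review bot: the "Open Questions" section is dropped and its only item reappears as the Future Scope bullet "Consider exposing the registry to script code for the purpose of polyfill libraries", with no record of how the question was settled. Add a sentence saying that script-defined mechanisms are out of scope for this version, so that the first poll's wording ("internal-only registry") is visibly tied to that decision. The two polls also write the threshold differently ("Simple 50% +1" and "50%+1"); use one form.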
Line 86: | Line 102: | ||
* https:// | * https:// | ||
+ | ===== Implementation ===== | ||
+ | |||
+ | - Implementation: | ||
+ | - Documentation: | ||
rfc/password_registry.1540306671.txt.gz · Last modified: 2018/10/23 14:57 by pollita