rfc:password_registry

Differences

This shows you the differences between two versions of the page.

rfc:password_registry [2018/10/23 14:57] pollitarfc:password_registry [2018/11/20 19:02] – Close voting pollita
Line 3: Line 3:
   * Date: 2018-10-15   * Date: 2018-10-15
   * Author: Sara Golemon, pollita@php.net   * Author: Sara Golemon, pollita@php.net
-  * Status: Under Discussion+  * Status: Accepted
   * First Published at: http://wiki.php.net/rfc/password_registry   * First Published at: http://wiki.php.net/rfc/password_registry
  
Line 41: Line 41:
 The **get_info** method pointer allows adding entries to an array return value for the password_get_info() userspace command.  This function must return SUCCESS or FAILURE. The **get_info** method pointer allows adding entries to an array return value for the password_get_info() userspace command.  This function must return SUCCESS or FAILURE.
  
-The **valid** method pointer is the mechanism used for determining what algorithm handler is appropriate for a given hash string.  For example, only the **bcrypt** handler should return true for a hash string beginning with "$2y$".+The **valid** method pointer is the mechanism used for determining what algorithm handler is appropriate for a given hash string.  For example, only the **bcrypt** handler should return true for a hash string beginning with "$2y$".  This callback may be NULL if the name alone is sufficient to identify an algorithm.  For example, the bcrypt algorithm has a length check in addition to its name identifier.
  
 Because the registry is organized as an associative array, any attempt to re-register an already present password mechanism will result in a failure. Because the registry is organized as an associative array, any attempt to re-register an already present password mechanism will result in a failure.
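Review bot: In the sentence added to the **valid** paragraph, the bcrypt example directly follows "This callback may be NULL if the name alone is sufficient to identify an algorithm" but describes the opposite case, an algorithm that needs the callback because it checks length as well as its identifier. Suggest rewording along the lines of "bcrypt, by contrast, supplies a valid callback because it has a length check in addition to its name identifier". The paragraph should also state how a handler registered with a NULL callback is matched against a hash string, since its first sentence still describes **valid** as the mechanism for choosing a handler.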
Line 63: Line 63:
 ====== Minimizing impact to BC ====== ====== Minimizing impact to BC ======
  
-We could overload the **password_hash()** and **password_needs_rehash()** methods to accept integer values 0, 1, 2, and 3 to function as aliases for DEFAULT, BCRYPT, ARGIN2I, and ARGON2ID, respectively.+In order to minimize the impact of the above BC. we could overload the **password_hash()** and **password_needs_rehash()** methods to accept integer values 0, 1, 2, and 3 to function as aliases for DEFAULT, BCRYPT, ARGIN2I, and ARGON2ID, respectively.   Using an int would therefore work, but would produce a deprecation warning.  This is being presented as a separate vote below.
  
 ===== Extension Changes ===== ===== Extension Changes =====
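Review bot: The new opening clause reads "the above BC. we could overload", which drops the word "break" and ends the clause with a full stop where a comma is needed; "ARGIN2I" is carried over unchanged from the old text and should read ARGON2I. Suggest "In order to minimize the impact of the above BC break, we could overload ...". The added sentence "Using an int would therefore work, but would produce a deprecation warning" covers only 0 through 3, so it would help to say what an integer outside that range does.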
Line 70: Line 70:
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
 7.next 7.next
- 
-===== Open Questions ===== 
-  * Should the registry support password hashing mechanisms defined in script code? (I don't think so, but feel free to disagree) 
  
 ===== Future Scope ===== ===== Future Scope =====
-Review ext/sodium to see if there are additional password hashing algorithms it may be appropriate to enable.+  * Review ext/sodium to see if there are additional password hashing algorithms it may be appropriate to enable
 +  * Consider exposing the registry to script code for the purpose of polyfill libraries.
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
 Simple 50% +1, make the password hashing system extensible via internal-only registry. Simple 50% +1, make the password hashing system extensible via internal-only registry.
 +
 +<doodle title="Make the password hashing system extensible via internal-only registry?" auth="pollita" voteType="single" closed="true">
 +   * Yes
 +   * No
 +</doodle>
 +
 +
 +Should the above poll pass, the following 50%+1 question asks if we should additionally provide the overloaded behavior described above in "minimizing impact to BC".
 +
 +<doodle title="Support integer constants 0-3 to password_hash() et. al. for BC" auth="pollita" voteType="single" closed="true">
 +   * Yes
 +   * No
 +</doodle>
 +
 +
 +Vote Open: 2018-11-06 17:00 UTC
 +
 +Vote Closes: 2018-11-20 17:00 UTC
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
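Review bot: The removed Open Questions entry recorded the author's position on script-defined hashing mechanisms ("I don't think so, but feel free to disagree"), while the new Future Scope bullet "Consider exposing the registry to script code for the purpose of polyfill libraries" reopens the same question without saying how it was settled for this version. Suggest adding a sentence to Future Scope stating that the registry stays internal-only in this RFC and why, to match the "internal-only registry" wording of the first poll. Minor: "et. al." in the second poll title should be "et al.", and the first Future Scope bullet lost its closing period when it became a list item.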
rfc/password_registry.txt · Last modified: 2018/12/25 13:07 by cmb