Closed thisispiers closed 2 years ago
No current plans, but we aren't ruling anything out. What did you have in mind?
I'm the author of that RFC, I don't use this library.
What did you have in mind?
The attribute should be applied to all parameters that hold sensitive data. For the PHP standard library this includes key material and plaintext data.
see paragonie/constant_time_encoding#48 where I made the necessary changes.
Looking at ciphersweet anything you run through Util::memzero()
during destruction should likely receive the attribute, for Util::aes256ctr()
all parameters except possibly the $nonce
should receive the attribute, &c.
See https://github.com/thisispiers/ciphersweet/commit/aa0e6664978e0c46b590e21a453372f416146c87
In future, we might be able to use classes to redact specific array values.
Done in #76
PHP 8.2 is due to be released in November. Are plans in place to support this new feature?