Newsgroups: php.internals
Subject: RE: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: bryan@ravensight.org ("Bryan C. Geraghty")
To: "'Tjerk Anne Meesters'", "'Pierre Joye'"
Cc: "'Daniel Lowrey'", "'Ángel González'"
Date: Thu, 19 Sep 2013 08:29:35 -0500
Message-ID: <000001ceb53c$492a3090$db7e91b0$@org>
References: <523A466C.4070903@gmail.com>

-----Original Message-----
From: tjerk.meesters@gmail.com [mailto:tjerk.meesters@gmail.com] On Behalf Of Tjerk Anne Meesters
Sent: Thursday, September 19, 2013 4:01 AM

> My point is that you need a reasonably up-to-date certs bundle to enable verification by default.

Actually, you don't. There is no reason why certificate validation cannot be enabled by default without a CA bundle. Yes, verifications will fail by default, but this is no different from the cases where someone has an oddball provider or self-signed certificates; they have to manually add the cert for verification to pass.

Additionally, given the current certificate climate, I wouldn't trust anything signed by the global CAs. If you're concerned about security, you should be validating the certificate fingerprint and not trusting CAs.

Bryan
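The two positions in the message above, shown as PHP stream contexts; this is an added example, not code from the thread or from PHP's own sources, and it assumes PHP 5.6 or later, where the `ssl` context options `verify_peer`, `verify_peer_name`, `cafile` and `peer_fingerprint` exist. The CA file path and the pin value are placeholders.

```php
<?php
// Added example illustrating the thread's two points; not from the mailing list.
// Assumes PHP >= 5.6 (peer_fingerprint was introduced in that release).

// 1. Verification on by default with no CA bundle supplied: the handshake fails
//    closed until the operator installs a trusted certificate. This is the
//    "enable it by default without a bundle" behaviour argued for above.
$strict = stream_context_create([
    'ssl' => [
        'verify_peer'      => true,   // validate the certificate chain ...
        'verify_peer_name' => true,   // ... and that the name matches the host
        // no 'cafile' / 'capath': nothing is trusted until one is added
    ],
]);

// 2. Pinning the peer certificate's digest instead of relying on the global CA
//    set. The chain check is kept as defence in depth; the pin is what decides.
//    The digest below is a placeholder, not any real certificate's fingerprint.
$pinned = stream_context_create([
    'ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => '/etc/ssl/certs/example-ca.pem', // hypothetical path
        'peer_fingerprint' => ['sha256' => str_repeat('0', 64)], // placeholder pin
    ],
]);

/**
 * Fetch $url with the given context. A failed handshake (untrusted chain or a
 * fingerprint mismatch) makes file_get_contents() return false; map that to null
 * so callers cannot confuse a verification failure with an empty response body.
 */
function fetch_with(string $url, $ctx): ?string
{
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Usage (needs network access):
// var_dump(fetch_with('https://example.com/', $strict)); // NULL: no trusted CA
// var_dump(fetch_with('https://example.com/', $pinned)); // body only if pin matches
```

With `$strict`, every connection is refused until a CA or the specific server certificate is added to `cafile`, which is the fail-closed default the message describes; with `$pinned`, a certificate signed by any CA is still rejected unless its SHA-256 digest equals the recorded pin.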