Newsgroups: php.internals
Xref: news.php.net php.internals:70704
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Joe Watkins
Cc: PHP Internals, Daniel Lowrey
Date: Tue, 17 Dec 2013 13:36:15 +0100
In-Reply-To: <52B041E5.9070903@php.net>
References: <52AFABF7.60105@sugarcrm.com> <52B004E2.30607@php.net> <52B041E5.9070903@php.net>

On Tue, Dec 17, 2013 at 1:21 PM, Joe Watkins wrote:
> On 12/17/2013 12:08 PM, Daniel Lowrey wrote:
>
>>> given that this is a security related change, one could argue that
>>> security fixes should be ok to go in a minor version, even if they
>>> break BC.
>>
>> This was my thought process. In my mind the RFC is about improving
>> security for users who don't know any better. I'm hoping to avoid the
>> "Are we allowed to break BC?" discussion.
>
> Okay, but nobody is asking the question "are we allowed to break
> compatibility for no good reason", because it's a silly question.
>
>> Adding a CA file to the distribution is exceedingly simple, but this is
>> not a silver bullet. For example, the Mozilla CA file used by cURL is
>> usually updated three or four times a year. Even when bundling a CA file
>> it would only be a matter of time before a distribution's version was
>> out of date. In the end we can only do so much before users must bear
>> the weight of maintaining an acceptable level of security themselves.
>
> So then bundle it, doing something is much better than doing nothing,
> there are plenty of opportunities to update the cafile with minor
> versions, the package maintainers will likely solve the stale cafile
> problem for us on the major distributions, when they see we are actually
> doing something about it ...
>
> It really does not seem sensible to purposefully break compatibility when
> it can be retained easily, the vote is going to be split with no clear
> outcome doing no good for anyone. Reduce the options to two if you want
> to actually move forward.
>
> That's enough from me, gonna go find something to break :)

Don't forget that bundling a CA file also means that we take the burden of
keeping it up-to-date onto our shoulders. I'm not saying that we shouldn't
do it, but if we do then we have to make sure that we understand the
implications. Even if we take the "easy" path and select an already
existing CA bundle (eg. Mozilla), we have to make sure to always ship the
up-to-date version, and there could be events when we would need to create
a release only because of some CA incident (like what happened with
DigiNotar in 2011, which forced everybody shipping CA bundles to update
their bundle to remove this CA from its list of trusted CAs).

As I've said, I'm only stating this so everybody can understand the
implications before voting.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
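The two maintenance problems the thread raises, a bundled CA file going stale and a CA having to be pulled from it after an incident, are exactly what a release check on the bundle has to catch. The script below is an added example and is not code from this thread, from the RFC, or from PHP's own build; it constructs a two-root bundle in memory with PHP's OpenSSL functions, audits it for staleness, near-expiry and a name on a distrust list (DigiNotar, the case named above, used only as the constructed stand-in), and then shows the stream context that actually turns peer verification on against that bundle. The function names (makeSelfSignedRoot, splitPemBundle, auditBundle), the 120-day freshness limit and the "## Certificate data from Mozilla as of:" header line (the format cURL's cacert.pem uses, reproduced here on constructed data) are assumptions of the example, not anything the thread specifies.

```php
<?php
declare(strict_types=1);

// Added example, not from the php.internals thread or from PHP itself.
// Generate a self-signed root valid for $days days (constructed test data).
function makeSelfSignedRoot(string $name, int $days): string
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    $dn  = ['organizationName' => $name, 'commonName' => "$name Root CA"];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $pem);
    return $pem;
}

// Split a PEM bundle into its individual certificates.
function splitPemBundle(string $bundle): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $bundle, $m);
    return $m[0];
}

// Return human-readable findings; an empty list means the bundle is shippable.
function auditBundle(string $bundle, array $distrusted, int $maxAgeDays = 120, int $warnDays = 30): array
{
    $findings = [];
    $now = time();

    // Freshness: the cURL-packaged Mozilla extract carries this header line.
    if (preg_match('/^## Certificate data from Mozilla as of: (.+)$/m', $bundle, $m)) {
        $asOf = strtotime(trim($m[1]));
        if ($asOf === false) {
            $findings[] = 'freshness line present but unparseable';
        } elseif (($now - $asOf) / 86400 > $maxAgeDays) {
            $findings[] = sprintf('bundle data is %d days old (limit %d)', ($now - $asOf) / 86400, $maxAgeDays);
        }
    } else {
        $findings[] = 'no "Certificate data from Mozilla as of" line; cannot tell how stale this bundle is';
    }

    foreach (splitPemBundle($bundle) as $i => $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            $findings[] = "cert #$i: not parseable";
            continue;
        }
        $cn  = $info['subject']['CN'] ?? '(no CN)';
        $org = $info['subject']['O']  ?? '';

        // A CA that has been distrusted must leave the bundle, whatever its dates say.
        foreach ($distrusted as $bad) {
            if (stripos($cn, $bad) !== false || stripos($org, $bad) !== false) {
                $findings[] = "cert #$i ($cn): matches distrusted CA '$bad', must be removed";
            }
        }

        $daysLeft = (int) floor(($info['validTo_time_t'] - $now) / 86400);
        if ($daysLeft < 0) {
            $findings[] = "cert #$i ($cn): expired " . (-$daysLeft) . " days ago";
        } elseif ($daysLeft < $warnDays) {
            $findings[] = "cert #$i ($cn): expires in $daysLeft days";
        }
    }
    return $findings;
}

// --- constructed input: a 200-day-old header, one healthy root, one bad one ---
$bundle = '## Certificate data from Mozilla as of: '
        . gmdate('D M d H:i:s Y', time() - 200 * 86400) . " GMT\n"
        . makeSelfSignedRoot('Example Trust', 3650)
        . makeSelfSignedRoot('DigiNotar', 10);   // constructed stand-in for a distrusted CA

foreach (auditBundle($bundle, ['DigiNotar']) as $f) {
    echo "FINDING: $f\n";
}

// --- what the audited bundle is for: with verify_peer on, PHP refuses any
// peer whose chain does not end at one of these roots. No connection is made here.
$cafile = tempnam(sys_get_temp_dir(), 'cabundle');
file_put_contents($cafile, $bundle);
$ctx = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,   // hostname check; option name from PHP 5.6+
    'cafile'           => $cafile,
]]);
// e.g. file_get_contents('https://example.org/', false, $ctx) would now fail
// closed instead of silently trusting an unverified peer.
unlink($cafile);
```

Run it with `php audit.php`: the constructed bundle produces a stale-data finding, a distrust match on the second root and an expiry warning for it, while the first root passes. Against a real bundle the distrust list would be whatever the shipping policy says to remove, and the age limit would be set from how often the upstream bundle is actually refreshed (the thread puts that at three or four times a year), which is the number a release process has to be built around if the bundle is shipped at all.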