Newsgroups: php.internals
Date: Mon, 3 Feb 2014 13:59:38 -0500
From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman)
To: Daniel Lowrey
Subject: Re: [PHP-DEV] Windows Peer Verification

> Personally, I say no. If people are going to programmatically use encrypted
> stream transfers they need to at the very least understand the basics of
> the CA system. We shouldn't subsidize insecurity, and it's trivially easy
> to procure a CA file.

That's a double standard.
You're saying _Windows_ users need to "at the very least understand"
while other users don't need to understand it at all, because It Just
Works.

And anyway I'm not in agreement that if people are going to use
outbound encryption -- if they are going to simply call a PHP function
-- they need to understand how to update their local CA bundle.

I would think that, the majority of the time, users are either [a]
loading a provided "PHP binding" (.PHP file) for a public API or [b]
copying-and-pasting boilerplate code from API documentation and, just
speaking realistically, you should not expect them to know what's
going on under the hood.

You can have a relatively good understanding of HTTP (without the S)
and when your service says "now you must use encryption" there
shouldn't be a big learning curve on the user side.

-- S.