Newsgroups: php.internals
Date: Mon, 3 Feb 2014 14:19:36 -0500
Subject: Re: Windows Peer Verification
From: rdlowrey@gmail.com (Daniel Lowrey)
To: "internals@lists.php.net", swhitemanlistens-software@cypressintegrated.com

> And anyway I'm not in agreement that if people are going to use
> outbound encryption -- if they are going to simply call a PHP function
> -- they need to understand how to update their local CA bundle. I
> would think that, the majority of the time, users are either [a]
> loading a provided "PHP binding" (.PHP file) for a public API or [b]
> copying-and-pasting boilerplate code from API documentation and, just
> speaking realistically, you should not expect them to know what's
> going on under the hood. You can have a relatively good understanding
> of HTTP (without the S) and when your service says "now you must use
> encryption" there shouldn't be a big learning curve on the user side.

I'm totally in agreement with everything you've said. There is no "learning curve." The only thing required for a secure transfer in this case is the knowledge that:

(1) You need a CA to verify that the other party is who they say they are
(2) As such, you have to tell PHP about the CA file(s) you want it to use.

There is nothing confusing or difficult about setting a single php.ini value "openssl.cafile = C:\path\to\cacert.pem"

But there is something *very* wrong with allowing users to do this without peer verification by default:

file_get_contents('http://yourbankinginstitution.com');

The whole point of the recently accepted RFC and the new RFC on TLS security is to eliminate the need for users to understand TLS to use these features. There is no disagreement here and I'm not sure what you're arguing here.
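The two settings the message describes (a CA bundle plus peer verification), shown side by side as an added example that is not part of the thread: an explicit stream context for PHP's openssl stream wrapper, with the verification-off configuration the message warns against next to the verifying one. The CA bundle path and the target URL are placeholders.

```php
<?php
// Added example, not from the mailing-list thread. Assumes the openssl
// extension is loaded and a CA bundle exists at the placeholder path below.
$caFile = 'C:\path\to\cacert.pem'; // placeholder, as in the message

// Weak: no chain or hostname check, so any certificate presented on the
// connection is accepted. This is the behaviour the message objects to
// as a default.
$unverified = stream_context_create(['ssl' => [
    'verify_peer'      => false,
    'verify_peer_name' => false,
]]);

// Corrected: verify the certificate chain against the CA bundle and
// check that the certificate matches the hostname in the URL.
// With openssl.cafile set in php.ini, the 'cafile' entry can be dropped.
$verified = stream_context_create(['ssl' => [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    'cafile'            => $caFile,
]]);

// Fetch a URL through the given context, refusing plaintext http:// and
// surfacing TLS failures as exceptions instead of a silent false.
function fetchVerified(string $url, $ctx): string
{
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException("refusing non-TLS URL: $url");
    }
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

// Usage with the verifying context; the unverified context is kept above
// only to show the difference and should not be used for real traffic.
$body = fetchVerified('https://example.com/', $verified); // placeholder host
echo strlen($body), " bytes received over a verified connection\n";
```

A certificate that does not chain to the bundle, or whose name does not match the host, makes file_get_contents return false with a warning, which fetchVerified turns into an exception.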