Newsgroups: php.internals
Xref: news.php.net php.internals:72104
Date: Mon, 3 Feb 2014 14:33:39 -0500
From: sandy@figureone.com (Sanford Whiteman)
Reply-To: Sanford Whiteman
To: Daniel Lowrey
CC: internals@lists.php.net
Message-ID: <344075933.20140203143339@figureone.com>
Subject: Re: [PHP-DEV] Re: Windows Peer Verification

> I'm totally in agreement with everything you've said. There is no "learning
> curve." The only thing required for a secure transfer in this case is the
> knowledge that:
> (1) You need a CA to verify that the other party is who they say they are
> (2) As such, you have to tell PHP about the CA file(s) you want it to use.

No.

The other "only thing" required for a secure transfer on Windows, if you do not ship a working Windows installer, is that the user [] have permission to manage the server's PHP installation.

For emphasis: we are talking about the PHP developer. I don't know how you can assume that the PHP dev who is authoring -- let alone simply rolling out -- a WordPress plug-in can perform this step.

Perhaps "learning curve" is the wrong term. How about "newly required server privileges"?

Of course, they may be able to specify a PEM in their home directory. Which means they have to change the code they are rolling out to add the extra arguments. Which means that third-party code can no longer be updated automatically.

> There is nothing confusing or difficult about setting a single php.ini
> value "openssl.cafile = C:\path\to\cacert.pem"
>
> The whole point of the recently accepted RFC and the new RFC on TLS
> security is to eliminate the need for users to understand TLS to use these
> features.

The intent of turning on peer verification by default is to enforce better security at the possible (in fact, previously documented) cost of users having to understand, if not TLS itself, how to manage a CA.

> There is no disagreement here and I'm not sure what you're
> arguing here.
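The two paths the thread contrasts, a server-wide `openssl.cafile` in php.ini versus "extra arguments" shipped inside third-party code, look like this in practice. The following is an added illustration, not code from either poster or from the PHP project; it assumes PHP 5.6 or later (where `openssl_get_cert_locations()` and the `openssl.cafile` ini setting exist), and the host name and bundle paths are placeholders.

```php
<?php
// Added example, not from the mailing-list thread: opening a TLS connection
// with peer verification kept on, and reporting where PHP will look for a
// CA bundle. Host names and paths below are placeholders.

declare(strict_types=1);

/**
 * Report where PHP will look for trusted CAs. The ini_* entries come from
 * php.ini (openssl.cafile / openssl.capath, the server-wide setting an
 * administrator must write); the default_* entries are compiled into the
 * OpenSSL build and are what Windows builds frequently lack.
 */
function caBundleLocations(): array
{
    $loc = openssl_get_cert_locations();
    return [
        'ini_cafile'        => $loc['ini_cafile'] ?? '',
        'ini_capath'        => $loc['ini_capath'] ?? '',
        'default_cert_file' => $loc['default_cert_file'] ?? '',
        'default_cert_dir'  => $loc['default_cert_dir'] ?? '',
    ];
}

/**
 * Build an SSL stream context that keeps peer verification enabled.
 * With $cafile null the engine falls back to openssl.cafile/openssl.capath
 * (or the compiled-in default). Passing a file is the "extra argument" a
 * developer without php.ini access has to bundle with their own code.
 */
function verifiedContext(string $expectedHost, ?string $cafile = null)
{
    $ssl = [
        'verify_peer'       => true,  // certificate must chain to a trusted CA
        'verify_peer_name'  => true,  // certificate must match the host name
        'allow_self_signed' => false,
        'peer_name'         => $expectedHost,
    ];
    if ($cafile !== null) {
        if (!is_readable($cafile)) {
            // Fail closed: a missing bundle must not silently become "no verification".
            throw new RuntimeException("CA bundle not readable: $cafile");
        }
        $ssl['cafile'] = $cafile;
    }
    return stream_context_create(['ssl' => $ssl]);
}

/**
 * Open the connection. A verification failure surfaces as a warning plus a
 * false return from stream_socket_client(); convert that into an exception so
 * a caller cannot accidentally continue over an unverified channel.
 */
function connectVerified(string $host, int $port = 443, ?string $cafile = null)
{
    $ctx    = verifiedContext($host, $cafile);
    $errno  = 0;
    $errstr = '';
    $sock = @stream_socket_client(
        "tls://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        throw new RuntimeException("TLS connection to $host failed: $errstr ($errno)");
    }
    return $sock;
}

// Usage (placeholder host and paths):
//   Library that ships its own PEM next to its code:
//     $sock = connectVerified('example.com', 443, __DIR__ . '/cacert.pem');
//   Library that relies on the administrator having set, in php.ini,
//     openssl.cafile = C:\path\to\cacert.pem
//     $sock = connectVerified('example.com');
print_r(caBundleLocations());
```

Running `caBundleLocations()` at install time is a cheap way for a plug-in to tell its user up front that no CA bundle is configured, rather than discovering it as a failed connection later; `connectVerified()` never turns `verify_peer` off as a fallback, which is the behaviour the default-on RFC is meant to make routine.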