Newsgroups: php.internals
Date: Thu, 6 Feb 2014 15:09:49 +0100
To: Sanford Whiteman
Cc: Pierre Joye
Subject: Re: [PHP-DEV] Re: Windows Peer Verification
From: tyra3l@gmail.com (Ferenc Kovacs)

On Thu, Feb 6, 2014 at 7:13 AM, Sanford Whiteman <swhitemanlistens-software@cypressintegrated.com> wrote:

> Hey Pierre, re: the script to download the trusted CA bundle, how do
> you propose to make *that* connection secure the first time?
>
> Not being facetious. I was convinced (albeit suddenly) by Padraic's
> argument that all fault for insecure remote transfers lies with the
> developer as long as secure options exist. How do we avoid being that
> same kind of developer? Neither plain-text download nor unverified TLS
> should be used for the trusted CA root list. The ability to tamper
> with that download would be catastrophic.
>
> If we can't ship the CA bundle and can't ship even the CA cert for the
> site we choose to deliver the bundle, I think it's better to give
> people the URL and tell them to use a browser (which will perform
> verification).
>
> I was poking around and noticed that Mono's CLI for fetching the CA
> bundle (in this case Mozilla's) uses a plain http:// URL. I find this
> to be rather bizarre under the circumstances.
> [http://linux.die.net/man/1/mozroots]
>
> -- S.

What Pierre is/was proposing is that we include the CA file in the Windows binary distribution, and we also include a script which can generate/download the same CA file, so if you don't trust us to sneak something into the CA file, you can see for yourself, and also, when the Windows team does the packaging, they would use the same script (executed by a PHP installation already properly configured for SSL) to create the CA file to be included in the binary release.

So this would serve more of a transparency purpose than to provide a way for the PHP installs without a CA file to get one (as you mentioned, that would be a chicken/egg problem).

At least this is my understanding of the proposal (and if you remember, I'm on the side of not shipping a CA file at all, but educating our users where/how to get one).

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
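
The transparency check discussed in this message, as an added example that is not part of the original e-mail and not the PHP project's packaging script: it compares a shipped CA file with one regenerated locally by per-certificate SHA-256 fingerprint, so ordering, comments and line wrapping do not cause false differences. The function names `bundle_fingerprints` and `compare_bundles` and the sample data are hypothetical.

```php
<?php
// Added example: diff two PEM CA bundles by certificate fingerprint.

/** Return [sha256-of-DER => true] for every CERTIFICATE block in a PEM bundle. */
function bundle_fingerprints(string $pem): array
{
    $found = [];
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/s',
        $pem,
        $matches
    );
    foreach ($matches[1] as $body) {
        // Remove line breaks, then decode strictly so a corrupt block fails loudly.
        $der = base64_decode(preg_replace('/\s+/', '', $body), true);
        if ($der === false || $der === '') {
            throw new RuntimeException('Malformed certificate block in bundle');
        }
        $found[hash('sha256', $der)] = true;
    }
    return $found;
}

/** Report certificates present in only one of the two bundles. */
function compare_bundles(string $shipped, string $regenerated): array
{
    $a = bundle_fingerprints($shipped);
    $b = bundle_fingerprints($regenerated);
    return [
        'only_in_shipped'     => array_keys(array_diff_key($a, $b)),
        'only_in_regenerated' => array_keys(array_diff_key($b, $a)),
    ];
}

// Constructed sample data: the base64 bodies are placeholder bytes, not real certificates.
$pem = fn(string $raw) => "-----BEGIN CERTIFICATE-----\n"
    . chunk_split(base64_encode($raw), 64, "\n") . "-----END CERTIFICATE-----\n";
$shipped     = $pem('root-A') . $pem('root-B') . $pem('extra-root');
$regenerated = "# different order and a comment line\n" . $pem('root-B') . $pem('root-A');

$diff = compare_bundles($shipped, $regenerated);
printf("only in shipped: %d, only in regenerated: %d\n",
    count($diff['only_in_shipped']), count($diff['only_in_regenerated']));
// Non-zero exit status when the bundles differ, so the check can gate a packaging step.
exit($diff['only_in_shipped'] || $diff['only_in_regenerated'] ? 1 : 0);
```

A match only shows that the shipped file equals what the script produces on the checking machine; it says nothing about whether the source the script downloads from was fetched over a verified connection, which is the chicken/egg problem raised in the quoted message.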