Newsgroups: php.internals
From: rasmus@lerdorf.com (Rasmus Lerdorf)
Date: Wed, 19 Jul 2017 20:40:49 -0400
Subject: Re: [PHP-DEV] php.net website
To: Niklas Keller
Cc: Sara Golemon, Mathias Grimm, "internals@lists.php.net"

On Wed, Jul 19, 2017 at 1:42 PM, Niklas Keller wrote:

> We should really change that and fully move to HTTPS.

I have looked at various ways of doing this, but it isn't trivial and it has absolutely nothing to do with the actual html and slapping in some https links instead of http.

The problem here is that we have external volunteers running all our mirrors and we do geo-dns for www.php.net to your geographically close mirror site. Putting the private key for www.php.net on dozens of servers around the world we don't control is a non-starter.

One way that I played with was to use letsencrypt and have each mirror request an ssl cert for their local mirror, ca1.php.net, for example, and include a CN alias for www.php.net in that request. Then we would run a domain validation gateway/proxy on www.php.net which would validate these requests on behalf of the mirrors. But there are some security issues with this approach that I haven't quite thought through.
I would love to hear suggestions for perhaps a simpler solution to this problem that doesn't require pasting our private key all over the internet.

-Rasmus
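The validation gateway described in the message above, as an added example that is not code from the thread or from php.net. It assumes the ACME HTTP-01 challenge, an allow-list mapping each mirror to the thumbprint of its ACME account key, and a hypothetical Gateway class; the thumbprint value and the TTL are constructed.

```python
import re
import time

PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are base64url with at least 128 bits (22 chars); the upper bound is an assumption.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")
SHARED_NAME = "www.php.net"
TTL_SECONDS = 300  # assumed lifetime of a registration

# Constructed allow-list: mirror host -> thumbprint of that mirror's ACME account key.
MIRRORS = {"ca1.php.net": "CONSTRUCTED_THUMBPRINT_ca1"}


class Gateway:
    def __init__(self, mirrors, now=time.time):
        self.mirrors = mirrors
        self.now = now
        self.pending = {}  # token -> (mirror, expiry)

    def register(self, mirror, names, token):
        """A mirror (already authenticated, by assumption) announces a challenge token."""
        if mirror not in self.mirrors:
            return False  # unknown mirror
        if set(names) - {mirror, SHARED_NAME}:
            return False  # may only ask for its own name plus www.php.net
        if not TOKEN_RE.fullmatch(token) or token in self.pending:
            return False  # malformed token, or one another request already holds
        self.pending[token] = (mirror, self.now() + TTL_SECONDS)
        return True

    def answer(self, path):
        """Body to serve for the CA's GET on www.php.net, or None for a 404."""
        if not path.startswith(PREFIX):
            return None
        token = path[len(PREFIX):]
        if not TOKEN_RE.fullmatch(token) or token not in self.pending:
            return None
        mirror, expiry = self.pending[token]
        if self.now() > expiry:
            del self.pending[token]
            return None
        # HTTP-01 key authorization: token "." account-key thumbprint.
        # Not single-use: the CA may fetch it more than once.
        return f"{token}.{self.mirrors[mirror]}"
```

Each mirror keeps its own certificate key; the gateway only holds account-key thumbprints, which are not secret.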