Newsgroups: php.internals
Date: Thu, 20 Jul 2017 13:38:26 -0400
To: Niklas Keller
Cc: Sara Golemon, Mathias Grimm, "internals@lists.php.net"
Subject: Re: [PHP-DEV] php.net website
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On Thu, Jul 20, 2017 at 1:42 AM, Niklas Keller wrote:

> They can also just request them themselves, but only for their mirror
> domain. If you allow them to issue for www.php.net, you can as well just
> put the current private key there.

I think there is a big difference between putting the private key there and
proxying validation for just a www.php.net CN alias. We already have a list
of known mirrors, so we would make sure to only validate www.php.net for
those. By validating www.php.net we allow any mirror to pretend they are
www.php.net and no other *.php.net domain, which is exactly what we want.

-Rasmus