Re: Windows Peer Verification

From: Date: Mon, 03 Feb 2014 18:59:38 +0000
Subject: Re: Windows Peer Verification
References: 1 2 3  Groups: php.internals 
> Personally, I say no. If people are going to programmatically use encrypted
> stream transfers they need to at the very least understand the basics of
> the CA system. We shouldn't subsidize insecurity, and it's trivially easy
> to procure a CA file.

That's a double standard. You're saying _Windows_ users need to "at
the very least understand" while other users don't need to understand
it at all, because It Just Works.

And anyway I'm not in agreement that if people are going to use
outbound encryption -- if they are going to simply call a PHP function
-- they need to understand how to update their local CA bundle. I
would think that, the majority of the time, users are either [a]
loading a provided "PHP binding" (.PHP file) for a public API or [b]
copying-and-pasting boilerplate code from API documentation and, just
speaking realistically, you should not expect them to know what's
going on under the hood. You can have a relatively good understanding
of HTTP (without the S) and when your service says "now you must use
encryption" there shouldn't be a big learning curve on the user side.

-- S.



