> And anyway I'm not in agreement that if people are going to use
> outbound encryption -- if they are going to simply call a PHP function
> -- they need to understand how to update their local CA bundle. I
> would think that, the majority of the time, users are either [a]
> loading a provided "PHP binding" (.PHP file) for a public API or [b]
> copying-and-pasting boilerplate code from API documentation and, just
> speaking realistically, you should not expect them to know what's
> going on under the hood. You can have a relatively good understanding
> of HTTP (without the S) and when your service says "now you must use
> encryption" there shouldn't be a big learning curve on the user side.
I'm totally in agreement with everything you've said. There is no "learning
curve." The only thing required for a secure transfer in this case is the
knowledge that:
(1) You need a CA to verify that the other party is who they say they are
(2) As such, you have to tell PHP about the CA file(s) you want it to use.
There is nothing confusing or difficult about setting a single php.ini
value "openssl.cafile = C:\path\to\cacert.pem"
But there is something *very* wrong with allowing users to do this without
peer verification by default:
file_get_contents('http://yourbankinginstitution.com');
The whole point of the recently accepted RFC and the new RFC on TLS
security is to eliminate the need for users to understand TLS to use these
features. There is no disagreement here and I'm not sure what you're
arguing here.