> I'm totally in agreement with everything you've said. There is no "learning
> curve." The only thing required for a secure transfer in this case is the
> knowledge that:
> (1) You need a CA to verify that the other party is who they say they are
> (2) As such, you have to tell PHP about the CA file(s) you want it to use.
No.
The other "only thing" required for a secure transfer on Windows, if
you do not ship a working Windows installer, is that the user
[] have permission to manage the server's PHP installation
For emphasis: we are talking about the PHP developer.
I don't know how you can assume that the PHP dev who is authoring --
let alone simply rolling out -- a WordPress plug-in can perform this
step. Perhaps "learning curve" is the wrong term. How about "newly
required server privileges"?
Of course, they may be able to specify a PEM in their home directory.
Which means they have to change the code they are rolling out to add
the extra arguments. Which means that third-party code can no longer
be updated automatically.
> There is nothing confusing or difficult about setting a single php.ini
> value "openssl.cafile = C:\path\to\cacert.pem"
> The whole point of the recently accepted RFC and the new RFC on TLS
> security is to eliminate the need for users to understand TLS to use these
> features.
The intent of turning on peer verification by default is to enforce
better security at the possible (in fact, previously documented) cost
of users having to understand, if not TLS itself, how to manage a CA
> There is no disagreement here and I'm not sure what you're
> arguing here.