On Mon, Feb 3, 2014 at 2:33 PM, Sanford Whiteman <[email protected]> wrote:
> > I'm totally in agreement with everything you've said. There is no
> > "learning curve." The only thing required for a secure transfer in this
> > case is the knowledge that:
>
> > (1) You need a CA to verify that the other party is who they say they are
> > (2) As such, you have to tell PHP about the CA file(s) you want it to use.
>
> No.

I'm still completely befuddled. No one is arguing against ease of use here.
Have you read the relevant RFCs? Please just take sixty seconds to at least
read this one part then come back and tell me I'm making it *more
difficult* for the average user to make secure transfers.

https://wiki.php.net/rfc/improved-tls-defaults#tldr_definitive_progress

I'm clearly trying to simplify secure https:// usage as much as
possible.

What *may or may not be tenable* is the management of a custom CA file.
Distribution has its own issues and deserves as much consideration as
userland ease of use. Instantly discounting those is a myopic approach. You
can't just instantly rule out that bundling a file might not be feasible.