On Thu, Sep 19, 2013 at 09:58:59AM +0100, Chris Wright wrote:
> On Thu, Sep 19, 2013 at 2:07 AM, Tjerk Anne Meesters
> <tjerk.meest...@gmail.com> wrote:
> > To be practical, verifying certificates requires an up-to-date CA bundle
> > to be shipped with PHP; perhaps this is a simple thing to do, I'm not
> > sure.
>
> Unfortunately it isn't. It's easily possible to ship a current CA bundle
> *at the point when PHP is built/installed* but this needs to be *kept* up
> to date in order to remain useful. In the real world, people don't update
> production servers with every new release and the CA bundle that was
> correct at the time of print (as it were) would soon become outdated -
> although arguably an outdated bundle is better than nothing.
Agreed, however few people take PHP from the sources & compile it themselves. Most people will use the PHP that comes with their operating system and will expect their vendor/distributor to keep it up to date (security patches, etc).

If the PHP project includes a CA bundle that is kept up to date then the vendor/distributors can update their customers as & when.

It is not realistic to expect someone who is running a small web server to put the time into monitoring if they have up to date CA bundles; even if they understand what it is all about they probably don't have the time. This is what people expect the operating system vendor/distributor to do for them; end users will generally install updates when they become available, they generally have a hazy idea what these updates do -- that is OK, they have other things to worry about.

What I am saying is that the PHP project should include a CA bundle, probably as a separately installable component that can be updated separately. This will help the vendors/distributors to push out updates to their users.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
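The thread's concern is that a CA bundle shipped with PHP goes stale and that operators rarely check which bundle their PHP actually trusts. The following script is an added example, not code from the thread or from the PHP project: it reports the bundle PHP's OpenSSL extension will use and how old it is, then opens a TLS connection that refuses to proceed without peer verification. It assumes PHP 5.6 or later (for openssl_get_cert_locations() and verify_peer_name); the host name and the 180-day staleness threshold are constructed values.

```php
<?php
// Report which CA bundle PHP will use for peer verification and how stale
// it is. The 180-day threshold is an arbitrary constructed value.
function caBundleReport(int $maxAgeDays = 180): array
{
    $loc = openssl_get_cert_locations();
    // An explicit openssl.cafile in php.ini wins; otherwise PHP falls back
    // to the path compiled into the OpenSSL library.
    $cafile = ini_get('openssl.cafile') ?: $loc['default_cert_file'];
    $report = ['cafile' => $cafile, 'exists' => is_file($cafile),
               'age_days' => null, 'stale' => null];
    if ($report['exists']) {
        $ageDays = (time() - filemtime($cafile)) / 86400;
        $report['age_days'] = (int) $ageDays;
        $report['stale'] = $ageDays > $maxAgeDays;
    }
    return $report;
}

// Open a TLS stream that fails closed: a missing bundle is an error, never a
// reason to turn verify_peer off.
function openVerifiedTls(string $host, string $cafile, int $timeout = 10)
{
    if (!is_file($cafile)) {
        throw new RuntimeException("CA bundle not found: $cafile");
    }
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'peer_name'         => $host,
    ]]);
    $stream = @stream_socket_client("ssl://$host:443", $errno, $errstr,
                                    $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        throw new RuntimeException(
            "TLS verification failed for $host: $errstr ($errno)");
    }
    return $stream;
}

$r = caBundleReport();
printf("CA bundle: %s exists=%s age=%s days stale=%s\n", $r['cafile'],
       var_export($r['exists'], true), var_export($r['age_days'], true),
       var_export($r['stale'], true));
if ($r['exists']) {
    // "example.com" is a constructed host name for the demonstration.
    fclose(openVerifiedTls('example.com', $r['cafile']));
    echo "verified TLS handshake succeeded\n";
}
```

A stale-but-present bundle still lets the handshake succeed, which is the "outdated bundle is better than nothing" case; the age report is what lets an operator or distributor notice it needs refreshing.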