-----Original Message-----
From: tjerk.meest...@gmail.com [mailto:tjerk.meest...@gmail.com] On Behalf
Of Tjerk Anne Meesters
Sent: Thursday, September 19, 2013 4:01 AM

> My point is that you need a reasonably up-to-date certs bundle to enable
> verification by default.

Actually, you don't. There is no reason why certificate validation cannot be
enabled by default without a CA bundle. Yes, verifications will fail by
default but this is no different than the cases where someone has an oddball
provider or self-signed certificates; they have to manually add the cert for
verification to pass.

Additionally, given the current certificate climate, I wouldn't trust
anything signed by the global CAs. If you're concerned about security, you
should be validating the certificate fingerprint and not trusting CAs.

Bryan


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
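
Added example, not part of the original message or of PHP itself: one way to combine the two points above in PHP userland, keeping peer verification on with a manually added certificate and then checking a SHA-256 fingerprint pin. The function names, the `$trustedPem` path and the sample digests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Accept "AB:CD:..." or "abcd..." and return 64 lowercase hex digits (SHA-256 only).
function normalize_pin(string $pin): string
{
    $hex = strtolower(str_replace([':', ' '], '', trim($pin)));
    if (preg_match('/^[0-9a-f]{64}$/', $hex) !== 1) {
        throw new InvalidArgumentException('pin must be a SHA-256 fingerprint');
    }
    return $hex;
}

// Constant-time comparison of the pinned fingerprint with the one the peer presented.
function pin_matches(string $pin, string $seenFingerprint): bool
{
    return hash_equals(normalize_pin($pin), normalize_pin($seenFingerprint));
}

// Verification stays on. The certificate the operator added by hand is supplied
// as cafile ($trustedPem is a hypothetical path), then the pin is checked.
function open_pinned(string $host, int $port, string $pin, string $trustedPem)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'cafile'            => $trustedPem,
        'capture_peer_cert' => true,
    ]]);
    $conn = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10.0,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($conn === false) {
        throw new RuntimeException("TLS connection or verification failed: $errstr");
    }
    $cert = stream_context_get_params($conn)['options']['ssl']['peer_certificate'];
    $seen = openssl_x509_fingerprint($cert, 'sha256');
    if ($seen === false || !pin_matches($pin, $seen)) {
        fclose($conn);
        throw new RuntimeException('certificate fingerprint does not match the pin');
    }
    return $conn;
}

// Offline check with constructed digests (not taken from any real certificate).
$pin = hash('sha256', 'constructed-der-bytes');
var_dump(pin_matches(strtoupper(implode(':', str_split($pin, 2))), $pin)); // same digest, other notation
var_dump(pin_matches($pin, hash('sha256', 'other-bytes')));               // different digest
```

The `cafile` approach assumes the manually added certificate is the server's self-signed certificate or its issuing CA; a pinned fingerprint must be updated whenever the server's certificate is rotated.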
