HackerTrans
TopNewTrendsCommentsPastAskShowJobs

paragon_init

no profile record

Submissions

Promoting Misuse-Resistance in Paseto Libraries

paragonie.com
2 points·by paragon_init·vor 5 Jahren·0 comments

Firebase/PHP-JWT: New Risk of HS256/RSA256 Algorithm Confusion

github.com
4 points·by paragon_init·vor 5 Jahren·0 comments

Paseto Is an Even More Secure Alternative to the JOSE Standards (JWT, etc.)

paragonie.com
16 points·by paragon_init·vor 5 Jahren·0 comments

Ristretto255 for the PHP Community

paragonie.com
3 points·by paragon_init·vor 5 Jahren·0 comments

comments

paragon_init
·vor 2 Jahren·discuss
> * I shouldn't have to care where the certificates are stored. Just load the os default ones without asking me.

> * I shouldn't have to know what a pem is, and I shouldn't have to open() one.

Agreed, but what you're requesting is separate from the work being discussed in this blog post, and both are actually compatible.

For the PHP community, we made Certainty - https://github.com/paragonie/certainty

You can just...

  <?php
  use ParagonIE\Certainty\RemoteFetch;
  // cURL boilerplate
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

  // Fetch the latest CACert bundle, verify its authenticity, save it locally  
  $fetcher = new RemoteFetch('/path/to/certainty/data');
  $latestCACertBundle = $fetcher->getLatestBundle();
  curl_setopt($ch, CURLOPT_CAINFO, $latestCACertBundle->getFilePath());
Writing a Python client should be relatively straightforward, should anyone want to.

For Python specifically, there may be some value in storing the relevant PEM files into something like SigStore. That could be an easier proposal for the PyCA team to consider.