HackerTrans
トップ新着トレンドコメント過去質問紹介求人

paragon_init

no profile record

投稿

Promoting Misuse-Resistance in Paseto Libraries

paragonie.com
2 ポイント·投稿者 paragon_init·5 年前·0 コメント

Firebase/PHP-JWT: New Risk of HS256/RSA256 Algorithm Confusion

github.com
4 ポイント·投稿者 paragon_init·5 年前·0 コメント

Paseto Is an Even More Secure Alternative to the JOSE Standards (JWT, etc.)

paragonie.com
16 ポイント·投稿者 paragon_init·5 年前·0 コメント

Ristretto255 for the PHP Community

paragonie.com
3 ポイント·投稿者 paragon_init·5 年前·0 コメント

コメント

paragon_init
·2 年前·議論
> * I shouldn't have to care where the certificates are stored. Just load the os default ones without asking me.

> * I shouldn't have to know what a pem is, and I shouldn't have to open() one.

Agreed, but what you're requesting is separate from the work being discussed in this blog post, and both are actually compatible.

For the PHP community, we made Certainty - https://github.com/paragonie/certainty

You can just...

  <?php
  use ParagonIE\Certainty\RemoteFetch;
  // cURL boilerplate
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

  // Fetch the latest CACert bundle, verify its authenticity, save it locally  
  $fetcher = new RemoteFetch('/path/to/certainty/data');
  $latestCACertBundle = $fetcher->getLatestBundle();
  curl_setopt($ch, CURLOPT_CAINFO, $latestCACertBundle->getFilePath());
Writing a Python client should be relatively straightforward, should anyone want to.

For Python specifically, there may be some value in storing the relevant PEM files into something like SigStore. That could be an easier proposal for the PyCA team to consider.