by paragon_init
878 days ago
> * I shouldn't have to care where the certificates are stored. Just load the os default ones without asking me.
> * I shouldn't have to know what a pem is, and I shouldn't have to open() one.

Agreed, but what you're requesting is separate from the work being discussed in this blog post, and both are actually compatible.

For the PHP community, we made Certainty - https://github.com/paragonie/certainty

You can just...

    <?php
    use ParagonIE\Certainty\RemoteFetch;

    // cURL boilerplate
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

    // Fetch the latest CACert bundle, verify its authenticity, save it locally
    $fetcher = new RemoteFetch('/path/to/certainty/data');
    $latestCACertBundle = $fetcher->getLatestBundle();
    curl_setopt($ch, CURLOPT_CAINFO, $latestCACertBundle->getFilePath());

Writing a Python client should be relatively straightforward, should anyone want to.

For Python specifically, there may be some value in storing the relevant PEM files into something like SigStore. That could be an easier proposal for the PyCA team to consider.