This repository was archived by the owner on Mar 25, 2024. It is now read-only.
It is great, not only having u2f-php, but also an easy to follow explanation plus u2f-php-examples (although it seems that there were some breaking changes since the latest release, so some steps only work with the latest, non-released version).
I came across the CA's certificates and am currently handling an older Yubikey that does not verify against the certificate included in the u2f-php/CAcerts. It also seems not so straightforward to find the proper certificates on the Yubico website. Well, probably I have been looking in the wrong edge...
That said: I would greatly appreciate a few more lines in the README about how much security one loses by using disableCAVerification(). In my understanding, this only means that one cannot verify that the token is of any of the "certified" hardware manufacturers ... and yes, it may be an older token or some cheap crap that has security issues. If the latter is the case, that definitely would reduce security. But are there other issues that I have missed? It would be great to have some notes to make an informed decision which way to use!