[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython) (original) (raw)

Donald Stufft donald at stufft.io
Mon Jun 3 18:43:32 CEST 2013

On Jun 3, 2013, at 5:51 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

On Mon, 3 Jun 2013 21:37:10 +1200 Ben Hoyt <benhoyt at gmail.com> wrote:

I'm not familiar with Unix/Linux, but on Windows, if it's anything like mimetypes it'll be really hard to get consistent behaviour across different boxes/versions from the registry, or wherever certs might be stored on Windows. I'd much rather have a slightly outdated but consistent experience by default. The problem with a "slightly outdated" CA store is that it can be a security risk. Regards Antoine.

Python-Dev mailing list Python-Dev at python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io

Tracking the Mozilla store isn't difficult. New additions can be ignored for currently released Pythons so we'd just need to watch them for blacklisting certs and roll that into a security update.

Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/956e6fc3/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/956e6fc3/attachment.pgp>

More information about the Python-Dev mailing list