[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou solipsis at pitrou.net
Sun Aug 31 03:25:25 CEST 2014
On Sun, 31 Aug 2014 09:26:30 +1000 Nick Coghlan <ncoghlan at gmail.com> wrote:
> >>
> >>   * configuration:
> >>
> >>     It would be good to be able to switch this on or off
> >>     without having to change the code, e.g. via a command
> >>     line switch and environment variable; perhaps even
> >>     controlling whether or not to raise an exception or
> >>     warning.
> >>
> >>   * choice of trusted certificate:
> >>
> >>     Instead of hard wiring using the system CA roots into
> >>     Python it would be good to just make this default and
> >>     permit the user to point Python to a different set of
> >>     CA roots.
> >>
> >>     This would enable using self signed certs more easily.
> >>     Since these are often used for tests, demos and education,
> >>     I think it's important to allow having more control of
> >>     the trusted certs.
> >
> >
> > +1 for PEP with above changes.
>
> Ditto from me.
>
> In relation to changing the Python CLI API to offer some of the
> wget/curl style command line options, I like the idea of providing
> recipes in the docs for implementing them at the application layer,
> but postponing making the default behaviour configurable that way.

I'm against any additional environment variables and command-line options. It will only complicate and obscure the security parameters of certificate validation.
The existing knobs have already been mentioned in this thread; I won't mention them here again.
Regards
Antoine.
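
An application-layer recipe of the kind mentioned in the quoted text, added here as an illustration; it is not part of the original message or of the CPython documentation. The `--ca-certificate` option name and the function names are assumptions. It lets a user trust a private or self-signed CA for tests and demos while certificate and hostname verification stay on.

```python
import argparse
import ssl
import urllib.request


def build_context(ca_file=None):
    """Return a verifying TLS context.

    ca_file=None trusts the system CA roots. Otherwise only the CAs in the
    given PEM bundle are trusted. Verification is never switched off.
    """
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    # When cafile is given, the system roots are not loaded.
    return ssl.create_default_context(cafile=ca_file)


def parse_args(argv=None):
    parser = argparse.ArgumentParser(description="Fetch a URL over verified HTTPS")
    parser.add_argument("url")
    parser.add_argument(
        "--ca-certificate",  # hypothetical option name, modelled on wget
        metavar="FILE",
        default=None,
        help="PEM bundle of CA roots to trust instead of the system roots",
    )
    return parser.parse_args(argv)


def fetch(url, context):
    # The trust decision is explicit at the call site: the context is passed in.
    with urllib.request.urlopen(url, context=context, timeout=10) as resp:
        return resp.read()


def main(argv=None):
    args = parse_args(argv)
    try:
        context = build_context(args.ca_certificate)
    except OSError as exc:  # missing file, or ssl.SSLError for a bad bundle
        raise SystemExit(f"cannot load CA bundle: {exc}")
    print(len(fetch(args.url, context)), "bytes")


if __name__ == "__main__":
    main()
```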