[issue21043] Stop reccomending CACert.org in the SSL documentation
New submission from Alex Gaynor:

CACert is not in the root trust store on *any* platform that I'm aware of, and has not passed any audits. See http://lwn.net/SubscriberLink/590879/ce23ed7bab68e489/ for more background.

In its place I've added StartSSL, which is included in most (all?) root trust stores, and offers free certs.

----------
assignee: docs@python
components: Documentation
files: cacert.diff
keywords: patch
messages: 214656
nosy: alex, docs@python, dstufft
priority: normal
severity: normal
status: open
title: Stop reccomending CACert.org in the SSL documentation
type: enhancement

Added file: http://bugs.python.org/file34598/cacert.diff

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue21043>
_______________________________________
Donald Stufft added the comment:

I completely agree, it seems less than good to recommend CACert.

----------
Changes by Alex Gaynor <alex.gaynor@gmail.com>:

----------
versions: +Python 2.7, Python 3.4, Python 3.5
Antoine Pitrou added the comment:

That whole paragraph in the documentation is weird. Usually, you don't download select root certificates from various CAs, you just elect to trust a predetermined set of root certs (the system ones, usually). I would suggest rewording it and dropping the various download URLs.

(and if the suggestion to provide the full chain is obsolete for SSLv3 and TLSv1, then similarly it may be dropped entirely - we needn't support SSLv2 specificities in the docs)

----------
nosy: +pitrou
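The approach described in the comment above (trust the platform's predetermined root set instead of downloading individual CA roots), as an added example that is not part of the original thread or of the patch. It assumes Python 3.6+ for `ssl.PROTOCOL_TLS_CLIENT`; the helper names and the `cafile` path are hypothetical.

```python
import ssl


def system_trust_context():
    """Client context that trusts the platform root store (Python 3.4+)."""
    # create_default_context() loads the system CA certificates and enables
    # both certificate validation and hostname checking.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def pinned_ca_context(cafile):
    """Client context that trusts only the bundle at `cafile` (hypothetical
    path), the hand-picked-root setup the old paragraph described."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def unverified_context():
    """Deliberately weak context, used only as input for audit_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for settings that defeat chain validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "the peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate issued for "
                        "another host is accepted")
    return findings


def loaded_ca_count(ctx):
    """Number of CA certificates currently loaded into the context.

    Certificates in a capath directory are loaded on demand, so 0 here is a
    hint to investigate, not proof that the trust store is empty.
    """
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for name, ctx in (("system", system_trust_context()),
                      ("unverified", unverified_context())):
        print(name, loaded_ca_count(ctx), audit_context(ctx))
```
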
Donald Stufft added the comment:

It's quite old (that paragraph); likely it was written that way because back then Python didn't have a way to load certificates.

----------
Alex Gaynor added the comment:

I've attempted to modernize the paragraph.

----------
Added file: http://bugs.python.org/file34599/cacert.diff
Alex Gaynor added the comment:

Removed 2.7 since there's no API for getting the platform certs.

----------
versions: -Python 2.7
Changes by Alex Gaynor <alex.gaynor@gmail.com>:

Added file: http://bugs.python.org/file34600/cacert.diff
Changes by Mark Lawrence <breamoreboy@yahoo.co.uk>:

----------
title: Stop reccomending CACert.org in the SSL documentation -> Stop recommending CACert.org in the SSL documentation
Donald Stufft added the comment:

The latest patch looks good to me.

----------
Antoine Pitrou added the comment:

Looks good to me too.

----------
Roundup Robot added the comment:

New changeset 6f776c91da08 by Donald Stufft in branch '3.4':
Issue #21043: Remove the recommendation for specific CA organizations
http://hg.python.org/cpython/rev/6f776c91da08

----------
nosy: +python-dev
Roundup Robot added the comment:

New changeset 0485552b487e by Donald Stufft in branch 'default':
Merge in 3.4 to bring forward the Issue #21043 changes.
http://hg.python.org/cpython/rev/0485552b487e

----------
Changes by Donald Stufft <donald@stufft.io>:

----------
resolution: -> fixed
status: open -> closed
Roundup Robot added the comment:

New changeset 7ef262eafecd by Donald Stufft in branch '2.7':
Issue #21043 - Remove CACert.org from the recommendations
http://hg.python.org/cpython/rev/7ef262eafecd

----------
participants (5)
- Alex Gaynor
- Antoine Pitrou
- Donald Stufft
- Mark Lawrence
- Roundup Robot