Cory Benfield writes:
> From a security perspective I think we have to discount the possibility of administrator error from our threat model.
I disagree in a certain sense, and in that sense you don't discount it -- see below.
> A threat model that includes “defend the system against intrusions that the administrator incorrectly allows”
I agree that child-proof locks don't work. The point of having a category called "administrator error" in the threat model is not to instantiate it, but merely to recognize it:
> where we allow configuration we have a duty to ensure that it’s as easy as possible to configure correctly,
and in particular defaults should (1) "deny everything" (well, nearly), and (2) be robust ("forbid what is not explicitly permitted") to configuration changes that allow accesses wherever Python can reasonably achieve that.
> but when using the system trust store most of the configuration is actually provided by the OS tools, rather than by the above-mentioned “you”, so that’s not in our control.
OK, up to the problem that OS tools may not be accessible or may be considered unreliable. I trust you guys to do something sane there, and I agree it's covered by the "we can't correct admin mistakes in complex environments" clause that you invoked above. Python cannot take responsibility for guessing what might happen in any given configuration in such environments.
> However, it’s unquestionable that the *safest* route to go down in terms of preserving the expectations of users is to use the platform-native TLS implementation wholesale, rather than do a hybrid model like Chrome does where OpenSSL does the protocol bits and the system does the X509 bits. That way Python ends up behaving basically like Edge or Safari on the relevant platforms, or perhaps more importantly behaving like .NET on Windows and like CoreFoundation on macOS, which is a much better place to be in terms of user and administrator expectations.
OK, I can't help you with the details, but I can at least say I feel safer when you say that's where you're going. :-)
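Added illustration (not part of the thread, and not code from CPython or any project discussed above) of the "deny everything by default, forbid what is not explicitly permitted" stance: a client TLS context builder that starts from `ssl.create_default_context()` (certificate verification on, hostname checking on, platform trust store loaded) and loosens nothing unless an override says so explicitly and in the expected type. The override keys (`ca_file`, `insecure_skip_verify`, `min_version`) are invented for this example; the point is that a misspelled key or a string `"true"` fails closed rather than being silently ignored or interpreted as truthy.

```python
"""Fail-closed TLS client configuration: start from Python's hardened
defaults and loosen them only on an explicit, well-typed instruction.
Example code written for this page; the option names are hypothetical."""
import ssl
from typing import Any, Mapping, Optional

# The only override keys an operator may set. Anything else is treated as
# an error so that a misspelled key ("verfiy": false) cannot silently
# leave the policy in an unintended state.
ALLOWED_KEYS = {"ca_file", "insecure_skip_verify", "min_version"}
# The floor may only be raised; TLS 1.0/1.1 are not selectable at all.
ALLOWED_MIN_VERSIONS = {"TLSv1_2": ssl.TLSVersion.TLSv1_2,
                        "TLSv1_3": ssl.TLSVersion.TLSv1_3}


def build_context(overrides: Optional[Mapping[str, Any]] = None) -> ssl.SSLContext:
    """Return a client SSLContext. With no overrides this is exactly
    ssl.create_default_context(): CERT_REQUIRED, hostname checking on,
    OS trust store loaded, minimum TLS 1.2."""
    opts = dict(overrides or {})
    unknown = set(opts) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown TLS option(s): {sorted(unknown)}")

    ctx = ssl.create_default_context()          # loads the OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if "min_version" in opts:
        try:
            ctx.minimum_version = ALLOWED_MIN_VERSIONS[opts["min_version"]]
        except KeyError:
            raise ValueError(
                f"min_version must be one of {sorted(ALLOWED_MIN_VERSIONS)}") from None

    if "ca_file" in opts:
        # Adds to, rather than replaces, the system store; a bad path raises.
        ctx.load_verify_locations(cafile=opts["ca_file"])

    skip = opts.get("insecure_skip_verify", False)
    if skip is not False:
        # Require the literal boolean True. The string "false", "true" or
        # the integer 1 are typical config mistakes and are rejected, not
        # interpreted as truthy.
        if skip is not True:
            raise TypeError("insecure_skip_verify must be the boolean True or False")
        # Order matters: check_hostname must be turned off before
        # verify_mode can be set to CERT_NONE, or ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Reduce a context to the three settings an auditor cares about."""
    return {
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def is_rejected(overrides: Mapping[str, Any]) -> bool:
    """True if the overrides are refused outright (the fail-closed path)."""
    try:
        build_context(overrides)
    except (ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    print("defaults:", policy_summary(build_context()))
    print("typo key rejected:", is_rejected({"verfiy": False}))
    print("string 'true' rejected:", is_rejected({"insecure_skip_verify": "true"}))
```

The two design choices worth copying are the allowlist of keys (an unknown key is an error, never a no-op) and the identity check against the boolean `True`, so that only an unambiguous instruction can turn verification off; everything the OS trust store contributes stays untouched by this layer.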