On 1 Sep 2014 06:32, "Paul Moore" <email@example.com> wrote:
> On 31 August 2014 21:15, Antoine Pitrou <firstname.lastname@example.org> wrote:
> > What do you call your local cert store?
> I was referring to Christian's comment
> > It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store.
> From his recent response, I guess he meant the system store, and he
> agrees that this is a bad option.
> OK, that's fair, but:
> a) Is there really no OS-level personal trust store? I'm thinking of
> Windows here for my own personal use, but the same question applies
> b) I doubt my confusion over Christian's response is atypical. Based
> on what he said, if we hadn't had the subsequent discussion, I would
> probably have found a way to add a cert to "the store" without
> understanding the implications. While it's not Python's job to educate
> users, it would be a shame if its default behaviour led people to make
> ill-informed decisions.
Right, this is why I came to the conclusion we need to follow the browser vendors' lead here and support a per-user Python-specific supplementary certificate cache before we can start validating certs by default at the *Python* level. There are still too many failure modes for cert management on private networks for us to safely ignore the use case of needing to force connections to services with invalid certs.
We don't need to *solve* that problem here today - we can push it back to Alex (and anyone else interested) as a building block to investigate providing as part of cryptography.io or certi.fi, with a view to making a standard library version of that (along with any SSL module updates) part of PEP 476.
In the meantime, we can update the security considerations for the ssl module to make it clearer that the defaults are set up for trusted networks and that using it safely on the public internet may mean you're better off with a third party library like requests or Twisted. (I'll start another thread shortly that is highly relevant to that topic)
> Maybe an SSL HOWTO would be a useful addition to the docs, if anyone
> feels motivated to write one.
> Regardless, thanks for the education!
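As an added illustration of the "supplementary per-user store" idea discussed above (example code written for this page, not from the thread or from CPython), the following layers a user-owned CA bundle on top of `ssl.create_default_context()` without ever lowering `verify_mode`; the bundle path is a hypothetical convention, not anything Python defines.

```python
"""Layer a per-user supplementary CA bundle on top of the default trust store.

Illustrative code only. The bundle location is a made-up convention.
"""
import os
import ssl
from pathlib import Path
from typing import Optional, Union

# Hypothetical per-user location for extra trusted certificates (not a Python standard).
USER_CA_BUNDLE = Path.home() / ".config" / "python" / "extra-cas.pem"


def build_context(extra_bundle: Optional[Union[str, Path]] = USER_CA_BUNDLE) -> ssl.SSLContext:
    """Default verifying context plus any per-user supplementary CAs.

    Trust is only ever added: verify_mode stays CERT_REQUIRED and hostname
    checking stays on, so a private-CA service can be reached without the
    'just disable verification' workaround.
    """
    ctx = ssl.create_default_context()  # system store, CERT_REQUIRED, check_hostname=True
    if extra_bundle is not None and Path(extra_bundle).is_file():
        ctx.load_verify_locations(cafile=str(extra_bundle))
    return ctx


def add_trusted_cert(pem_text: str, bundle: Union[str, Path] = USER_CA_BUNDLE) -> int:
    """Append one PEM certificate to the per-user bundle after validating it.

    The PEM is parsed by OpenSSL via a throwaway context first, so malformed
    input raises ssl.SSLError (or ValueError) before anything is written.
    Returns the number of certificates now in the bundle.
    """
    pem_text = pem_text.strip() + "\n"
    if pem_text.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("expected exactly one PEM certificate block")
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.load_verify_locations(cadata=pem_text)  # raises ssl.SSLError if not a real cert
    bundle = Path(bundle)
    bundle.parent.mkdir(parents=True, exist_ok=True)
    with open(bundle, "a", encoding="ascii") as fh:
        fh.write(pem_text)
    os.chmod(bundle, 0o600)  # owner-only: this file extends trust for this user alone
    return bundle.read_text(encoding="ascii").count("-----BEGIN CERTIFICATE-----")
```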