On Jun 3, 2013, at 12:52 PM, Barry Warsaw <barry@python.org> wrote:

On Jun 03, 2013, at 03:12 AM, Donald Stufft wrote:

That's fine with me too. My only reason for wanting to use the system certs
first is so if someone has modified their system certs (say to include a
corporate cert) that it would ideally take effect for Python as well.

This reminds me of one other thing.  We have to make sure that the APIs
(e.g. urlopen()) continue to allow us to use self-signed certificates, if for
no other reason than for testing purposes.  OTOH, taking this away would be a
backward incompatible change in API so probably wouldn't happen anyway.

The other additional comment I'd like to throw in here is that if we don't bundle SSL certs I think we should still verify by default (which means HTTPS URLs will throw an error by default if we can't locate a certificate store) because I think the risk to people unknowingly thinking that their HTTPS URLs are protected is significant enough that this "error" shouldn't be silent by default.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
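
The behaviour discussed in this thread, as an added example that is not code from the thread or from CPython: verify by default against the system store, raise a loud error when no store can be located, and still let a caller explicitly trust a self-signed certificate for testing. The names verified_context, has_trust_anchors and NoTrustStoreError are hypothetical.

```python
import os
import ssl


class NoTrustStoreError(RuntimeError):
    """Raised instead of silently falling back to unverified HTTPS."""


def has_trust_anchors(ctx, capath=None):
    """True if ctx holds CA certs, or capath is a non-empty directory.

    Certificates in a capath directory are loaded lazily, so they do not
    show up in cert_store_stats() until a handshake needs them.
    """
    if ctx.cert_store_stats()["x509_ca"] > 0:
        return True
    return bool(capath and os.path.isdir(capath) and os.listdir(capath))


def verified_context(cafile=None):
    """Build a client context that always verifies the peer.

    cafile=None -> trust the system store (picks up locally added CAs).
    cafile=path -> trust only that PEM file, e.g. a self-signed test cert.
    """
    # PROTOCOL_TLS_CLIENT sets CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
        return ctx
    ctx.load_default_certs()
    capath = ssl.get_default_verify_paths().capath
    if not has_trust_anchors(ctx, capath):
        raise NoTrustStoreError("no CA certificates found; refusing to "
                                "open HTTPS connections unverified")
    return ctx


if __name__ == "__main__":
    try:
        ctx = verified_context()
    except NoTrustStoreError as exc:
        raise SystemExit(f"error: {exc}")
    # Pass the result as urllib.request.urlopen(url, context=ctx).
    print(ctx.verify_mode, ctx.check_hostname)
```

Verification stays on in both branches; the self-signed case narrows the trust anchors to one file instead of disabling the check.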