I guess something we should think about is whether to introduce RFC 2818 hostname checking into urllib.urlopen() and similar utilities. Presumably one would add an optional arg specifying a file full of root certs to validate against, and if that arg was present, would retrieve the hostname info from the validated cert, and do the client-side check. Bill