[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
Antoine Pitrou
solipsis at pitrou.net
Mon Jun 3 18:56:08 CEST 2013
On Mon, 3 Jun 2013 12:43:32 -0400
Donald Stufft <donald at stufft.io> wrote:
>
> On Jun 3, 2013, at 5:51 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>
> > On Mon, 3 Jun 2013 21:37:10 +1200
> > Ben Hoyt <benhoyt at gmail.com> wrote:
> >>
> >> I'm not familiar with Unix/Linux, but on Windows, if it's anything
> >> like mimetypes it'll be really hard to get consistent behaviour across
> >> different boxes/versions from the registry, or wherever certs might be
> >> stored on Windows. I'd much rather have a slightly outdated but
> >> consistent experience by default.
> >
> > The problem with a "slightly outdated" CA store is that it can be a
> > security risk.
> >
> > Regards
> >
> > Antoine.
> >
> >
> > _______________________________________________
> > Python-Dev mailing list
> > Python-Dev at python.org
> > http://mail.python.org/mailman/listinfo/python-dev
> > Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io
>
> Tracking the Mozilla store isn't difficult. New additions can be ignored for currently released Pythons so we'd just need to watch them for blacklisting certs and roll that into a security update.
Let's see if our security release managers want to do that job.
Regards
Antoine.
More information about the Python-Dev
mailing list