[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou
solipsis at pitrou.net
Sun Aug 31 03:25:25 CEST 2014
On Sun, 31 Aug 2014 09:26:30 +1000
Nick Coghlan <ncoghlan at gmail.com> wrote:
> >>
> >> * configuration:
> >>
> >> It would be good to be able to switch this on or off
> >> without having to change the code, e.g. via a command
> >> line switch and environment variable; perhaps even
> >> controlling whether or not to raise an exception or
> >> warning.
> >>
> >> * choice of trusted certificate:
> >>
> >> Instead of hard wiring using the system CA roots into
> >> Python it would be good to just make this default and
> >> permit the user to point Python to a different set of
> >> CA roots.
> >>
> >> This would enable using self-signed certs more easily.
> >> Since these are often used for tests, demos and education,
> >> I think it's important to allow having more control of
> >> the trusted certs.
> >
> >
> > +1 for PEP with above changes.
>
> Ditto from me.
>
> In relation to changing the Python CLI API to offer some of the wget/curl
> style command line options, I like the idea of providing recipes in the
> docs for implementing them at the application layer, but postponing making
> the *default* behaviour configurable that way.

I'm against any additional environment variables and command-line
options. It will only complicate and obscure the security parameters of
certificate validation.

The existing knobs have already been mentioned in this thread; I won't
mention them here again.

Regards
Antoine.