[Python-Dev] PEP 476: Enabling certificate validation by default!

Paul Moore p.f.moore at gmail.com
Sun Aug 31 22:30:28 CEST 2014

On 31 August 2014 21:15, Antoine Pitrou <antoine at python.org> wrote:
> What do you call your local cert store?

I was referring to Christian's comment
> It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store.

>From his recent response, I guess he meant the system store, and he
agrees that this is a bad option.

OK, that's fair, but:

a) Is there really no OS-level personal trust store? I'm thinking of
Windows here for my own personal use, but the same question applies
b) I doubt my confusion over Christian's response is atypical. Based
on what he said, if we hadn't had the subsequent discussion, I would
probably have found a way to add a cert to "the store" without
understanding the implications. While it's not Python's job to educate
users, it would be a shame if its default behaviour led people to make
ill-informed decisions.

Maybe an SSL HOWTO would be a useful addition to the docs, if anyone
feels motivated to write one.

Regardless, thanks for the education!


More information about the Python-Dev mailing list