[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Sun Aug 31 23:59:10 CEST 2014

On 31.08.2014 22:30, Paul Moore wrote:
> On 31 August 2014 21:15, Antoine Pitrou <antoine at python.org> wrote:
>> What do you call your local cert store?
> I was referring to Christian's comment
>> It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store.

I was referring to the the trust store of the SSLContext object and not
to any kind of cert store of the operating system. Sorry for the confusion.

> a) Is there really no OS-level personal trust store? I'm thinking of
> Windows here for my own personal use, but the same question applies
> elsewhere.

Windows and OSX have superior cert stores compared to Linux and BSD.
They have means for user and system wide cert stores and trust settings
Linux just have one central directory or file with all trusted certs. My
KDE has some options to disable certs but I don't know how to make use
of the configuration.

Even worse: Linux distros doesn't make a different between purposes. On
Windows a user can trust a certificate for S/MIME but not for server
auth or client auth. Ubuntu just puts all certification in one directory
but it's wrong. :(



More information about the Python-Dev mailing list