[Python-Dev] SSL certificates recommendations for downstreampython packagers

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Sun Feb 5 20:34:35 EST 2017

Cory Benfield writes:

 > From a security perspective I think we have to discount the
 > possibility of administrator error from our threat model.

I disagree in a certain sense, and in that sense you don't discount it
-- see below.

 > A threat model that includes “defend the system against intrusions
 > that the administrator incorrectly allows”

I agree that child-proof locks don't work.  The point of having a
category called "administrator error" in the threat model is not to
instantiate it, but merely to recognize it:

 > where we allow configuration we have a duty to ensure that it’s as
 > easy as possible to configure correctly,

and in particular defaults should (1) "deny everything" (well,
nearly), and (2) be robust ("forbid what is not explicitly permitted")
to configuration changes that allow accesses wherever Python can
reasonably achieve that.

 > but when using the system trust store most of the configuration is
 > actually provided by the OS tools, rather than by the
 > above-mentioned “you”, so that’s not in our control.

OK, up to the problem that OS tools may not be accessible or may be
considered unreliable.  I trust you guys to do something sane there,
and I agree it's covered by the "we can't correct admin mistakes in
complex environments" clause that you invoked above.  Python cannot
take responsibility for guessing what might happen in any given
configuration in such environments.

 > However, it’s unquestionable that the *safest* route to go down in
 > terms of preserving the expectations of users is to use the
 > platform-native TLS implementation wholesale, rather than do a
 > hybrid model like Chrome does where OpenSSL does the protocol bits
 > and the system does the X509 bits. That way Python ends up behaving
 > basically like Edge or Safari on the relevant platforms, or perhaps
 > more importantly behaving like .NET on Windows and like
 > CoreFoundation on macOS, which is a much better place to be in
 > terms of user and administrator expectations.

OK, I can't help you with the details, but I can at least say I feel
safer when you say that's where you're going. :-)

More information about the Python-Dev mailing list