[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Sun Aug 31 23:41:21 CEST 2014


On 1 Sep 2014 06:32, "Paul Moore" <p.f.moore at gmail.com> wrote:
>
> On 31 August 2014 21:15, Antoine Pitrou <antoine at python.org> wrote:
> > What do you call your local cert store?
>
> I was referring to Christian's comment
> > It's very simple to trust a self-signed certificate: just download it
> > and stuff it into the trust store.
>
> From his recent response, I guess he meant the system store, and he
> agrees that this is a bad option.
>
> OK, that's fair, but:
>
> a) Is there really no OS-level personal trust store? I'm thinking of
> Windows here for my own personal use, but the same question applies
> elsewhere.
> b) I doubt my confusion over Christian's response is atypical. Based
> on what he said, if we hadn't had the subsequent discussion, I would
> probably have found a way to add a cert to "the store" without
> understanding the implications. While it's not Python's job to educate
> users, it would be a shame if its default behaviour led people to make
> ill-informed decisions.

Right, this is why I came to the conclusion we need to follow the browser
vendors' lead here and support a per-user Python-specific supplementary
certificate cache before we can start validating certs by default at the
*Python* level. There are still too many failure modes for cert management
on private networks for us to safely ignore the use case of needing to
force connections to services with invalid certs.

We don't need to *solve* that problem here today - we can push it back to
Alex (and anyone else interested) as a building block to investigate
providing as part of cryptography.io or certi.fi, with a view to making a
standard library version of that (along with any SSL module updates) part
of PEP 476.

In the meantime, we can update the security considerations for the ssl
module to make it clearer that the defaults are set up for trusted networks
and that using it safely on the public internet may mean you're better off
with a third-party library like requests or Twisted. (I'll start another
thread shortly that is highly relevant to that topic.)

Regards,
Nick.

>
> Maybe an SSL HOWTO would be a useful addition to the docs, if anyone
> feels motivated to write one.
>
> Regardless, thanks for the education!
>
> Paul
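An added illustration, not part of the thread and not code from PEP 476 or the ssl module: one way to give a single `SSLContext` a per-user supplementary trust set while leaving validation on and the system store untouched. The directory path and the `build_context` helper are assumptions made for this example.

```python
import ssl
from pathlib import Path

# Hypothetical per-user location; not a path defined by Python or PEP 476.
USER_CA_DIR = Path.home() / ".config" / "python-extra-cas"


def build_context(extra_ca_dir=USER_CA_DIR):
    """Return (context, loaded, rejected); verification stays enforced."""
    # create_default_context() sets CERT_REQUIRED and hostname checking
    # and loads the platform's default CA certificates.
    ctx = ssl.create_default_context()
    loaded, rejected = [], []
    extra_ca_dir = Path(extra_ca_dir)
    if not extra_ca_dir.is_dir():
        return ctx, loaded, rejected
    for pem in sorted(extra_ca_dir.glob("*.pem")):
        # Refuse files that other accounts can modify: a writable trust
        # anchor lets anyone on the machine add a CA for this user.
        if pem.stat().st_mode & 0o022:
            rejected.append((pem.name, "group/world writable"))
            continue
        try:
            # Adds the certificate(s) to this context only.
            ctx.load_verify_locations(cafile=str(pem))
        except (ssl.SSLError, OSError) as exc:
            rejected.append((pem.name, f"unreadable: {type(exc).__name__}"))
            continue
        loaded.append(pem.name)
    return ctx, loaded, rejected


if __name__ == "__main__":
    context, ok, bad = build_context()
    print("verify_mode:", context.verify_mode)
    print("check_hostname:", context.check_hostname)
    print("loaded:", ok)
    print("rejected:", bad)
```

A self-signed certificate for an internal service, saved as a PEM file in that directory with owner-only write permission, is then trusted by contexts built this way and by nothing else on the machine.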

