[Catalog-sig] PyPI OAuth documentation

Daniel Holth dholth at gmail.com
Fri Jul 27 12:52:26 CEST 2012


If you take a look at the "convergence" system and make sure different parts of the net see the same key, or just do what ssh does and assume the key won't change after the first time, those are good solutions. Of course it really should just have a CA signature too.

Daniel Holth

On Jul 27, 2012, at 2:36 AM, Richard Jones <r1chardj0n3s at gmail.com> wrote:

> I'm not sure we can securely distribute the PEM to all the potential
> users. A better solution is to have a Real SSL Certificate, but that
> effort keeps failing :-(
> 
> On the other hand, Kenneth just released a new version of requests
> which removes the need to use my branch :-)
> 
> 
>    Richard
> 
> On 27 July 2012 11:45, Daniel Holth <dholth at gmail.com> wrote:
>> You can also pass the expected SSL certificate to requests, but I'm not sure of the exact syntax (see the advanced use section of their docs). This is the most secure option if you know which cert the server should present.
>> 
>> Daniel Holth
>> 
>> On Jul 26, 2012, at 9:34 PM, Richard Jones <r1chardj0n3s at gmail.com> wrote:
>> 
>>> On 27 July 2012 11:17, Richard Jones <r1chardj0n3s at gmail.com> wrote:
>>>> Note that you need to use my branch of requests for this to work
>>>> (https://github.com/r1chardj0n3s/requests) and rauth currently needs
>>>> to be modified to handle unverifiable SSL certificates.
>>> 
>>> The author of rauth has shown me how to avoid the modification; the
>>> code on the wiki page now works with the current un-modified rauth
>>> release.
>>> 
>>> 
>>>   Richard
>>> _______________________________________________
>>> Catalog-SIG mailing list
>>> Catalog-SIG at python.org
>>> http://mail.python.org/mailman/listinfo/catalog-sig
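
Added example, not part of the original thread and not code from requests or rauth: a sketch of the ssh-style "assume the key won't change after the first time" check mentioned in the message above. The store path, the function names, the host `pypi.example` and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import ssl

class PinMismatch(Exception):
    """The server presented a different certificate than the one pinned."""

def fetch_der(host, port=443):
    # Fetches the certificate without CA validation (the first-use case); needs network.
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(store_path, host, der_cert):
    """Return "pinned" on first contact, "match" afterwards; raise on change."""
    pins = {}
    if os.path.exists(store_path):
        with open(store_path) as f:
            pins = json.load(f)
    seen = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        tmp = store_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(pins, f)
        os.replace(tmp, store_path)  # atomic: a crash cannot leave a half-written store
        return "pinned"
    if hmac.compare_digest(known, seen):
        return "match"
    # Never overwrite the pin automatically: a changed key needs a human decision.
    raise PinMismatch("%s: pinned %s, server sent %s" % (host, known, seen))

if __name__ == "__main__":
    import tempfile
    store = os.path.join(tempfile.mkdtemp(), "pins.json")
    # Constructed stand-ins for DER certificate bytes, so the demo runs offline.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    print(check_pin(store, "pypi.example", cert_a))
    print(check_pin(store, "pypi.example", cert_a))
    try:
        check_pin(store, "pypi.example", cert_b)
    except PinMismatch as exc:
        print("refused:", exc)
```

In real use the bytes would come from `fetch_der`, and the check would run before any OAuth credentials are sent to the host.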

