[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Ethan Furman ethan at stoneleaf.us
Mon Jun 3 18:52:27 CEST 2013


On 06/03/2013 09:43 AM, Donald Stufft wrote:
> On Jun 3, 2013, at 5:51 AM, Antoine Pitrou wrote:
>>
>> The problem with a "slightly outdated" CA store is that it can be a
>> security risk.
>
> Tracking the Mozilla store isn't difficult. New additions can be ignored for currently released Pythons so we'd just
> need to watch them for blacklisting certs and roll that into a security update.

Personally, I'm not interested in waiting six months for an update.  And why can't I have the new additions?

Seems to me a better solution is to have routines that can query and update at will (meaning the app has to call them),
as well as having the bundle (blacklists as well as new additions) in the regular updates.

--
~Ethan~
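The update routine Ethan describes, as an added example (not code from this thread or from CPython): a function that takes the shipped PEM bundle, a set of new additions and a blacklist of distrusted roots, and returns the merged bundle with the blacklisted entries dropped. It assumes the bundle is PEM-formatted and that distrusted roots are identified by the SHA-256 fingerprint of their DER encoding; the three "certificates" below are constructed byte strings standing in for real DER, so the filtering logic runs offline but the result is not loadable into an `ssl.SSLContext`. With a real bundle, the returned text is what an application would pass to `ssl.SSLContext.load_verify_locations(cadata=...)`.

```python
"""Apply blacklist and additions to a CA bundle at runtime.

Added example, not CPython code. Certificates are keyed by the
SHA-256 fingerprint of their DER bytes, the usual key for distrust
lists. The sample DER payloads are constructed placeholders.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, the identifier used in blacklists."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(pem_text: str) -> dict:
    """Map fingerprint -> DER bytes for every certificate in a PEM bundle."""
    certs = {}
    for match in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        certs[fingerprint(der)] = der      # duplicates collapse to one entry
    return certs


def to_pem(certs: dict) -> str:
    """Re-encode the bundle as PEM, 64 base64 characters per line."""
    blocks = []
    for fp in sorted(certs):
        b64 = base64.b64encode(certs[fp]).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(
            f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        )
    return "".join(blocks)


def update_bundle(current_pem: str, additions_pem: str, blacklist: set):
    """Merge additions into the current bundle, then drop blacklisted roots.

    Returns (new_pem, added_fingerprints, removed_fingerprints). The
    blacklist is applied after the merge so a distrusted root cannot be
    re-introduced through the additions feed.
    """
    certs = parse_bundle(current_pem)
    before = set(certs)
    certs.update(parse_bundle(additions_pem))
    added = sorted(set(certs) - before)
    removed = sorted(fp for fp in certs if fp in blacklist)
    for fp in removed:
        del certs[fp]
    return to_pem(certs), added, removed


# Constructed stand-ins for DER-encoded roots (not real certificates).
ROOT_A = b"constructed DER placeholder: root A, still trusted"
ROOT_B = b"constructed DER placeholder: root B, to be distrusted"
ROOT_C = b"constructed DER placeholder: root C, newly added"

SHIPPED_BUNDLE = to_pem({fingerprint(ROOT_A): ROOT_A, fingerprint(ROOT_B): ROOT_B})
ADDITIONS = to_pem({fingerprint(ROOT_C): ROOT_C})
BLACKLIST = {fingerprint(ROOT_B)}


def demo():
    """Run one update cycle and return its outcome."""
    return update_bundle(SHIPPED_BUNDLE, ADDITIONS, BLACKLIST)


if __name__ == "__main__":
    new_pem, added, removed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("bundle now holds", len(parse_bundle(new_pem)), "roots")
```

Running the update a second time on its own output is a no-op, which is the property an application calling this on a schedule relies on: the blacklist keeps winning, and previously merged additions are not reported again.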
