classification
Title: Python SSL stack doesn't have a default CA Store
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.3
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, eric.araujo, jcea, loewis, naif, pitrou
Priority: normal
Keywords:

Created on 2011-12-23 10:18 by naif, last changed 2011-12-30 21:27 by eric.araujo.

Messages (3)
msg150142 - (view) Author: naif (naif) Date: 2011-12-23 10:18
For the certificate store:

Can we eventually agree to bind a default CA-store to a Mozilla verified one?
Mozilla in handling Firefox does a great job in keeping CA-store up-to-date.

Integrating default Mozilla CA-store with Python builds could be a nice way, it's just a matter of integrating into the build-system the download/fetching of default Mozilla store.

At least the language bases its default on a trusted entity to manage, cross-platform, the CA-store for TLS/SSL.

The maintenance of the CA-store would be delegated to Mozilla that has been demonstrated to be independent and very security conscious, removing dirty CA-store (like Diginotar after Iranian compromise).

That way 90% of cases of SSL/TLS certificate validation will be managed and by default it would be possible to enable secure SSL/TLS client checking like described in http://bugs.python.org/issue13647 .
msg150147 - (view) Author: naif (naif) Date: 2011-12-23 10:39
Mozilla CA are available on:

https://www.mozilla.org/projects/security/certs/

The warranty and security process of Mozilla handling of SSL CA root certs is described on:

https://wiki.mozilla.org/CA

I think that Python language could reasonably base its default root CA on the Mozilla ones that are the most recognized for security and transparency in the world.
msg150187 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2011-12-23 17:29
I'm not sure Python should be in the business of distributing CA certificates. I think it's better left to the application or Linux distribution.
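
Added example, not part of the issue thread or of CPython: a sketch of how an application can check which CA store its client context will actually verify against, and refuse to run without one. It uses ssl module APIs from Python releases later than the 3.3 named in this issue; the helper names describe_trust, has_trust_anchors and client_context are hypothetical.

```python
import os
import ssl

def describe_trust(ctx):
    """Summarise what a client-side SSLContext will verify peers against."""
    stats = ctx.cert_store_stats()          # CA certs already loaded into ctx
    paths = ssl.get_default_verify_paths()  # OpenSSL's default CA locations
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "loaded_ca_certs": stats["x509_ca"],
        "default_cafile_exists": bool(paths.cafile and os.path.isfile(paths.cafile)),
        "default_capath_exists": bool(paths.capath and os.path.isdir(paths.capath)),
    }

def has_trust_anchors(info):
    """True if any CA source is available. Certificates in a capath directory
    are loaded lazily, so a zero count alone does not mean an empty store."""
    return (info["loaded_ca_certs"] > 0
            or info["default_cafile_exists"]
            or info["default_capath_exists"])

def client_context(cafile=None):
    """Build a verifying client context from an application-supplied bundle
    (cafile) or, failing that, from the platform or distribution store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
        ok = ctx.cert_store_stats()["x509_ca"] > 0
    else:
        ctx.load_default_certs()
        ok = has_trust_anchors(describe_trust(ctx))
    if not ok:
        raise RuntimeError("no CA certificates available; refusing to connect")
    return ctx

if __name__ == "__main__":
    # A bare context verifies peers but has no CA certificates loaded yet.
    print(describe_trust(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
```
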
History
Date                 User               Action  Args
2011-12-30 21:27:46  eric.araujo        set     nosy: + pitrou
2011-12-30 21:27:34  eric.araujo        set     nosy: + loewis, eric.araujo
                                                versions: - Python 2.6, Python 3.1, Python 2.7, Python 3.2, Python 3.4
2011-12-23 17:29:46  benjamin.peterson  set     nosy: + benjamin.peterson
                                                messages: + msg150187
2011-12-23 16:54:33  jcea               set     nosy: + jcea
2011-12-23 10:39:58  naif               set     messages: + msg150147
2011-12-23 10:20:30  naif               set     type: security
2011-12-23 10:18:53  naif               create