Stop recommending CACert.org in the SSL documentation #65242

Closed
alex opened this issue Mar 23, 2014 · 11 comments
Labels
docs Documentation in the Doc dir type-feature A feature request or enhancement

Comments

@alex
Member

alex commented Mar 23, 2014

BPO 21043
Nosy @pitrou, @alex, @dstufft
Files
  • cacert.diff
  • cacert.diff
  • cacert.diff
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2014-03-24.23:29:29.789>
    created_at = <Date 2014-03-23.23:50:30.731>
    labels = ['type-feature', 'docs']
    title = 'Stop recommending CACert.org in the SSL documentation'
    updated_at = <Date 2014-03-24.23:49:56.489>
    user = 'https://github.com/alex'

    bugs.python.org fields:

    activity = <Date 2014-03-24.23:49:56.489>
    actor = 'python-dev'
    assignee = 'docs@python'
    closed = True
    closed_date = <Date 2014-03-24.23:29:29.789>
    closer = 'dstufft'
    components = ['Documentation']
    creation = <Date 2014-03-23.23:50:30.731>
    creator = 'alex'
    dependencies = []
    files = ['34598', '34599', '34600']
    hgrepos = []
    issue_num = 21043
    keywords = ['patch']
    message_count = 11.0
    messages = ['214656', '214657', '214658', '214659', '214660', '214661', '214698', '214700', '214762', '214764', '214768']
    nosy_count = 5.0
    nosy_names = ['pitrou', 'alex', 'docs@python', 'python-dev', 'dstufft']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = None
    status = 'closed'
    superseder = None
    type = 'enhancement'
    url = 'https://bugs.python.org/issue21043'
    versions = ['Python 3.4', 'Python 3.5']

    @alex
    Member Author

    alex commented Mar 23, 2014

    CACert is not in the root trust store on *any* platform that I'm aware of, and has not passed any audits. See http://lwn.net/SubscriberLink/590879/ce23ed7bab68e489/ for more background.

    In its place I've added StartSSL, which is included in most (all?) root trust stores, and offers free certs.

    @alex alex added docs Documentation in the Doc dir type-feature A feature request or enhancement labels Mar 23, 2014
    @dstufft
    Member

    dstufft commented Mar 23, 2014

    I completely agree, it seems less than good to recommend CACert.

    @pitrou
    Member

    pitrou commented Mar 24, 2014

    That whole paragraph in the documentation is weird. Usually, you don't download select root certificates from various CAs, you just elect to trust a predetermined set of root certs (the system ones, usually).

    I would suggest rewording it and dropping the various download URLs.

    (and if the suggestion to provide the full chain is obsolete for SSLv3 and TLSv1, then similarly it may be dropped entirely - we needn't support SSLv2 specificities in the docs)
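
Added example, not part of the thread or of the CPython patch: the practice described in the comment above (trust the system's predetermined root set rather than downloading individual CA roots), shown with the standard `ssl` module. The helper names (`system_trust_context`, `bare_client_context`, `describe`, `system_store_locations`, `open_verified`) are assumptions made for this illustration.

```python
import socket
import ssl


def system_trust_context():
    """Client context that trusts the platform's root store (no per-CA downloads)."""
    # Loads the default CA certificates and enables chain and hostname checks.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def bare_client_context():
    """Client context with verification on but no trust anchors loaded."""
    # Nothing is trusted until load_default_certs() or load_verify_locations()
    # is called, so every handshake made with this context would fail.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def describe(ctx):
    """Summarise the verification settings of a context."""
    return {
        "chain_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        # Roots kept in a hashed CA directory are read lazily during a
        # handshake, so this counts only certificates already in memory.
        "ca_certs_in_memory": ctx.cert_store_stats()["x509_ca"],
    }


def system_store_locations():
    """Where OpenSSL looks for the system roots on this machine."""
    paths = ssl.get_default_verify_paths()
    return {"cafile": paths.cafile, "capath": paths.capath}


def open_verified(host, port=443, timeout=5.0):
    """Connect and return the negotiated TLS version; raises
    ssl.SSLCertVerificationError if the chain or hostname does not verify."""
    ctx = system_trust_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("system:", describe(system_trust_context()))
    print("bare:  ", describe(bare_client_context()))
    print("store: ", system_store_locations())
```

`open_verified` needs network access and is not called by the block itself; a server whose chain ends at a root outside the system store fails in it with a verification error.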

    @dstufft
    Member

    dstufft commented Mar 24, 2014

    It's quite old (that paragraph); likely it was written that way because back then Python didn't have a way to load certificates.

    @alex
    Member Author

    alex commented Mar 24, 2014

    I've attempted to modernize the paragraph.

    @alex
    Member Author

    alex commented Mar 24, 2014

    Removed 2.7 since there's no API for getting the platform certs.

    @BreamoreBoy BreamoreBoy mannequin changed the title Stop reccomending CACert.org in the SSL documentation Stop recommending CACert.org in the SSL documentation Mar 24, 2014
    @dstufft
    Member

    dstufft commented Mar 24, 2014

    The latest patch looks good to me.

    @pitrou
    Member

    pitrou commented Mar 24, 2014

    Looks good to me too.

    @python-dev
    Mannequin

    python-dev mannequin commented Mar 24, 2014

    New changeset 6f776c91da08 by Donald Stufft in branch '3.4':
    Issue bpo-21043: Remove the recommendation for specific CA organizations
    http://hg.python.org/cpython/rev/6f776c91da08

    @python-dev
    Mannequin

    python-dev mannequin commented Mar 24, 2014

    New changeset 0485552b487e by Donald Stufft in branch 'default':
    Merge in 3.4 to bring forward the Issue bpo-21043 changes.
    http://hg.python.org/cpython/rev/0485552b487e

    @dstufft dstufft closed this as completed Mar 24, 2014
    @python-dev
    Mannequin

    python-dev mannequin commented Mar 24, 2014

    New changeset 7ef262eafecd by Donald Stufft in branch '2.7':
    Issue bpo-21043 - Remove CACert.org from the recommendations
    http://hg.python.org/cpython/rev/7ef262eafecd

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022