Author Dan.Kaminsky
Recipients Dan.Kaminsky, naif, pitrou
Date 2011-12-23.08:54:57
Message-id <1324630499.9.0.850229895403.issue13647@psf.upfronthosting.co.za>
Content
>> There is a new "match_hostname" that doesn't implement all the 
>> required, standard SSL/TLS Client security checks that should be done.

>Indeed, as the name indicates, it just checks the hostname.
>Please detail what the other security checks are (bonus points if you provide a patch + tests).

You need to check expiration date of the cert in question, and I suppose invocation date as well.
You need to look at each of the CNs in the subject name, as well as each of the DNSname types in the SAN extension.
You *absolutely must* make sure that each of the intermediate certificates has Basic Constraints: CA set to True.  Otherwise a certificate for foo.com can sign for bar.com (this keeps happening).
You should support the Name Constraints extension, that allows certificates to sign for a subset of names.  Nobody really uses this, because reliability is so low though.


> > It has been noticed by the well known security researcher Dan Kaminsky

> What's the URL for this?

I'll see your URL and raise you a submitted bug report with recommendations.  It seems to get better results than posting random whining on a web page somewhere :)

> > A) Integrate the Mozilla CA pack into Python, updating it with each
> > security release.

> I suggest you discuss this on python-dev:
> http://mail.python.org/mailman/listinfo/python-dev

It's an ugly dependency, I know.  X.509 suffers from a "false coherence" design, in which a couple of parties actively work to make it look like it has a coherent trust model.  The best you can do is try to borrow/leverage the work of one of those parties.
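
The checks listed in the message above (validity period, every CN and SAN dNSName, CA flag on each issuing certificate), as an added example that is not part of the original message or of Python's `ssl` module. It runs over constructed dicts in the `ssl.getpeercert()` layout; the `ca` field and all helper names are assumptions, and signature verification and Name Constraints are not modelled.

```python
import ssl

def cert(cn, sans=(), ca=False, nb="Jan  1 00:00:00 2011 GMT",
         na="Jan  1 00:00:00 2013 GMT"):
    """Constructed cert in ssl.getpeercert() dict layout; "ca" is an assumed
    extra field for Basic Constraints, which getpeercert() does not expose."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans),
            "notBefore": nb, "notAfter": na, "ca": ca}

def names(c):
    """Every subject CN plus every dNSName entry in the SAN extension."""
    cns = [v for rdn in c["subject"] for k, v in rdn if k == "commonName"]
    return cns + [v for k, v in c["subjectAltName"] if k == "DNS"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may stand for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def in_validity(c, now):
    start = ssl.cert_time_to_seconds(c["notBefore"])
    return start <= now <= ssl.cert_time_to_seconds(c["notAfter"])

def check_chain(chain, host, now):
    """chain is leaf first; returns a list of failures (empty = passed)."""
    problems = []
    if not any(name_matches(n, host) for n in names(chain[0])):
        problems.append("hostname mismatch")
    for i, c in enumerate(chain):
        if not in_validity(c, now):
            problems.append(f"cert {i} outside validity period")
        if i > 0 and not c["ca"]:  # every issuer must be a CA
            problems.append(f"cert {i} lacks Basic Constraints CA:TRUE")
    return problems

# Constructed sample chains (not real certificates).
NOW = ssl.cert_time_to_seconds("Dec 23 08:54:57 2011 GMT")
ROOT = cert("Example Root CA", ca=True)
GOOD = [cert("bar.com", ["bar.com", "www.bar.com"]),
        cert("Example Issuing CA", ca=True), ROOT]
# A foo.com end-entity certificate presented as the issuer of bar.com.
BAD = [cert("bar.com", ["bar.com"]), cert("foo.com", ["foo.com"]), ROOT]

if __name__ == "__main__":
    print(check_chain(GOOD, "www.bar.com", NOW))  # passes all checks
    print(check_chain(BAD, "bar.com", NOW))       # flags the non-CA issuer
```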