Author christian.heimes
Recipients christian.heimes, gvanrossum, pitrou
Date 2013-10-19.10:13:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Content proposes that ensurepip comes with a default CA cert bundle, too. I see two issues with the proposal:

1) We must have a way to update the cert bundle outside the release cycle, e.g. with a download-able package from PyPI

2) CA certs can have an implicit purpose that is not part of the X.509 cert. A cert may only apply to server certs, client certs, S/MIME and/or other purposes like software signing. I have found a couple of issues in NSS certdata parsers and cert bundles like curl, Egenix OpenSSL (both fixed) and Ubuntu (not fixed yet). In order to get it right we need a separate bundle for every purpose. See

A while ago I started a PEP about the topic but it's not done yet.
Date User Action Args
2013-10-19 10:13:35christian.heimessetrecipients: + christian.heimes, gvanrossum, pitrou
2013-10-19 10:13:35christian.heimessetmessageid: <>
2013-10-19 10:13:35christian.heimeslinkissue19292 messages
2013-10-19 10:13:35christian.heimescreate