Author christian.heimes
Recipients christian.heimes, gvanrossum, pitrou
Date 2013-10-19.10:13:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1382177615.53.0.483229006152.issue19292@psf.upfronthosting.co.za>
In-reply-to
Content
http://www.python.org/dev/peps/pep-0453/#bundling-ca-certificates-with-cpython proposes that ensurepip comes with a default CA cert bundle, too. I see two issues with the proposal:

1) We must have a way to update the cert bundle outside the release cycle, e.g. with a download-able package from PyPI

2) CA certs can have an implicit purpose that is not part of the X.509 cert. A cert may only apply to server certs, client certs, S/MIME and/or other purposes like software signing. I have found a couple of issues in NSS certdata parsers and cert bundles like curl, Egenix OpenSSL (both fixed) and Ubuntu (not fixed yet). In order to get it right we need a separate bundle for every purpose. See https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004

A while ago I started a PEP about the topic but it's not done yet. https://bitbucket.org/tiran/peps/src/tip/pep-9999.txt
History
Date User Action Args
2013-10-19 10:13:35christian.heimessetrecipients: + christian.heimes, gvanrossum, pitrou
2013-10-19 10:13:35christian.heimessetmessageid: <1382177615.53.0.483229006152.issue19292@psf.upfronthosting.co.za>
2013-10-19 10:13:35christian.heimeslinkissue19292 messages
2013-10-19 10:13:35christian.heimescreate