Author ncoghlan
Recipients Lukasa, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, martin.panter, ncoghlan, orsenthil, vstinner
Date 2016-09-09.11:09:38
Message-id <1473419378.63.0.777606959826.issue28022@psf.upfronthosting.co.za>
Content
+1 for directing all programmatic configuration through SSLContext

However, implicitly verifying certificates for protocols other than HTTPS needs to be contingent on a properly designed approach to configuration that leaves informed users in full control of the behaviour of their systems - while I'm fully supportive of secure-by-default behaviour to protect unaware users, it's also the case that most other protocols haven't had the forcing function of web browser behaviour encouraging them to improve their certificate handling, and even that's still in a tragically bad state once you get away from the public web.

The file-based scheme in PEP 493, https://www.python.org/dev/peps/pep-0493/#backporting-pep-476-to-earlier-python-versions, was deliberately written to be potentially suitable for expansion to other protocols, but actually using it for that purpose would require the definition of a new feature PEP targeting 3.7 (which may then potentially be pitched for backporting to earlier versions as a subsequent proposal).
History
Date User Action Args
2016-09-09 11:09:38 ncoghlan set recipients: + ncoghlan, janssen, orsenthil, vstinner, giampaolo.rodola, christian.heimes, alex, martin.panter, dstufft, Lukasa
2016-09-09 11:09:38 ncoghlan set messageid: <1473419378.63.0.777606959826.issue28022@psf.upfronthosting.co.za>
2016-09-09 11:09:38 ncoghlan link issue28022 messages
2016-09-09 11:09:38 ncoghlan create