Author mcepl
Recipients barry, christian.heimes, maciej.szulik, mcepl, r.david.murray
Date 2018-04-21.18:31:57
Message-id <1524335518.09.0.682650639539.issue28320@psf.upfronthosting.co.za>
Content
I do agree with http://legacy.python.org/dev/peps/pep-0476/#other-protocols:

This PEP only proposes requiring this level of validation for HTTP clients, not for other protocols such as SMTP.

This is because while a high percentage of HTTPS servers have correct certificates, as a result of the validation performed by browsers, for other protocols self-signed or otherwise incorrect certificates are far more common.

With HTTP (and thanks to Let’s Encrypt) the situation seems to be really good, and most publicly accessible web servers will hopefully soon have good signed certificates, but I am afraid that with other servers (and especially but certainly not limited to IMAP servers) there are just too many self-signed certificates (or ones signed by suspicious internal CAs) in various internal email servers, that changing defaults would do more harm than good, I am afraid. Also, arguing about defaults is the way of The Waste of Time, so I will try to limit myself just to this one comment on this bug.
History
Date User Action Args
2018-04-21 18:31:58 mcepl set recipients: + mcepl, barry, christian.heimes, r.david.murray, maciej.szulik
2018-04-21 18:31:58 mcepl set messageid: <1524335518.09.0.682650639539.issue28320@psf.upfronthosting.co.za>
2018-04-21 18:31:58 mcepl link issue28320 messages
2018-04-21 18:31:57 mcepl create