Cory Benfield writes:

 > I'm overwhelmingly, dramatically +1 on this. There's no good
 > architectural reason to not use the built-in certificate chains by
 > default. I'd like to be in favour of backporting this change to earlier
 > Python versions as well, but it feels just a bit too aggressive.

-1  This is just a bit too aggressive, too.

I'll guarantee this breaks applications all over Japan, especially in
universities because the Ministry of Education uses certificates
rooted somewhere nobody's ever heard of, and typically don't bother to
ensure the domain name matches the cert being presented.  I've even
run into such domain-match issues with banks (not banks I deal with
any more, of course!)

This is quite different from web browsers and other interactive
applications.  It has the potential to break "secure" mail and news
and other automatic data transfers.  Breaking people's software that
should run silently in the background just because they upgrade Python
shouldn't happen, and people here will blame Python, not their broken
websites and network apps.

I don't know what the right answer is, but this needs careful
discussion and amelioration, not just "you're broken, so take the
consequences!"

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
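The two breakage scenarios raised in this message (a chain rooted at a CA the system does not ship, and a certificate whose name does not match the host) have application-side fixes that keep verification switched on. The following is an added example, not code from the thread or from Python's own patch set: it builds a verifying `ssl` context that can additionally trust a private institutional root, keeps the old unverified behaviour only for side-by-side contrast, and sorts verification error messages into the two cases so an operator can see whether the remedy is "install the root" or "fix the server's certificate". The message strings it matches are the standard OpenSSL/Python ones; the private-CA PEM argument and the helper names are this example's own.

```python
"""Added example: keeping PEP 476-style verification on for services that
sit behind a private root, and triaging the failures it surfaces."""
import ssl
from typing import Optional


def verifying_context(private_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Chain *and* hostname verification, using the system trust store.

    If a service is rooted at a private CA (an institutional root that no
    public store carries), pass that root's PEM text and it is added to the
    trust store. The alternative, turning verification off, is never taken.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if private_ca_pem:
        # Only the CA certificate goes here, never the server's leaf cert.
        ctx.load_verify_locations(cadata=private_ca_pem)
    return ctx


def legacy_unverified_context() -> ssl.SSLContext:
    """The pre-PEP 476 default, shown for contrast only.

    No chain check and no hostname check: any server, or anyone between the
    client and the server, is accepted. check_hostname must be cleared before
    verify_mode is lowered, or Python raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def classify_verify_error(message: str) -> str:
    """Map the text of an ssl.SSLCertVerificationError onto who must act.

    'unknown-root'      -> client side: ship the private root via
                           verifying_context(private_ca_pem=...)
    'hostname-mismatch' -> server side: reissue the certificate for the
                           name clients actually connect to
    'expired'           -> server side: renew
    """
    m = message.lower()
    if "hostname mismatch" in m or "doesn't match" in m:
        return "hostname-mismatch"
    if ("unable to get local issuer" in m
            or "self signed certificate" in m
            or "self-signed certificate" in m):
        return "unknown-root"
    if "certificate has expired" in m:
        return "expired"
    return "other"


# Constructed sample messages in the shape Python's ssl module produces;
# they are illustrations, not captured from any real host.
SAMPLE_ERRORS = [
    "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
    "unable to get local issuer certificate (_ssl.c:1000)",
    "Hostname mismatch, certificate is not valid for 'mail.example.ac.jp'.",
    "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
    "self signed certificate in certificate chain (_ssl.c:1000)",
]


def triage(messages) -> dict:
    """Count each remediation category across a batch of error messages."""
    counts: dict = {}
    for msg in messages:
        kind = classify_verify_error(msg)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print("default context verifying:", is_verifying(verifying_context()))
    print("legacy context verifying:", is_verifying(legacy_unverified_context()))
    print("triage:", triage(SAMPLE_ERRORS))
```

The practical point for the migration the thread is debating: a client that hits `unknown-root` against an institutional service needs the institution's root installed (system store or `cadata`), while `hostname-mismatch` cannot be fixed on the client without giving up hostname checking entirely, so that one belongs on the server operator's desk.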