On Thu, 1 Jun 2017 11:45:14 +0100 Cory Benfield <c...@lukasa.co.uk> wrote:

>
> I am claiming that using OpenSSL certificate validation with root stores that
> are not intended for OpenSSL can be. This is because trust of a certificate
> is non-binary. For example, consider WoSign. The Windows TLS implementation
> will distrust certificates that chain up to WoSign as a root certificate that
> were issued after October 21 2016. This is not something that can currently
> be represented as a PEM file. Therefore, the person exporting the certs needs
> to choose: should that be exported or not? If it is, then OpenSSL will
> happily trust it even in situations where the system trust store would not.
I was not talking about exporting the whole system CA as a PEM file, I was talking about adding an option for system administrators to configure an extra CA certificate to be recognized by pip.

> More generally, macOS allows the administrator to configure graduated trust:
> that is, to override whether or not a root should be trusted for certificate
> validation in some circumstances. Again, exporting this to a PEM does not
> persist this information.

How much of this is relevant to pip?

Regards

Antoine.