Re: Enable Hostname and Certificate Chain Validation
[Posted January 24, 2014 by jake]
| From: |
| Donald Stufft <donald-AT-stufft.io> |
| To: |
| Paul Moore <p.f.moore-AT-gmail.com> |
| Subject: |
| Re: Enable Hostname and Certificate Chain Validation |
| Date: |
| Wed, 22 Jan 2014 06:42:00 -0500 |
| Message-ID: |
| <0659BFF0-94C3-49CB-8054-AD2471D45CBB@stufft.io> |
| Cc: |
| Python-Dev <python-dev-AT-python.org> |
On Jan 22, 2014, at 6:21 AM, Paul Moore <p.f.moore@gmail.com> wrote:
> 2. Your proposal is that because some application authors have not
> opted in yet, we should penalise the end users of those applications
> by stopping them being able to use unverified https? And don't forget,
> applications that haven't opted in will have no switch to allow
> unverified use. That seems to be punishing the wrong people.
Another thought, if this is seriously a blocker something simple like
an environment variable could be added that switches the default.
Which would act as a global sort of —insecure flag for applications
that don’t provide one. I really don’t like the idea of doing that, but
it would be better than not validating by default.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
