changeset:   89951:6f776c91da08
branch:      3.4
parent:      89948:2bbda947a5b3
user:        Donald Stufft <donald@stufft.io>
date:        Mon Mar 24 19:26:03 2014 -0400
files:       Doc/library/ssl.rst Misc/NEWS
description:
Issue #21043: Remove the recommendation for specific CA organizations

Closes #21043 by updating the documentation to remove specific CA
organizations and update the text to no longer need to tell you to
download root certificates, but instead use the OS certificates
avaialble through SSLContext.load_default_certs.


diff -r 2bbda947a5b3 -r 6f776c91da08 Doc/library/ssl.rst
--- a/Doc/library/ssl.rst	Mon Mar 24 22:34:34 2014 +0100
+++ b/Doc/library/ssl.rst	Mon Mar 24 19:26:03 2014 -0400
@@ -1339,20 +1339,9 @@
 certificate, you need to provide a "CA certs" file, filled with the certificate
 chains for each issuer you are willing to trust.  Again, this file just contains
 these chains concatenated together.  For validation, Python will use the first
-chain it finds in the file which matches.  Some "standard" root certificates are
-available from various certification authorities: `CACert.org
-<http://www.cacert.org/index.php?id=3>`_, `Thawte
-<http://www.thawte.com/roots/>`_, `Verisign
-<http://www.verisign.com/support/roots.html>`_, `Positive SSL
-<http://www.PositiveSSL.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt>`_
-(used by python.org), `Equifax and GeoTrust
-<http://www.geotrust.com/resources/root_certificates/index.asp>`_.
-
-In general, if you are using SSL3 or TLS1, you don't need to put the full chain
-in your "CA certs" file; you only need the root certificates, and the remote
-peer is supposed to furnish the other certificates necessary to chain from its
-certificate to a root certificate.  See :rfc:`4158` for more discussion of the
-way in which certification chains can be built.
+chain it finds in the file which matches.  The platform's certificates file can
+be used by calling :meth:`SSLContext.load_default_certs`, this is done
+automatically with :func:`.create_default_context`.
 
 Combined key and certificate
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff -r 2bbda947a5b3 -r 6f776c91da08 Misc/NEWS
--- a/Misc/NEWS	Mon Mar 24 22:34:34 2014 +0100
+++ b/Misc/NEWS	Mon Mar 24 19:26:03 2014 -0400
@@ -79,6 +79,9 @@
 Documentation
 -------------
 
+- Issue #21043: Remove the recommendation for specific CA organizations and to
+  mention the ability to load the OS certificates.
+
 - Issue #20765: Add missing documentation for PurePath.with_name() and
   PurePath.with_suffix().