CACert is not in the root trust store on *any* platform that I'm aware of, and has not passed any audits. Seehttp://lwn.net/SubscriberLink/590879/ce23ed7bab68e489/ for more background.In it's place I've added StartSSL, which is included in most (all?) root trust stores, and offers free certs.

I completely agree, it seems less than good to recommend CACert.

That whole paragraph in the documentation is weird. Usually, you don't download select root certificates from various CAs, you just elect to trust a predetermined set of root certs (the system ones, usually).I would suggest rewording it and dropping the various download URLs.(and if the suggestion to provide the full chain is obsolete for SSLv3 and TLSv1, then similarly it may be dropped entirely - we needn't support SSLv2 specificities in the docs)

It's quite old (that paragraph) likely it was written that way because back then Python didn't have a way to load certificates.

I've attempted to modernize the paragraph.

Removed 2.7 since there's no API for getting the platform certs.

The latest patch looks good to me.

Looks good to me too.

New changeset6f776c91da08 by Donald Stufft in branch '3.4':Issue#21043: Remove the recommendation for specific CA organizationshttp://hg.python.org/cpython/rev/6f776c91da08

New changeset0485552b487e by Donald Stufft in branch 'default':Merge in 3.4 to bring forward the Issue#21043 changes.http://hg.python.org/cpython/rev/0485552b487e

New changeset7ef262eafecd by Donald Stufft in branch '2.7':Issue#21043 - Remove CACert.org from the recommendationshttp://hg.python.org/cpython/rev/7ef262eafecd