[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Paul Wouters paul at nohats.ca
Tue Apr 8 02:22:51 EEST 2014

wonder if we can use this instead of the legacy x509 code....

-------- Original Message --------
Subject: Announcing Mozilla::PKIX, a New Certificate Verification Library
Date: Mon, 07 Apr 2014 15:33:50 -0700
From: Kathleen Wilson <kwilson at mozilla.com>
Reply-To: mozilla's crypto code discussion list
<dev-tech-crypto at lists.mozilla.org>
To: mozilla-dev-tech-crypto at lists.mozilla.org


We have been working on a new certificate verification library for
Gecko, and would greatly appreciate it if you will test this new library
and review the new code.


NSS currently has two code paths for doing certificate verification.
"Classic" verification has been used for verification of non-EV
certificates, and libPKIX has been used for verification of EV

As many of you are aware, the NSS team has wanted to replace the
"classic" verification with libPKIX for a long time. However, the
current libPKIX code was auto-translated from Java to C, and has proven
to be very difficult to maintain and use. Therefore, Mozilla has created
a new certificate verification library called mozilla::pkix.

Request for Testing

Replacing the certificate verification library can only be done after
gaining sufficient confidence in the new code by having as many people
and organizations test it as possible.

We ask that all of you help us test this new library as described here:

Testing Window: The mozilla::pkix certificate verification library is
available for testing now in Nightly Firefox builds. We ask that you
test as soon as possible, and that you complete your testing before
Firefox 31 exits the Aurora branch in June.
(See https://wiki.mozilla.org/RapidRelease/Calendar)

Request for Code Review

The more people who code review the new code, the better. So we ask all
of you C++ programmers out there to review the code and let us know if
you see any potential issues.

We look forward to your help in testing and reviewing this new
certificate verification library.

Mozilla Security Engineering Team
