[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Thu Apr 10 18:41:00 EEST 2014
On Thu, Apr 10, 2014 at 11:35:35AM -0400, Lennart Sorensen wrote:
> On Thu, Apr 10, 2014 at 11:06:28AM -0400, Matt Rogers wrote:
> > On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote:
> > > On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote:
> > > > wonder if we can use this instead of the legacy x509 code....
> > >
> > > I would prefer avoiding having to maintain yet another crypto library.
> > > Needing openssl and gnutls26 is enough thank you. Routers have no need
> > > to run firefox and hence have no need to have libnss installed, so can
> > > we try to keep it that way?
> >
> > Libreswan already depends on NSS for crypto, not openssl.
>
> Well openswan didn't. We haven't upgraded yet.
>
> I would highly suggest reconsidering the use of libnss.
I am just looking at the fact that if you want to get a product FIPS
certified, you have to deal with checking openssl, gnutls and nss.
That's a lot of duplication.
Is NSS really that good?
--
Len Sorensen