[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Apr 10 18:59:25 EEST 2014

On Thu, Apr 10, 2014 at 11:46:28AM -0400, Paul Wouters wrote:
> And with openswan not compiled for NSS, you have a fourth set of crypto
> to certify.

Yeah, and apparently a rather old one.  For some reason I thought it
actually used openssl.  I see pluto linked against gnutls, libssl and
libcrypto on Debian.  It seems to have covered all its bases.  It even
has libp11-kit0 as a library.

> For us, NSS has some clear advantages (see previous email)

Smartcard support and such does seem like a clever feature, and the
ability to use crypto without knowing the actual keys is a nice feature.

> But I don't know anyone who is happy with their crypto library.

Anything to do with certificates is a nightmare. :)

> It would be great if the latest openssl disasters would lead to a new
> crypto library that is much more usable, is certified and audited,
> and can be used for FIPS compliant systems. We just need a kickstarter
> with a couple of million dollars to make this happen :/

That would be nice.  I am not betting on it though.  Openssl does have
a fips certified version.

A nice crypto library with well written clean code under a nice free
license (more free than GPL, so maybe BSD or something) would be nice.

Len Sorensen

More information about the Swan-dev mailing list