[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)
lsorense at csclub.uwaterloo.ca
Thu Apr 10 18:59:25 EEST 2014
On Thu, Apr 10, 2014 at 11:46:28AM -0400, Paul Wouters wrote:
> And with openswan not compiled for NSS, you have a fourth set of crypto
> to certify.
Yeah, and apparently a rather old one. For some reason I thought it
actually used openssl. I see pluto linked against gnutls, libssl and
libcrypto on Debian. It seems to have covered all its bases. It even
has libp11-kit0 as a library.
> For us, NSS has some clear advantages (see previous email)
Smartcard support and such does seem like a clever feature, and the
ability to use crypto without knowing the actual keys is a nice feature.
> But I don't know anyone who is happy with their crypto library.
Anything to do with certificates is a nightmare. :)
> It would be great if the latest openssl disasters would lead to a new
> crypto library that is much more usable, is certified and audited,
> and can be used for FIPS compliant systems. We just need a kickstarter
> with a couple of million dollars to make this happen :/
That would be nice. I am not betting on it though. Openssl does have
a fips certified version.
A nice crypto library with well written clean code under a nice free
license (more free than GPL, so maybe BSD or something) would be nice.
More information about the Swan-dev