[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Apr 10 18:59:25 EEST 2014


On Thu, Apr 10, 2014 at 11:46:28AM -0400, Paul Wouters wrote:
> And with openswan not compiled for NSS, you have a fourth set of crypto
> to certify.

Yeah, and apparently a rather old one.  For some reason I thought it
actually used openssl.  I see pluto linked against gnutls, libssl and
libcrypto on Debian.  It seems to have covered all its bases.  It even
has libp11-kit0 as a library.

> For us, NSS has some clear advantages (see previous email)

Smartcard support and such does seem like a clever feature, and the
ability to use crypto without knowing the actual keys is a nice feature.

> But I don't know anyone who is happy with their crypto library.

Anything to do with certificates is a nightmare. :)

> It would be great if the latest openssl disasters would lead to a new
> crypto library that is much more usable, is certified and audited,
> and can be used for FIPS compliant systems. We just need a kickstarter
> with a couple of million dollars to make this happen :/

That would be nice.  I am not betting on it though.  OpenSSL does have
a FIPS-certified version.

A nice crypto library with well written clean code under a nice free
license (more free than GPL, so maybe BSD or something) would be nice.

-- 
Len Sorensen
