[fabian2k]

I found the following part in the cons to NSS amusing, or maybe rather frightening:

> Certificate path building is C code designed to emulate Java code, through indirection of an average of 7 layers of macros, two platform abstraction layers, and then the remaining NSS abstraction layers (listed above)

[joshmoz]

IIRC... That is in reference to libpkix, the certificate validation component of NSS. I believe Mozilla developers are working on a replacement for it, called mozilla::pkix, in large part due to libpkix being overly complex. Last time I checked mozilla::pkix was pretty far along.

https://bugzilla.mozilla.org/show_bug.cgi?id=915930

[handsomeransoms]

It landed on Nightly a week ago, check it out! You can help us by testing it [0] or reviewing the code [1].

[0] https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing... [1] https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing...

[cvc]

To be even more precise, this new certificate validation library is the current default in nightly (ff-31), testing is welcome.

[kaiengert]

Note that NSS contains a classic certificate verification engine, which was originally written in C.

The above statement refers to an external contribution that was added to NSS. It added a second validation engine to NSS, libpkix.

It's true that the libpkix portion is very complicated code, but the above statement doesn't apply to NSS in general.