Line 81: | Line 81: | ||
***The internals of the implementation of the function are written. Finalizing API design. For more information see [https://bugzilla.mozilla.org/show_bug.cgi?id=294531 bug 294531] | ***The internals of the implementation of the function are written. Finalizing API design. For more information see [https://bugzilla.mozilla.org/show_bug.cgi?id=294531 bug 294531] | ||
**keep all existing verification API, but change their implementation to call libPKIX functions | **keep all existing verification API, but change their implementation to call libPKIX functions | ||
*** | ***Alexei will start working on it after new API is finalized. | ||
***The following is the list of functions that form the NSS chain building/validation API, which potentially will be modified: | |||
****Cert chain build functions: | |||
*****CERT_CertChainFromCert | |||
*****CERT_GetCertChainFromCert | |||
****Cert chain validation functions: | |||
*****CERT_VerifyCert | |||
*****CERT_VerifyCertChain | |||
*****CERT_VerifyCertificate | |||
*****CERT_VerifyCertificateNow | |||
*****CERT_VerifyCertNow | |||
*****CERT_VerifyCACertForUsage | |||
*Merge patch relating to CRL Distribution Point certificate extension, as well as CRL Issuing Distribution Point CRL extension. | |||
**Depends on the agreement with Entrust. Still pending... | |||
* NSPR enhancement is needed in order to support related sockets. https://bugzilla.mozilla.org/show_bug.cgi?id=234130 Bug 234130] | |||
*NSS internal libraries such as libSSL and libSMIME that utilize NSS chain building and validation features will need to be modified in order to leverage new functionalities provided by libPKIX. These changes are related to propagating policy parameters for certificate chain building/validation API from user application to NSS libraries and back. There are also open questions regarding changes in chain building process(See "Open Questions" 1-3) answers to that will result in NSS libraries modifications. | *NSS internal libraries such as libSSL and libSMIME that utilize NSS chain building and validation features will need to be modified in order to leverage new functionalities provided by libPKIX. These changes are related to propagating policy parameters for certificate chain building/validation API from user application to NSS libraries and back. There are also open questions regarding changes in chain building process(See "Open Questions" 1-3) answers to that will result in NSS libraries modifications. | ||
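Review bot: The Bugzilla link in the added NSPR bullet is missing its opening bracket (`https://bugzilla.mozilla.org/show_bug.cgi?id=234130 Bug 234130]`), so it will render as a bare URL followed by a stray `]`. Write it as `[https://bugzilla.mozilla.org/show_bug.cgi?id=234130 Bug 234130]`, matching the bug 294531 link at the top of this hunk. That bullet also starts with `* ` while its siblings use `*` with no space; pick one. On substance, the new function list says these calls "potentially will be modified" directly under a bullet that says to keep all existing verification API and change only the implementation. It would help to state whether "modified" means signature changes or internal changes only, since callers of CERT_VerifyCert and the other listed functions depend on that. The "Depends on the agreement with Entrust. Still pending..." item has no owner or tracking bug, unlike the neighbouring items.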
Line 94: | Line 110: | ||
***Verify libPKIX certificate chain validation compatibility with NSS. This task will requires to possess very wide set of, preferably life, certificates. One way to obtain them is to use search engine to find variety of websites that can provide us site certificates and certificate chains. | ***Verify libPKIX certificate chain validation compatibility with NSS. This task will requires to possess very wide set of, preferably life, certificates. One way to obtain them is to use search engine to find variety of websites that can provide us site certificates and certificate chains. | ||
:::::::::As an example of a certificate-searching scenario we can use wget to submit query to a search website to get all possible sites that have words "bank", "account", "mortgage". After parsing the results we can use wget to try to get certificate associated with these sites. | :::::::::As an example of a certificate-searching scenario we can use wget to submit query to a search website to get all possible sites that have words "bank", "account", "mortgage". After parsing the results we can use wget to try to get certificate associated with these sites. | ||
***Verify libPKIX certificate chain building compatibility with NSS. Same certificates that were used to check verifying compatibility can be used to for this task. | ***Verify libPKIX certificate chain building compatibility with NSS. Same certificates that were used to check verifying compatibility can be used to for this task. | ||
***Extended validation functionality testing provided by PKIX. This testing task includes checking validation based on policies and various certificate policy extensions. The current set of tests will be enough to verify that the libPKIX works correctly. But these tests will be modified to be launched using new NSS certificate chain validation API. | ***Extended validation functionality testing provided by PKIX. This testing task includes checking validation based on policies and various certificate policy extensions. The current set of tests will be enough to verify that the libPKIX works correctly. But these tests will be modified to be launched using new NSS certificate chain validation API. |