Robert Relyea wrote:
7. libpkix can actually fetch CRLs on the fly. The old code can only
use CRLs that have been manually downloaded. We have hacks in PSM to
periodically load CRLs, which work for certain enterprises, but not
with the internet.

PSM's periodic CRL download's certainly quite broken, but OTOH "on the fly" CRL fetching certainly won't work either on the Internet with regard to the delay it induces.

I'm ok if someone wanted to rework the libpkix code itself, but trying
to shoehorn in the libpkix features into the old cert processing code is
the longer path to getting to something stable. Note that the decision
to move away from the old code was made by those who knew it best.

Probably quite true, but the question of why libpkix is so big stays; it's very unlikely it brings a value proportionate to its size.

In the best of worlds, I'd vote for a complete reworking of it.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
