Title: #367: Remove nsslib from IPA
You're right, I should probably write some design. The current implementation
does not check CRL or OSCP, so we're "fine" with this change. There is a plan
on doing CRL check in certmonger, though.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code