Some addons, like Gmail S/MIME and Penango, require the classic CERT_Verify* API in addition to CERT_PKIXVerifyCert, because CERT_PKIXVerifyCert does not have some features that these addons need. Once all the bugs blocking this bug are fixed, we can stop exporting the classic CERT_Verify* API from the copy of NSS that we ship with Firefox and/or Thunderbird. There are probably more bugs that need to be added to the dependency list. Sean, it would be great if you could add the other dependencies you know about, filing new bugs if necessary. One of the issues that Sean mentioned is that libpkix does not return a partial certificate chain when it fails to build a complete chain. Such logic may also be useful for Gecko's cert UI. However, this doesn't necessarily need to be implemented in libpkix, AFAICT. We may just need an API or example code, that, given cert A, returns all possible known signers of cert A. Then, this function can be called recursively to build one or more possible partial paths. Another issue that Sean mentioned is bug 640892. Again, I am not sure if we really need to fix that bug, or if we can find some workarounds, like the ones I have suggested for Gecko in bug 699874 and elsewhere. (Or, perhaps it is not too difficult to fix bug 640892.)

At this point, I think all we would need to do here is remove CERT_VerifyCertificate and CERT_PKIXVerifyCert from config/external/nss/nss.symbols. There may be other (now-)unused functions that can be removed from that file as well.