Certificate validation does disk I/O and/or network I/O so it should never be done on the main thread. The most certain way to ensure that this certificate processing is not donesynchronously on the main thread is to replace/remove all the synchronous APIs that do such processing that are exposed to code outside of PSM (after changing all the callers within Firefox to use the replacement and giving other Gecko-based projects and addon developers a heads-up). This is consistent with the idea (plan?) to disable the ability for chrome code to do synchronous XHR.

Brian are there known cases of this still in the code?

Yes. For example, almost all of nsIX509CertDB and nsIX509CertDB2, and many things from nsIX509Cert, including: void getUsagesArray(in boolean localOnly, out uint32_t verified, out uint32_t count, [array, size_is(count)] out wstring usages); void getUsagesString(in boolean localOnly, out uint32_t verified, out AString usages); unsigned long verifyForUsage(in unsigned long usage); readonly attribute nsIASN1Object ASN1Structure; // I think void markForPermDeletion(); // from nsIX509Cert2 Also, for example, nsNSSComponent::Init does disk I/O on the main thread during startup, and nsNSSCertificate::IsExtendedValidation can be executed on the main thread Out of all things, I would say the most serious problems I know of are the nsNSSComponent::Init and nsNSSCertificate::IsExtendedValidation. Most of the prerequisite work on eliminating the badness of IsExtendedValidation is in bug 754365.