diff --git a/lib/jwcrypto b/lib/jwcrypto
index 299db4be7b6fc30a7d5a94815a143560f0cfc1ac..8cbb157af1dd2b544d08422a4c3c32ff26d6534a 160000
--- a/lib/jwcrypto
+++ b/lib/jwcrypto
@@ -1 +1 @@
-Subproject commit 299db4be7b6fc30a7d5a94815a143560f0cfc1ac
+Subproject commit 8cbb157af1dd2b544d08422a4c3c32ff26d6534a
diff --git a/verifier/app.js b/verifier/app.js
index bf6571161d9fc601261999e84edc55d8399a9ca4..db7c14b17f6ad1a0730d6147bd12f37e5f4611d4 100644
--- a/verifier/app.js
+++ b/verifier/app.js
@@ -40,7 +40,6 @@ const   path = require('path'),
    httputils = require('./lib/httputils.js'),
  idassertion = require('./lib/idassertion.js'),
 certassertion = require('./lib/certassertion.js'),
-         jwt = require('./lib/jwt.js'),
      express = require('express'),
      metrics = require('../libs/metrics.js'),
      logger = require('../libs/logging.js').logger;
@@ -54,18 +53,15 @@ logger.info("verifier server starting up");
 function doVerify(req, resp, next) {
   req.body = req.body || {}
   var assertion = (req.query && req.query.assertion) ? req.query.assertion : req.body.assertion;
-  var certificates = (req.query && req.query.certificates) ? req.query.certificates : req.body.certificates;
   var audience = (req.query && req.query.audience) ? req.query.audience : req.body.audience;
 
-  if (!(assertion && audience && certificates))
-    return resp.json({ status: "failure", reason: "need assertion, certificates audience" });
+  if (!(assertion && audience))
+    return resp.json({ status: "failure", reason: "need assertion and audience" });
 
   // removed CORS support, encourages wrong implementation approach
 
-  var cert_list = certificates.split(",");
-
   certassertion.verify(
-    cert_list, assertion, audience,
+    assertion, audience,
     function(email, audience, expires) {
       resp.json({
         status : "okay",
diff --git a/verifier/lib/certassertion.js b/verifier/lib/certassertion.js
index c4d988b59ac6a0698b15fc31904eeeef3cfca0e5..b2ed480d6c14aa7fc46f9842d9a710e3374592ce 100644
--- a/verifier/lib/certassertion.js
+++ b/verifier/lib/certassertion.js
@@ -44,6 +44,7 @@ url = require("url"),
 jwk = require("../../lib/jwcrypto/jwk"),
 jwt = require("../../lib/jwcrypto/jwt"),
 jwcert = require("../../lib/jwcrypto/jwcert"),
+vep = require("../../lib/jwcrypto/vep"),
 logger = require("../../libs/logging.js").logger;
 
 // configuration information to check the issuer
@@ -122,14 +123,16 @@ function retrieveHostPublicKey(host, successCB, errorCB) {
 
 // verify the tuple certList, assertion, audience
 //
-// certList is an array of serialized certs (strings)
-// assertion is a serialized jwt (string)
+// assertion is a bundle of the underlying assertion and the cert list
 // audience is a web origin, e.g. https://foo.com or http://foo.org:81
 //
 // pkRetriever should be sent in only by code that really understands
 // what it's doing, e.g. testing code.
-function verify(certList, assertion, audience, successCB, errorCB, pkRetriever) {
-  jwcert.JWCert.verifyChain(certList, function(issuer, next) {
+function verify(assertion, audience, successCB, errorCB, pkRetriever) {
+  // assertion is bundle
+  var bundle = vep.unbundleCertsAndAssertion(assertion);
+  
+  jwcert.JWCert.verifyChain(bundle.certificates, function(issuer, next) {
     // for now, only support the browserid.org issuer
     if (issuer != "browserid.org") {
       // allow other retrievers for now for testing
@@ -148,7 +151,7 @@ function verify(certList, assertion, audience, successCB, errorCB, pkRetriever)
     retrieveHostPublicKey(issuer, next);
   }, function(pk, principal) {
     var tok = new jwt.JWT();
-    tok.parse(assertion);
+    tok.parse(bundle.assertion);
 
     // audience must match!
     if (tok.audience != audience)
diff --git a/verifier/test/certassertion-test.js b/verifier/test/certassertion-test.js
index 8e0d0f294e7e5a1bb8da23bc9ca8a595815f3f7a..87d111051cbc0dde56e940fa2eca1ed7ca732426 100644
--- a/verifier/test/certassertion-test.js
+++ b/verifier/test/certassertion-test.js
@@ -40,6 +40,7 @@ var vows = require("vows"),
     jwk = require("../../lib/jwcrypto/jwk"),
     jwt = require("../../lib/jwcrypto/jwt"),
     jwcert = require("../../lib/jwcrypto/jwcert"),
+    vep = require("../../lib/jwcrypto/vep"),
     events = require("events");
 
 vows.describe('certassertion').addBatch({
@@ -51,13 +52,14 @@ vows.describe('certassertion').addBatch({
       var cert = new jwcert.JWCert("fakeroot.com", new Date(), user_kp.publicKey, {email:"user@fakeroot.com"}).sign(root_kp.secretKey);
       var assertion = new jwt.JWT(null, new Date(), "rp.com").sign(user_kp.secretKey);
 
-      var cb = this.callback;
+      var self = this;
+      var bundle = vep.bundleCertsAndAssertion([cert],assertion);
       
       // verify it
       certassertion.verify(
-        [cert], assertion, "rp.com",
+        bundle, "rp.com",
         function(email, audience, expires) {
-          cb({email:email, audience: audience, expires:expires});
+          self.callback({email:email, audience: audience, expires:expires});
         },
         function(msg) {},
         function(issuer, next) {