ACTION ITEMS

A summary of the action items resulting from the NSS face-to-face meetings of August 2012 is here:

https://etherpad.mozilla.org/nss-F2F-2012-actionItems

NSS Face to Face Meeting

Date: August 7 and 8, 2012 (Tuesday and Wednesday), Dinner on Monday August 6

Location: 650 Castro Street, Mountain View, CA 94041

Arrival: 9:00am, 3rd floor of Mozilla building

Conference Room: Northbridge, 4th Floor, 1-650-903-0800 extension 5480

Teleconference:

1-650-903-0800, extension 92, conference number 99161#
1-800-707-2533, password 369, conference number 99161#

Vidyo: Kathleen Wilson (9161)

Etherpad:

Day 1: https://etherpad.mozilla.org/nss-F2F-2012
Day 2 Infrastructure: https://etherpad.mozilla.org/nss-F2F-2012-day2
Day 2 Technical Discussions: https://etherpad.mozilla.org/nss-F2F-2012-day2-technicalDiscussions

IRC server: irc.mozilla.org, room: #nss

Attendees: Everyone local should try to attend the appropriate meetings in person. Everyone else may attend the appropriate meetings via teleconference.

High Level Schedule

Day	Topics
Monday	Dinner
Tuesday	Context Setting, Roadmaps, NSS Priorities, CAB Forum, Process, Telemetry
Wednesday	Infrastructure, Design/Technical Discussions
Thursday	3:30-5:30 - Technical Discussion about Revocation, in Mozilla office 4th floor NorthBridge
Friday	3:00 - Cert Manager UI Discussion at Red Hat office, 444 Castro st, 5th floor.
To Be Scheduled Later	Kathleen will send meeting invite for teleconferences: CA Policy Discussion (e.g. name constrained CAs), Government CA Policy Discussion

Detailed Agenda

Monday, August 6

Dinner - Scratch in Mtn. View
Please add your name here if you plan to attend: Kathleen Wilson, Johnathan Nightingale, Gerv Markham, Wan-Teh Chang, Ryan Sleevi, Brian Smith, Elio Maldonado, Kai Engert, Eric Rescorla, Bob Relyea, Josh Aas, Dan Veditz
Time: 6:00.
Reservation Details: Your reservation for 12 at Scratch (Mtn View) is confirmed for Monday, August 6, 2012 at 6:00 PM. The reservation is held under: Kathleen Wilson.

Tuesday, August 7

Day/Time	Meeting Topic	Attendees
9:30-10:30	Context Setting Commitment to NSS/PSM Optimizing our work dynamics List Questions/Items that we would like to discuss	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Lukas Blakk
10:30-12:00	Sharing of Roadmaps, priorities, goals RedHat Google Mozilla https://wiki.mozilla.org/Firefox/Roadmap https://wiki.mozilla.org/Security/Roadmap https://wiki.mozilla.org/Privacy/Roadmap Prioritizing Projects (Boot to Gecko, Firefox, Thunderbird, Xulrunner, ESR, etc.)	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco, David Keeler, David Dahl
12:00-12:30	Lunch
12:30-2:00	Continuation of Priorities discussion - China, Security Roadmap	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco, David Keeler, David Dahl, Gary Kwong
2:00-2:30	Items particularly related to our CAB Forum participation We need to firm up our "improving revocation" strategy, views and planned changes. Should we be pushing CAs to improve the CRL and OCSP infrastructure? If so, are we going to take advantage of it? What about all of these alternative mechanisms for revocation? There are some long-standing bugs that the CAB Forum has been asking us to fix for years. How are we doing? OCSP Stapling - bug 360420 OCSP client should be able to use HTTP GET as well as POST - bug 436414 Disable MD5 - bug 650355 The security UI in Firefox has recently changed significantly. For example, we no longer display a mixed content warning! What do we think of these changes, and do we want to lobby for reversals/fixes? Web PKI and the IETF	Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Eric Rescorla, Ian Melven, Camilo Viecco
3:00-3:30	Telemetry for NSS/PSM https://wiki.mozilla.org/Security/Features/TLS_Telemetry https://wiki.mozilla.org/Privacy/Reviews/Telemetry/SSL_Certificates_And_Errors bug 707275 Mozilla's telemetry What has been done so far What can be done NSS expose more about the connection handshake: bug 681839, bug 704584, and bug 704675 libpkix certificate verification will only show the most cert severe error? It would be helpful to still have access to other errors What telemetry would the NSS team find useful?	Kai Engert, Bob Relyea, Sid Stamm, David Chan, Dan Veditz, Brian Smith, Kathleen Wilson, Ian Melven
3:30-5:30	Process Existing NSS Process Flow Considerations Design phase UI Rapid prototyping (Flowerbeetle) https://wiki.mozilla.org/ReleaseEngineering/DisposableProjectBranches Gecko Development Practices Code Review Standards	Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Tanvi Vyas, ~~Alex Keybl~~ (sadly off on PTO), Andreas Gal, Ian Melven, Lukas Blakk, Camilo Viecco

Wednesday, August 8

Day/Time	Meeting Topic	Attendees
10:00-10:30	Infrastructure: Version Control Comparing HG (Mercurial) to CVS	Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn, Corey Shields, Melissa O'Connor
10:30-12:00	Infrastructure: Tests and Automation Making NSS automatic tests compatible with Mozilla RelEng systems Current need for separate NSS test systems Infrastructure that the NSS team currently depends on (Tinderbox, Bonsai, writeable CVS server) Current test system coverage vs full coverage of platforms Mozilla supports Plan for moving forward	Kai Engert, Bob Relyea, Elio Maldonado, Wan-Teh Chang, Ryan Sleevi, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, Justin Wood, Chris Cooper, John O'Duinn, Corey Shields, Melissa O'Connor
12:00-12:30	Lunch -- Review Kai's list of questions
TBD	NSS priorities https://wiki.mozilla.org/NSS:BurnDownList Non-PSM uses of NSS in Firefox	Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco
12:30-1:00	FIPS Certification	Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm
1:00-1:30	Operating System Requirements and Operating System Integration; e.g. smartcard support client certificate management certificate management in general FIPS certificate crypto module that the user is automatically logged into integration with operating-system cert stores on non-NSS-based platforms	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm
1:30-2:30	Discussion: Upgrade from HTTP to HTTPS Upgrade to HTTPS Problem Statement	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Dan Veditz, Camilo Viecco, Adam Barth, Pat McManus, Lucas Adamski, Eric Rescorla
2:30-4:30	Discussions: Revocation	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Johnathan Nightingale, Larissa Co, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Eric Rescorla, Dan Veditz, Camilo Viecco,

Thursday, August 9

Time	Meeting Topic	Attendees
3:30-5:30	Discussion: Revocation	Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Eric Rescorla, Dan Veditz, Camilo Viecco

Friday, August 10

Time	Meeting Topic	Attendees
3:00-5:00	Discussion: Cert Manager UI	Kai Engert, Bob Relyea, Larissa Co

To Be Scheduled

Day/Time	Meeting Topic	Attendees
TBD	CA Policy Discussion (Name Constrained CAs)	Kathleen Wilson, Ryan Sleevi, Brian Smith, Dan Veditz, Kai Engert, Gerv Markham
TBD	Government CA Policy Discussion	Kathleen Wilson, Brian Smith, Bob Relyea, Camilo Viecco, Gerv Markham, Eric Rescorla, Dan Veditz, Sid Stamm, Kai Engert

Potential Design/Technical Discussion Topics

Here's a list of possible items to have design and/or technical discussions about.

OCSP Stapling
CA Pinning
TLS 1.1
TLS 1.2
Libpkix enablement for all certs
OCSP Get
libssl4
J-PAKE
CA:OCSP-HardFail
Cert Blocklist via Update Ping
HSTS

Background: Notes from Kai/Dustin Meeting in June

NSS is a general purpose C crypto/certificate management library used by a number of applications as well as Mozilla (cert8.db and key3.db holds user stored passwords). NSS contains code that interfaces with multiple security devices (PKCS11) - smart cards, hardware tokens, etc. Chrome on Linux uses NSS as well, but use the local crypto toolkit on windows and OS X
NSPR is a cross platform API wrapper around various operating system specific C interfaces. NSS is based on NSPR in order to be portable to many platforms.

Releases are done with NSPR/NSS at the same time (keep them in sync). They just ask people not to make any changes, then make a tar ball. No binary releases since it's just a library.

Historically, the people who've worked on NSS have been a bit separate from the rest of the project. Members work at RedHat and Google (for example). During the last year, a few more people have volunteered.

There aren't a lot of updates and the NSS team only does code merges every once in a while. They use CVS for VCS since there's little development compared to the rest of the mozilla project, and they don't want to maintain multiple additional branches or learn a new VCS (not enough people resources).

Currently working on TLS 1.1 and hopefully TLS 1.2 in the future. So there are two branches right now (stable and dev).

IT resources:

Until recently, it has been a long struggle to get resources since Mozilla has moved on to new processes (tinderbox/bonsai, buildbot, VCS, etc). NSS has requirements that are not being met.
In the past, Sun was providing people to work on QA/testing, but that went away when Oracle bought Sun. Then Redhat took over. Redhat had to figure out how to run the tests (only old versions of the tests were checked in).
Redhat only has Linux, not Windows or Macs, so they didn't have the ability to test on those architectures.
About a year and a half ago, Mozilla offered to help as long as the NSS/NSPR team conformed to the rest of releng systems (all or nothing). The NSS group didn't have the resources to make their things compatible and were spending all of their resources trying to pick up the pieces from the Oracle purchase and subsequent ousting from Sun's hardware/QA group.
NSS/NSPR needed immediate coverage to get testing on other platforms working, but that took a year (when Dustin stepped in, Mozilla provided community VMs)
Kai wrote wiki pages on how to set up the VMs to run tests after getting access to these VMs, so that situation is better now.
Kai is working on a list of steps to get from where the team is now to something closer to what Mozilla would like to support (no more CVS, for example), but they need to plan this out, compromise to find what works best for NSS/NSPR team and Mozilla both, and they need help making the transition (again, lack of people resources on their part).
Dustin had some suggestions on what might work, but these things still need to be hashed out and defined.

NSS:FaceToFace2012

Contents

ACTION ITEMS

NSS Face to Face Meeting

High Level Schedule

Detailed Agenda

Monday, August 6

Tuesday, August 7

Wednesday, August 8

Thursday, August 9

Friday, August 10

To Be Scheduled

Potential Design/Technical Discussion Topics

Background: Notes from Kai/Dustin Meeting in June

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools