We also need to decide which NSS tools to ship. The candidate list is certutil, modutil, pk12util, signtool, and ssltap.

= NSS 3.11.1 =

== NSS 3.11.1 Features ==

=== OCSP HTTP Client Callback ===

We will add OCSP HTTP client callback support so that Firefox 2.0 can do OCSP through a proxy server ([https://bugzilla.mozilla.org/show_bug.cgi?id=111384 Bugzilla bug 111384]).

=== Elliptic Curve Cryptography ===

The NSS codebase currently contains [http://en.wikipedia.org/wiki/Elliptic_curve_cryptography Elliptic Curve Cryptography (ECC)] algorithms donated by Sun Research Labs; however, they are turned off by default in the build scripts. In this release we will implement the ECC TLS cipher suites and enable NSS to use third-party tokens that implement ECC. We have not yet decided whether we will enable all ECC functionality in this release.

This work was originally scheduled for NSS 3.12. We have decided to do it earlier, in NSS 3.11.1.

= NSS 3.11.5 (FIPS) =

The version number 3.11.5 has been reserved for the NSS 3.11.x release that will pass FIPS 140-2 validation.

= NSS 3.12 =

== NSS 3.12 Major Features ==

=== libpkix: an RFC 3280 Compliant Certificate Path Validation Library ===
New variants of CERT_VerifyCert will be added that use libpkix for certificate path validation.

=== TLS Server Name Indication ===

We are considering accelerating the implementation of the TLS Server Name Indication (SNI) extension (see RFC 3546) in light of a recent IEBlog post, [http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2].
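The server_name extension referred to above has a small, fixed wire layout, and the length checks a parser applies to it are where implementations tend to go wrong. The following Python is an added example and is not NSS code: it encodes and decodes the extension as RFC 3546 (sections 2.3 and 3.1) defines it, rejecting a trailing dot, a literal IP address, length fields that disagree with the bytes actually present, an empty list, and more than one name of the same name_type. The sample host name is constructed for the example. Note that the host name travels unencrypted in the ClientHello, so SNI reveals the intended virtual host to anyone observing the connection.

```python
"""Wire format of the TLS server_name extension (RFC 3546, sections 2.3 and 3.1)."""
import ipaddress
import struct

EXT_SERVER_NAME = 0        # ExtensionType server_name(0), RFC 3546 section 2.3
NAME_TYPE_HOST_NAME = 0    # NameType host_name(0), RFC 3546 section 3.1


def encode_server_name_extension(hostname):
    """Return the bytes of one server_name extension carrying `hostname`.

    Layout (all lengths big-endian):
      extension_type (2) | extension_data length (2) |
        ServerNameList length (2) |
          name_type (1) | HostName length (2) | HostName bytes
    """
    if hostname.endswith("."):
        raise ValueError("HostName is sent without a trailing dot")
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass
    else:
        raise ValueError("literal IP addresses are not permitted in HostName")
    # RFC 3546 specifies UTF-8 for HostName; RFC 6066 later restricted it to ASCII.
    host = hostname.encode("utf-8")
    if not 1 <= len(host) <= 0xFFFF:
        raise ValueError("HostName must be 1..2^16-1 bytes")
    # Only one name_type exists, and a list may not repeat a name_type,
    # so a well-formed ServerNameList carries exactly one entry.
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(host)) + host
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def decode_server_name_extension(data):
    """Parse one server_name extension and return the host_name it carries.

    Every declared length is checked against the bytes actually present, so a
    truncated or padded extension is rejected instead of being read past.
    """
    if len(data) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_SERVER_NAME:
        raise ValueError("not a server_name extension: type %d" % ext_type)
    body = data[4:]
    if len(body) != ext_len:
        raise ValueError("extension_data length %d != %d bytes present" % (ext_len, len(body)))
    if len(body) < 2:
        raise ValueError("ServerNameList truncated")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:]
    if len(entries) != list_len:
        raise ValueError("ServerNameList length %d != %d bytes present" % (list_len, len(entries)))
    if list_len == 0:
        raise ValueError("ServerNameList must contain at least one entry")
    hostname = None
    seen_types = set()
    pos = 0
    while pos < len(entries):
        if pos + 3 > len(entries):
            raise ValueError("ServerName entry truncated")
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        if pos + name_len > len(entries):
            raise ValueError("name length %d runs past end of list" % name_len)
        name = entries[pos:pos + name_len]
        pos += name_len
        if name_type in seen_types:
            raise ValueError("more than one name of name_type %d" % name_type)
        seen_types.add(name_type)
        if name_type == NAME_TYPE_HOST_NAME:
            if name_len == 0:
                raise ValueError("empty HostName")
            hostname = name.decode("utf-8")
        # RFC 3546 defines no other name_type; unknown types are skipped here.
    if hostname is None:
        raise ValueError("no host_name entry present")
    return hostname


def is_well_formed(data):
    """True if `data` parses as a valid server_name extension, else False."""
    try:
        decode_server_name_extension(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample host name for the example.
    ext = encode_server_name_extension("www.example.com")
    print(ext.hex())
    print(decode_server_name_extension(ext))
```

The decoder deliberately compares every length field against the bytes that are really there rather than trusting the field; a server that trusts the declared HostName length is the one that reads past its buffer on a malformed ClientHello.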
=== SQLite-Based Multiaccess Certificate and Key Databases ===

Many client applications, such as Mozilla Firefox, Mozilla Thunderbird, Evolution, and OpenOffice.org, use NSS now, but each has its own certificate and key databases. As a result, for example, if you import and trust a certificate in Firefox, you will not see it in Thunderbird. This is because Berkeley DB 1.85, the database NSS currently uses, can't be shared by multiple processes.

Although newer versions of Berkeley DB (from Sleepycat Software) support multiprocess access, their open source license is incompatible with the Mozilla Public License (MPL).

We are planning to implement a multiaccess database using [http://www.sqlite.org/ SQLite], which has a "public domain" license. In NSS 3.11 we plan to offer this new multiaccess database as an alternate database plugin (librdb.so). We plan to make it the default database in NSS 3.12. Other Mozilla teams are adopting SQLite, making it a logical choice for the NSS project as well.

Since libpkix is a significant amount of work, it is likely that the multiaccess database feature will be postponed to NSS 3.13.

<b>Note:</b> This change will affect code inside the FIPS 140-2 defined module boundary. Therefore, we will need to document these changes and obtain a delta validation.
= Future Work: NSS 3.13 and Beyond =