NSS 3.6 Plan
July 18, 2002
<< DRAFT >>
Introduction
The goal of NSS 3.6 is to deliver critical features that our customers need before NSS 4.0.
Features
In
- Determine whether NSS implements FIPS 198: Keyed-Hash Message Authentication Code (HMAC) (bug 148220).
- CRL cache (bug 149854).
- Partial CRL DER decoding functions for performance (bug 149816).
- Address the performance issues of cert lookup and listing on large cert databases or slow machines.
- New function CERT_VerifyCertificate for performance (bug 149832).
- New settings for the SSL_REQUIRE_CERTIFICATE option to address issues with restarting an old SSL session with client authentication (bug 135261).
- Investigate and reduce the number of PKCS#11 sessions used per SSL connection (bug 145322).
- PKCS#11 session logging (bug 98926).
Out
- Path validation for cross certification.
- Support for the "Issuing Distribution Point" CRL extension (bug 133191).
- CMC support (bug 53125).
- Support for delta-CRLs (bug 148214).
- Support for the "Freshest CRL" CRL extension (bug 148200). (This requires support for delta-CRLs).
- OCSP HTTP client may potentially block for a long time. Possible solutions include a configurable timeout (bug 110166) or a callback supplied by the NSS client.
- Multiple trust domains for virtual servers.
- Better error reporting, for example with an error stack.
- Release the regress tool, which is required by the Netscape PKCS #11 test suites.
- Conform to latest PKCS #11 revision (2.11).
- Notification of hardware accelerator failures.
- Tools: review and implement signtool enhancement requests (Bugzilla bugs #66600, #66603, #66604, #66606, and #66608).
- Tools: dbck should work.
- AES support in S/MIME.
- Interpretation of the CRL nextUpdate timestamp.
- Conform to RFC 2459.
- Elliptic Curve Cryptography (ECC).
- XML Key Management Specification (XKMS).
- OCSP local caching (bug 91532).
- Multiple client applications share the same cert and key databases.
- Resolve the remaining build issues with Mozilla client. Allow compilers (CC, CXX) and tools (PERL, ZIP) to be overridden. (Bug #52990)
- Combine SVRCORE with NSS. Either:
  - move the useful SVRCORE functions to NSS; or
  - help LDAP C SDK replace SVRCORE with existing public NSS functions.
- NSS should process UTF-8 strings correctly. For example, when a web server constructs a certificate request, it passes UTF-8 to NSS and NSS converts UTF-8 to UCS4 for ASN.1 Universal String encoding.
- NSS should support certificate nicknames in multibyte character sets.
- Anything that uses certificates or refers to certificates (for example, CRLs) should be able to use Distinguished Names (organization name, common name, etc.) in multibyte character sets. This applies to not only the C API functions but also the command-line tools such as certutil.
- Command-line tools such as certutil should support the default character set of the locale, which is often not UTF-8.
- NSS should use NSPR's error message functions for its error messages.
- NSS should support UTF-8 in certificate extensions.
- CERT_NameToAscii() should return the certificate attributes in UTF-8.
- The name of the built-in internal token is hardcoded and cannot be localized.
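The UTF-8 to UCS4 conversion mentioned in the certificate-request item above, as an added Python example (not NSS code): it takes a UTF-8 byte string as a web server would pass it, rejects malformed input, re-encodes it as big-endian UCS-4, and wraps it in a DER UniversalString (ASN.1 UNIVERSAL tag 28) with a minimal DER length; the decoder does the inverse with the same checks. The sample name is constructed.

```python
# Added example (not NSS code): DER-encode a UTF-8 string as an ASN.1
# UniversalString, whose content is UCS-4 (4 bytes per code point, big-endian).

UNIVERSAL_STRING_TAG = 0x1C  # ASN.1 UNIVERSAL 28, primitive form


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def utf8_to_ucs4(utf8: bytes) -> bytes:
    """Decode UTF-8 strictly (malformed sequences and surrogates are rejected)
    and re-encode as big-endian UCS-4, one 32-bit word per code point."""
    text = utf8.decode("utf-8")      # raises UnicodeDecodeError on bad input
    return text.encode("utf-32-be")  # the -be codec emits no byte-order mark


def encode_universal_string(utf8: bytes) -> bytes:
    """TLV: tag octet, DER length, UCS-4 content."""
    content = utf8_to_ucs4(utf8)
    return bytes([UNIVERSAL_STRING_TAG]) + der_length(len(content)) + content


def decode_universal_string(der: bytes) -> bytes:
    """Inverse: parse the TLV and return the value as UTF-8 bytes."""
    if len(der) < 2 or der[0] != UNIVERSAL_STRING_TAG:
        raise ValueError("not a UniversalString")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
    content = der[offset:offset + length]
    if len(content) != length or length % 4:
        raise ValueError("truncated or misaligned UCS-4 content")
    return content.decode("utf-32-be").encode("utf-8")


if __name__ == "__main__":
    # Constructed sample: a common name containing a non-ASCII character.
    sample = "Müller GmbH".encode("utf-8")
    der = encode_universal_string(sample)
    print(der.hex())
    assert decode_universal_string(der) == sample
```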
Performance Enhancement
In
- Set the TCP_NODELAY socket option when appropriate in the SSL protocol.
Out
- Coalesce small reads in SSL.
Bugs
The complete list of bugs that will be fixed in NSS 3.6 can be found in Bugzilla.
Components
- NSPR 4.2.
- DBM 1.61.
Platforms Supported
NSS is maintained on the platforms listed below. "Certify" means the NSS team will build and run QA tests for NSS on a machine with the specified OS.
Platform | Build | Certify | Compiler(s)
AIX | 4.3.3 (32 bit) | 4.3.3 | xlC/C++ 3.6.6
AIX | 4.3.3 (64 bit) | 4.3.3 | xlC/C++ 3.6.6
Compaq Tru64 | 5.0A | 5.0A, 5.1 | Compaq C V6.1-019
HP-UX | 11.0 (32 bit) | 11.0 | HP92453-01 A.11.01.20 HP C Compiler
HP-UX | 11.0 (64 bit) | 11.0 | HP92453-01 A.11.01.20 HP C Compiler
Linux 2.2 | Red Hat 6.0 | Red Hat 6.2 | egcs-1.1.2, GNU ld version 2.9.5 (with libbfd-2.9.5.0.22.so)
Linux 2.4 | Red Hat 7.1 | Red Hat 7.1 | gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81)
NT | NT 4.0 w/ SP 6a | NT 4.0 w/ SP 6a, Win2000 w/ SP 2 | VC++ 6.0 Service Pack 4
Windows | NT 4.0 w/ SP 6a | NT 4.0 w/ SP 6a, Win2000 w/ SP 2, Win95 OSR2 * | VC++ 6.0 Service Pack 4
Solaris SPARC | 2.6 | 2.6 | WorkShop Compilers C/C++ version 5.0
Solaris SPARC | 8 (32 bit) | 8 (32 bit), 8 (64 bit), 9 | Forte 6 update 2
Solaris SPARC | 8 (64 bit) | 8, 9 | Forte 6 update 2
Solaris x86 | 8 | 8, 9 | Forte 6 update 2
Mac OS | 9 | 8.5 *, 8.6 *, 9 * | Metrowerks CodeWarrior Pro 5
* Full QA certification will not be done on these platforms. We will only verify that PSM built with NSS 3.6 works on these platforms.
** Optional.
NSS has not yet been formally certified on any other platforms. If you have successfully run NSS QA tests on other platforms, please post the test output logs and results to mozilla.dev.tech.crypto. If you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto.
Note regarding NT builds: The build listed in the left column above as the "NT" build will run on NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build will run on all Windows flavors -- 95, 98, Me, NT, and 2000.
Only NSPR makes use of this NT vs. Windows distinction and provides different NT and Windows builds. Many Netscape products, including NSS, have NT and Windows builds that are essentially the same except one difference: one is linked with the NT version of NSPR and the other is linked with the Windows version of NSPR.
Schedule
We have the following tentative target dates.
Milestone | Date
Feature complete | 8/23/02
Beta | 8/30/02
Certification (RTM Candidate) | 9/20/02
RTM | 9/30/02