You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.6 Plan

July 18, 2002

<< DRAFT >>


The goal of NSS 3.6 is to deliver critical features that our customers need before NSS 4.0.



  1. Determine whether NSS implements FIPS 198: Keyed-Hash Authentication Code (HMAC) (bug 148220).
  2. CRL cache (bug 149854).
  3. Partial CRL DER decoding functions for performance (bug 149816).
  4. Address the performance issues of cert lookup and listing on large cert databases or slow machines.
  5. New function CERT_VerifyCertificate for performance (bug 149832).
  6. New settings for the SSL_REQUIRE_CERTIFICATE option to address issues with restarting an old SSL session with client authentication (bug 135261).
  7. Investigate and reduce the number of PKCS#11 sessions used per SSL connection (bug 145322).
  8. PKCS#11 session logging (bug 98926).


  1. Path validation for cross certification.
  2. Support for the "Issuing Distribution Point" CRL extension (bug 133191).
  3. CMC support (bug 53125).
  4. Support for delta-CRLs (bug 148214).
  5. Support for the "Freshest CRL" CRL extension (bug 148200).  (This requires support for delta-CRLs).
  6. OCSP HTTP client may potentially block for a long time.  Possible solutions include a configurable timeout (bug 110166) or a callback supplied by the NSS client.
  7. Multiple trust domains for virtual servers.
  8. Better error reporting, for example with an error stack.
  9. Release the regress tool, which is required by the Netscape PKCS #11 test suites.
  10. Conform to latest PKCS #11 revision (2.11).
  11. Notification of hardware accelerator failures.
  12. Tools: review and implement signtool enhancement requests (Bugzilla bugs #66600, #66603, #66604, #66606, and #66608).
  13. Tools: dbck should work.
  14. AES support in S/MIME.
  15. Interpretation of the CRL nextUpdate timestamp.
  16. Conform to RFC 2459.
  17. Elliptic Curve Cryptography (ECC).
  18. XML Key Management Specification (XKMS).
  19. OCSP local caching (bug 91532).
  20. Multiple client applications share the same cert and key databases.
  21. Resolve the remaining build issues with Mozilla client. Allow compilers (CC, CXX) and tools (PERL, ZIP) to be overridden. (Bug #52990)
  22. Combine SVRCORE with NSS.
    • move the useful SVRCORE functions to NSS; or
    • help LDAP C SDK replace SVRCORE with existing public NSS functions.
  23. NSS should process UTF-8 strings correctly.  For example, when a web server constructs a certificate request, it passes UTF-8 to NSS and NSS converts UTF-8 to UCS4 for ASN.1 Universal String encoding.
  24. NSS should support certificate nicknames in multibyte character sets.
  25. Anything that uses certificates or refers to certificates (for example, CRLs) should be able to use Distinguished Names (organization name, common name, etc.) in multibyte character sets.  This applies to not only the C API functions but also the command-line tools such as certutil.
  26. Command-line tools such as certutil should support the default character set of the locale, which is often not UTF-8.
  27. NSS should use NSPR's error message functions for its error messages.
  28. NSS should support UTF-8 in certificate extensions.
  29. CERT_NameToAscii() should return the certificate attributes in UTF-8.
  30. The name of the built-in internal token is hardcoded and cannot be localized.

Performance Enhancement


  1. Set the TCP_NODELAY socket option when appropriate in the SSL protocol.


  1. Coalesce small reads in SSL.


The complete list of bugs that will be fixed in NSS 3.6 can be found in Bugzilla.


  • NSPR 4.2.
  • DBM 1.61.
  • Platforms Supported

    NSS is maintained on the platforms listed below. "Certify" means the NSS team will build and run QA tests for NSS on a machine with the specified OS.

    Platform Build Certify Compiler(s)
    AIX 4.3.3 (32 bit) 4.3.3
    xlC/C++ 3.6.6

    4.3.3 (64 bit)

    4.3.3 xlC/C++ 3.6.6
    Compaq Tru64 5.0A 5.0A 
    Compaq C V6.1-019
    HP-UX 11.0 (32 bit) 11.0 HP92453-01 A.11.01.20 HP C Compiler

    11.0 (64 bit)

    11.0 HP92453-01 A.11.01.20 HP C Compiler
    Linux 2.2 Red Hat 6.0 Red Hat 6.2 egcs-1.1.2
    GNU ld version 2.9.5 (with
    Linux 2.4 Red Hat 7.1 Red Hat 7.1 gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81)
    NT NT 4.0 w/ SP 6a NT 4.0 w/ SP 6a 
    Win2000 w/ SP 2
    VC++ 6.0 Service Pack 4
    Windows NT 4.0 w/ SP 6a NT 4.0 w/ SP 6a 
    Win2000 w/ SP 2

    Win95 OSR2 * 
    Win98 SE * 
    Win Me *

    VC++ 6.0 Service Pack 4
    Solaris SPARC 2.6 2.6 WorkShop Compilers 
    C/C++ version 5.0
    8 (32 bit) 8 (32 bit)
    8 (64 bit)
    Forte 6 update 2
    8 (64 bit) 8
    Forte 6 update 2
    Solaris x86 8 8
    Forte 6 update 2
    Mac OS 9 8.5 * 
    8.6 * 
    9 *
    Metrowerks CodeWarrior Pro 5

    * Full QA certification will not be done on these platforms. We will only verify that PSM built with NSS 3.6 works on these platforms.

    ** Optional.

    NSS has not yet been formally certified on any other platforms. If you have successfully run NSS QA tests on other platforms, please post the test output logs and results to If you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to

    Note regarding NT builds: The build listed in the left column above as the "NT" build will run on NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build will run on all Windows flavors -- 95, 98, Me, NT, and 2000.

    Only NSPR makes use of this NT vs. Windows distinction and provides different NT and Windows builds. Many Netscape products, including NSS, have NT and Windows builds that are essentially the same except one difference: one is linked with the NT version of NSPR and the other is linked with the Windows version of NSPR.


    We have the following tentative target dates.

    Milestone Date
    Feature complete 8/23/02
    Beta 8/30/02
    Certification (RTM Candidate) 9/20/02
    RTM 9/30/02