You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.7 Plan

November 14, 2002

<< DRAFT >>


The goal of NSS 3.7 is to deliver critical features and bug fixes that NSS customers need before NSS 4.0 (available in 2H 2003). The focus of NSS development will gradually shift to NSS 4.0 but we will continue to fix bugs and enhance the performance of NSS 3.x.


The features are classified in three categories: In, Highly Desirable, and Out. By the time the PRD is approved, the items on the Highly Desirable list should all be marked either In or Out.


  1. Integrate Sun's elliptic curve cryptography (ECC) code with NSS. This consists of several subitems. Some of these subitems may be dropped if they are not done by the feature complete date.
    • Crypto: Add ECC to freebl.
    • PKCS #11: Add ECC to PKCS #11 wrap and softoken.
    • Cert: Add support for certs with ECC keys and signatures.
    • SSL: Implement the ECC cipher suites for TLS.
  2. Crypto: Implement FIPS 180-2 SHA-256, SHA-384, and SHA-512 (bug 167605). SHA-256 is a recommended message digest algorithm for XML Digital Signature (XMLDSIG). We should also implement HMAC-SHA256 and RSA with SHA256.
  3. Crypto: Implement software integrity check of the softoken (bug 177387).
  4. Crypto: Verify a signature with a public key not associated with a certificate (bug 174193).
  5. Crypto: Fix the bugs that prevent the use of AES in JSS 3.3's SDR (bug 174468, bug 174806).
  6. Cert: Add a way to obtain the list of all email addresses in a cert (bug 152986).
  7. Cert: Detect certificates with duplicate issuer name and serial number (bug 172247).
  8. PKCS #11: CRL object needs to change PKCS #11 object ID upon modification (bug 162753).
  9. PKCS #11: CRL updates need to be atomic (bug 162976).
  10. PKCS#11: Add a new function that blocks the calling thread until a token is removed (bug 177391).
  11. SSL: NSS needs to poll for smartcard/hardware token removal (bug 167756).
  12. DB: Fix or find a workaround for Berkeley DB 1.85's known problem with overwriting or deleting overflow hash key/data pairs (pairs with items larger than the page size), which corrupts the cert database when we store and delete CRLs (bug 169573).
  13. DB: Investigate whether we can license Sleepycat DB for use solely within NSS by NSS users who use NSS under the MPL. (NSS users who use NSS under the GNU GPL can use Sleepycat DB because the Berkeley Database License is compatible with the GNU GPL.)
  14. Build: coreconf should allow CC (the C compiler) and CCC (the C++ compiler) to be overriden (bug 107976).
  15. Test: All tests should call NSS_Shutdown and check the return value (bug 171263).
  16. Test: Add new certificate and CRL validation tests using the vfychain test program (bug 177398).
  17. Util: Add a function that maps NSS error codes to error strings.  One proposal is to use NSPR's error-code-translation interface (bug 172051, bug 66472).
  18. PSM: Remove PSM's dependency on the private NSS header file crmfi.h (bug 118832).
  19. Doc: Document the ASN.1 templates and the classic and QuickDER decoders (bug 177394).

Highly Desirable

  1. Util: Convert the NSS code to use SEC_QuickDERDecodeItem (bug 160805).
  2. SDR: Support use of other tokens besides the built-in tokens.
  3. Crypto: Implement RSAOAEP (bug 158747). RSAOAEP is required by XML Encryption (XMLENC).
  4. Crypto: Implement AES key wrap algorithms (bug 167818). AES-128 key wrap and AES-256 key wrap are required by XML Encryption (XMLENC).


  1. Path validation for cross certification.
  2. Support for the "Issuing Distribution Point" CRL extension (bug 133191).
  3. CMC support (bug 53125).
  4. Support for delta-CRLs (bug 148214).
  5. Support for the "Freshest CRL" CRL extension (bug 148200).  (This requires support for delta-CRLs).
  6. SSL: Implement the server-side DHE TLS ciphersuites (bug 102794).
  7. Server Name Identification in TLS.
  8. Crypto: Make softoken a cryptographic service and cert store provider on Windows.
  9. Cert: Need ability to request and issue certs with SubjectAltName extension (bug 122863).
  10. OCSP HTTP client may potentially block for a long time.  Possible solutions include a configurable timeout (bug 110166) or a callback supplied by the NSS client.
  11. DB: Rev the NSS database schema to accomodate new requirements (such as multiple email addresses per email profile).
  12. DB: Add checksums for objects (such as trust) stored in the NSS databases to detect file corruption.
  13. Multiple trust domains for virtual servers.
  14. Better error reporting, for example with an error stack.
  15. Release the regress tool, which is required by the Netscape PKCS #11 test suites.
  16. Notification of hardware accelerator failures.
  17. Tools: review and implement signtool enhancement requests (Bugzilla bugs #66600, #66603, #66604, #66606, and #66608).
  18. Tools: dbck should work.
  19. AES support in S/MIME.
  20. Interpretation of the CRL nextUpdate timestamp.
  21. XML Key Management Specification (XKMS).
  22. OCSP local caching (bug 91532).
  23. Resolve the remaining build issues with Mozilla client. Allow tools (PERL, ZIP) to be overridden (bug 82268).
  24. Combine SVRCORE with NSS.
    • move the useful SVRCORE functions to NSS; or
    • help LDAP C SDK replace SVRCORE with existing public NSS functions.
  25. NSS should process UTF-8 strings correctly.  For example, when a web server constructs a certificate request, it passes UTF-8 to NSS and NSS converts UTF-8 to UCS4 for ASN.1 Universal String encoding.
  26. NSS should support certificate nicknames in multibyte character sets.
  27. Anything that uses certificates or refers to certificates (for example, CRLs) should be able to use Distinguished Names (organization name, common name, etc.) in multibyte character sets.  This applies to not only the C API functions but also the command-line tools such as certutil.
  28. Command-line tools such as certutil should support the default character set of the locale, which is often not UTF-8.
  29. NSS should support UTF-8 in certificate extensions.
  30. CERT_NameToAscii() should return the certificate attributes in UTF-8.
  31. The name of the built-in internal token is hardcoded and cannot be localized.


The complete list of bugs that will be fixed in NSS 3.7 can be found in Bugzilla.


  • NSPR 4.3.
  • DBM 1.61.
  • Platforms Supported

    NSS is maintained on the platforms listed below. "Certify" means the NSS team will build and run QA tests for NSS on a machine with the specified OS.

    Platform Build Certify Compiler(s)
    AIX 5.1 (32 bit) 5.1 C for AIX, Version 5.0

    5.1 (64 bit)

    5.1 C for AIX, Version 5.0
    Compaq Tru64 5.0A 5.0A 
    Compaq C V6.3-132 or Compaq C V6.4-214 (dtk)
    HP-UX 11.0 (32 bit) 11.0 HP92453-01 A.11.01.20 HP C Compiler

    11.0 (64 bit)

    11.0 HP92453-01 A.11.01.20 HP C Compiler
    Linux 2.4 Red Hat 7.2 Red Hat 7.2
    Red Hat 7.3
    Sun Linux 5.0
    gcc 2.96-108
    NT Win2000 SP2 Win2000 SP2
    VC++ 6.0 Service Pack 4
    Windows Win2000 SP2 Win2000 SP2

    Win95 OSR2 * 
    Win98 SE * 
    Win Me *

    VC++ 6.0 Service Pack 4
    Solaris SPARC 8 (32 bit) 8 (32 bit)
    8 (64 bit)
    Forte 6 update 2
    8 (64 bit) 8
    Forte 6 update 2
    Solaris x86 8 8
    Forte 6 update 2
    Mac OS X 10.1.5
    Apple Computer, Inc. version gcc-934.3, based on gcc version 2.95.2 19991024 (release)

    * Full QA certification will not be done on these platforms. We will only verify that PSM built with NSS 3.6 works on these platforms.

    ** Optional.

    NSS has not yet been formally certified on any other platforms. If you have successfully run NSS QA tests on other platforms, please post the test output logs and results to If you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to

    Note regarding NT builds: The build listed in the left column above as the "NT" build will run on NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build will run on all Windows flavors -- 95, 98, Me, NT, and 2000.

    Only NSPR makes use of this NT vs. Windows distinction and provides different NT and Windows builds. Many Netscape products, including NSS, have NT and Windows builds that are essentially the same except one difference: one is linked with the NT version of NSPR and the other is linked with the Windows version of NSPR.


    We have the following tentative target dates.

    Milestone Date
    Feature complete (FC) 1/27/2003
    Beta 2/10/2003 (FC + 2 weeks)
    Certification (RTM Candidate) 2/24/2003 (Beta + 2 weeks)
    RTM 3/3/2003 (Certification + 1 week)