NSS 3.8 Plan
December 2002
Introduction
The goal of NSS 3.8 is to deliver critical features and bug fixes that NSS customers need in the first half of 2003.
Features
The features are classified in three categories: In, Highly Desirable, and Out. By the time the PRD is approved, the items on the Highly Desirable list should all be marked either In or Out.In
- Integrate Sun's elliptic curve cryptography (ECC) code with NSS (bug 195135). This consists of several subitems. Some of these subitems may be dropped if they are not done by the feature complete date.
- Crypto: Add ECC to freebl.
- PKCS #11: Add ECC to PKCS #11 wrap and softoken.
- Cert: Add support for certs with ECC keys and signatures.
- SSL: Implement the ECC cipher
suites for TLS.
- Crypto: Implement FIPS 180-2 SHA-256, SHA-384, and SHA-512 (bug 167605). SHA-256 is a recommended message digest algorithm for XML Digital Signature (XMLDSIG). We should also implement HMAC-SHA256 and RSA with SHA256.
- Crypto: Implement software integrity check of the softoken (bug 177387).
- PKCS #11: CRL updates
need to be atomic (bug 162976).
- SSL: NSS needs to poll for smartcard/hardware
token removal (bug 167756).
- Build: coreconf should allow CC (the C compiler) and CCC (the C++ compiler) to be overriden (bug 107976).
- Test: All tests should call NSS_Shutdown and check the return value (bug 171263).
- PSM: Remove PSM's dependency on the private NSS header file crmfi.h (bug 118832).
- Doc: Document the ASN.1 templates and the classic and QuickDER
decoders (bug
177394).
Highly Desirable
- Util: Convert the NSS code to use SEC_QuickDERDecodeItem (bug 160805).
- Crypto: Implement AES key wrap algorithms (bug 167818).
AES-128 key wrap and AES-256 key wrap are required by XML Encryption (XMLENC).
Out
- Test: Add new certificate and CRL validation tests using the vfychain test program (bug 177398).
- Util: Add a function that maps NSS error codes to error strings. One proposal is to use NSPR's error-code-translation interface (bug 172051, bug 66472).
- SDR: Support use of other tokens besides the built-in tokens.
- Crypto: Implement RSAOAEP (bug 158747).
RSAOAEP is required by XML Encryption (XMLENC).
- Path validation for cross certification.
- Support for the "Issuing Distribution Point" CRL extension (bug 133191).
- CMC support (bug 53125).
- Support for delta-CRLs (bug 148214).
- Support for the "Freshest CRL" CRL extension (bug 148200). (This requires support for delta-CRLs).
- SSL: Implement the server-side DHE TLS ciphersuites (bug 102794).
- Server Name Identification in TLS.
- Crypto: Make softoken a cryptographic service and cert store provider
on Windows.
- Cert: Need ability to request and issue certs with SubjectAltName
extension (bug 122863).
- OCSP HTTP client may potentially block for a long time. Possible solutions include a configurable timeout (bug 110166) or a callback supplied by the NSS client.
- DB: Rev the NSS database schema to accomodate new requirements (such as multiple email addresses per email profile).
- DB: Add checksums for objects (such as trust) stored
in the NSS databases to detect file corruption.
- Multiple trust domains for virtual servers.
- Better error reporting, for example with an error stack.
- Release the regress tool, which is required by the Netscape PKCS #11 test suites.
- Notification of hardware accelerator failures.
- Tools: review and implement signtool enhancement requests (Bugzilla bugs #66600, #66603, #66604, #66606, and #66608).
- Tools: dbck should work.
- AES support in S/MIME.
- Interpretation of the CRL nextUpdate timestamp.
- XML Key Management Specification (XKMS).
- OCSP local caching (bug 91532).
- Resolve the remaining build issues with Mozilla client. Allow tools (PERL, ZIP) to be overridden (bug 82268).
- Combine SVRCORE with NSS.
- move the useful SVRCORE functions to NSS; or
- help LDAP C SDK replace SVRCORE with existing public NSS functions.
- NSS should process UTF-8 strings correctly. For example, when a web server constructs a certificate request, it passes UTF-8 to NSS and NSS converts UTF-8 to UCS4 for ASN.1 Universal String encoding.
- NSS should support certificate nicknames in multibyte character sets.
- Anything that uses certificates or refers to certificates (for example, CRLs) should be able to use Distinguished Names (organization name, common name, etc.) in multibyte character sets. This applies to not only the C API functions but also the command-line tools such as certutil.
- Command-line tools such as certutil should support the default character set of the locale, which is often not UTF-8.
- NSS should support UTF-8 in certificate extensions.
- CERT_NameToAscii() should return the certificate attributes in UTF-8.
- The name of the built-in internal token is hardcoded and cannot be localized.
Bugs
The complete list of bugs that will be fixed in NSS 3.7 can be found in Bugzilla.Components
NSPR 4.3. DBM 1.61.
Platforms Supported
NSS is maintained on the platforms listed below. "Certify" means the NSS team will build and run QA tests for NSS on a machine with the specified OS.Platform | Build | Certify | Compiler(s) |
AIX | 5.1 (32 bit) | 5.1 | C for AIX, Version 5.0 |
5.1 (64 bit) |
5.1 | C for AIX, Version 5.0 | |
Compaq Tru64 | 5.0A | 5.0A
5.1 |
Compaq C V6.3-132
or Compaq C V6.4-214 (dtk) |
HP-UX | 11.0 (32 bit) | 11.0 | HP92453-01
A.11.01.20 HP C Compiler |
11.0 (64 bit) |
11.0 | HP92453-01 A.11.01.20
HP C Compiler |
|
Linux 2.4 | Red Hat 7.2 | Red Hat 7.2 Red Hat 7.3 Sun Linux 5.0 |
gcc 2.96-108 |
NT | Win2000 SP2 | Win2000 SP2 WinXP |
VC++ 6.0 Service Pack 4 |
Windows | Win2000 SP2 | Win2000 SP2 WinXP Win95 OSR2 * |
VC++ 6.0 Service Pack 4 |
Solaris SPARC | 8 (32 bit) | 8 (32 bit)
8 (64 bit) 9 |
Forte 6 update 2 |
8 (64 bit) | 8 9 |
Forte 6 update 2 | |
Solaris x86 | 8 | 8 9 |
Forte 6 update 2 |
Mac OS X | 10.1.5 |
10.1.5 10.2.1 |
Apple Computer, Inc. version gcc-934.3,
based on gcc version 2.95.2 19991024 (release) |
* Full QA certification will not be done on these platforms. We will only verify that PSM built with NSS 3.6 works on these platforms.
** Optional.
NSS has not yet been formally certified on any other platforms. If you have successfully run NSS QA tests on other platforms, please post the test output logs and results to mozilla.dev.tech.crypto. If you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto.
Note regarding NT builds: The build listed in the left column above as the "NT" build will run on NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build will run on all Windows flavors -- 95, 98, Me, NT, and 2000.
Only NSPR makes use of this NT vs. Windows distinction and provides different NT and Windows builds. Many Netscape products, including NSS, have NT and Windows builds that are essentially the same except one difference: one is linked with the NT version of NSPR and the other is linked with the Windows version of NSPR.
Schedule
We have the following target dates.Milestone | Date |
Feature complete (FC) | 1/27/2003 |
Beta | 2/10/2003 |
Beta 2 | 3/14/2003 |
Certification (RTM Candidate) | 3/24/2003 |
RTM | 3/31/2003 |