You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.9 Plan

  October 14, 2003


The goal of NSS 3.9 is to deliver critical features and bug fixes that NSS customers need in the fourth quarter of 2003.


The features are classified in three categories: In, Highly Desirable, and Out. By the time the PRD is approved, the items on the Highly Desirable list should all be marked either In or Out.


  1. Doc: Document the certificate, CRL, and PKCS#11 wrapper functions.
  2. Test: Implement some tests in NIST's PKI Test Suite (bug 177398).
  3. Support GeneralizedTime (bug 143334).
  4. RFC 3280 compliant name constraints (bug 208047).
  5. 2DES encrypt/decrypt references missing third 3DES key (bug 201521).
  6. Recognize all cert name attribute types in RFC 3280 (bug 207711)
  7. PK11_ListCerts skips duplicated keys/certs between tokens (bug 72291).
  8. PK11_FindCertFromNickname returns certificate with unexpected slot if identical keys/certs exist within the key DB and a PKCS11 token (bug 74822). Note: this bug has been resolved WONTFIX because of a limitation of the current NSS implementation. A workaround in JSS (bug 216117) has been provided to the customer.
  9. Convert email query keys to lowercase before searching (bug 141882).
  10. Crash in cert cache during smart card client auth stress test (bug 204549).
  11. OCSP needs more fine tuned error messages (bug 94413).
  12. NSS needs to be able to create token symkeys from unwrap and derive (bug 221067).
  13. Redefine NSS cert nicknames to identify certs unambiguously (by including an optional serial number at the end) (bug 210941).
  14. Tools: modutil does not list or delete modules that it cannot load (bug 203866, bug 203868).

Highly Desirable

  1. Measure and profile multithreaded signing operation performance on multiprocessor systems.
  2. Verify that a private key is deleted when all the certs associated with the private key have been deleted (bug 95150, bug 111078).
  3. Implement reference-counted PKCS #11 sessions (bug 216552). (Sun)
  1. Bugs marked with "[xmlsec-nss]" in Bugzilla.
    • Need a function to convert an ascii decimal string to an DER integer string (bug 212864).
    • etc.
  2. Handle ASCII names in certificates correctly (bug 82357, bug 210584, bug 210709, bug 220427, bug 220855, bug 211655).
  3. Tools: improve certutil's certificate extension parsing and display (bug 222124).
  4. Add OIDs dynamically in a thread-safe manner (bug 196360).
  5. Remove the locks that are not contended for (bug 200708). (Sun)


The complete list of bugs that will be fixed in NSS 3.9 can be found in Bugzilla.


  • NSPR 4.3.
  • DBM 1.61.
  • Platforms Supported

    NSS is maintained on the platforms listed below. "Certify" means the NSS team will build and run QA tests for NSS on a machine with the specified OS.

    Platform Build Certify Compiler(s)
    HP-UX 11.0 (32 bit) 11.0 HP92453-01 A.11.01.20 HP C Compiler

    11.0 (64 bit)

    11.0 HP92453-01 A.11.01.20 HP C Compiler
    Linux 2.4 Red Hat 7.2 Red Hat 7.2
    Red Hat 7.3
    Sun Linux 5.0
    gcc 2.96-108
    NT Win2000 SP2 Win2000 SP2
    VC++ 6.0 Service Pack 4
    Windows Win2000 SP2 Win2000 SP2

    Win95 OSR2 * 
    Win98 SE * 
    Win Me *

    VC++ 6.0 Service Pack 4
    Solaris SPARC 8 (32 bit) 8 (32 bit)
    8 (64 bit)
    Forte 6 update 2
    8 (64 bit) 8
    Forte 6 update 2
    Mac OS X 10.2
    Apple Computer, Inc. version gcc-934.3, based on gcc version 2.95.2 19991024 (release)

    * Full QA certification will not be done on these platforms. We will only verify that PSM built with NSS 3.6 works on these platforms.

    ** Optional.

    NSS has not yet been formally certified on any other platforms. If you have successfully run NSS QA tests on other platforms, please post the test output logs and results to If you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to

    Note regarding NT builds: The build listed in the left column above as the "NT" build will run on NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build will run on all Windows flavors -- 95, 98, Me, NT, and 2000.

    Only NSPR makes use of this NT vs. Windows distinction and provides different NT and Windows builds. Many Netscape products, including NSS, have NT and Windows builds that are essentially the same except one difference: one is linked with the NT version of NSPR and the other is linked with the Windows version of NSPR.


    We have the following target dates.

    Milestone Date
    Feature complete (FC) 10/17/2003
    Beta 10/31/2003
    Certification (RTM Candidate) 11/14/2003
    RTM 11/21/2003