NSS:Roadmap: Difference between revisions

NSS:Roadmap (view source)

Revision as of 09:30, 20 November 2007

632 bytes added , 20 November 2007

FRevised estimate of what's in and out for NSS 3.12

Nelsonb

106

edits

@@ Line 1: / Line 1: @@
-Updated: June 15, 2006 by Wan-Teh Chang
+Last Updated: November 20, Nelson Bolyard
 = Introduction =
@@ Line 17: / Line 17: @@
 = NSS 3.12 =
-== NSS 3.12 Major Features ==
+== NSS 3.12 Major Features (Planned) ==
 === libpkix: an RFC 3280 Compliant Certificate Path Validation Library ===
@@ Line 23: / Line 23: @@
 We are implementing libpkix, a new certificate path validation library that supports the certificate and CRL profile specified in RFC 3280.
-libpkix will add to NSS several features that are long overdue, such as certificate policy, cross-certification (Federal Bridge CA), and delta CRLs.
+libpkix will add to NSS several features that are long overdue, such as certificate policy extension handling, cross-certification (Federal Bridge CA), and delta CRLs.
-New variants of CERT_VerifyCert will be added that use libpkix for certificate path validation.
+A new variant of CERT_VerifyCert will be added that uses libpkix for certificate path validation, and the old CERT_Verify functions will optionally use libPKIX with limited capability.
-=== SQLite-Based Multiaccess Certificate and Key Databases ===
+=== SQLite-Based Shareable Certificate and Key Databases ===
-Many client applications, such as Firefox, Thunderbird, Evolution, and OpenOffice.org, use NSS, but they each have their own certificate and key databases. As a result, for example, if you import and trust a certificate in Firefox, you will not see it in Thunderbird. This is because Berkeley DB 1.85, the database NSS currently uses, can't be used by multiple processes.
+Many client applications, such as Firefox, Thunderbird, Evolution, and OpenOffice.org, use NSS, but they each have their own certificate and key databases. As a result, for example, if you import and trust a certificate in Firefox, you will not see it in Thunderbird. This is because Berkeley DB 1.85, the database NSS currently uses, can't be shared by multiple processes.
 Although new versions of Berkeley DB (from Sleepycat Software) support multiprocess access, its open source license is incompatible with the Mozilla Public License (MPL).
-We are planning to implement a multiaccess database using [http://www.sqlite.org/ SQLite], which is in the "public domain". Other Mozilla teams are adopting SQLite, making it a logical choice for the NSS project as well.
+We are planning to implement a shareable database using [http://www.sqlite.org/ SQLite], which is in the "public domain". Other Mozilla teams are adopting SQLite, making it a logical choice for the NSS project as well.
-Since libpkix is significant amount of work, it is likely that the multiaccess database feature will be postponed to NSS 3.13.
 <b>Note:</b> This change will affect code inside the FIPS 140-2 defined cryptographic module boundaries. Therefore, we will need to document these changes and obtain a delta validation.
-[[ NSS_Shared_DB|Proposed Shared Database Design Document is here.]]<br>
+[[ NSS_Shared_DB|Proposed Shareable Database Design Document is here.]]<br>
-[[ NSS_Shared_DB_Test|Instructions to build the Shared DB.]]<br>
+[[ NSS_Shared_DB_Test|Instructions to build the Shareable DB.]]<br>
-[[ NSS_Shared_DB_Samples|Instructions to test the Shared DB alpha.]]
+[[ NSS_Shared_DB_Samples|Instructions to test the Shareable DB alpha.]]
 === Component Refactoring ===
@@ Line 49: / Line 47: @@
 nssckbi (and ideally all of ckfw). It would be nice to ship nssckbi libraries separate from base NSS.
-softoken/freebl. These are our fips components. we want to make sure they are totally separated from the rest of NSS.
+softoken/freebl. These are our FIPS components. we want to make sure they are totally separated from the rest of NSS.
+util library.  Eliminate multiple copies of libutil functions that are linked in to multiple other shared libraries by making libutil a shared library.
 A document on refactoring for NSS 3.11 is available [[NSS_Refactor_3_11|here]].
@@ Line 55: / Line 55: @@
 A document on refactoring for NSS 3.12 is available [[NSS_Refactor_3_12|here]].
-= Future Work: NSS 3.13 and Beyond =
+== Capture from NSS 3.12 planning ==
-== Biometrics ==
+Some of these items are already documented above. Some (many) of these items will be put off to later releases.
-NSS needs to support external biometrics to unlock tokens. Today there are limitation in the PKCS#11 specifications which make it hard to replace the traditional smartcard PIN UI prompt with an external biometric operation. For example, we would like to unlock smartcards using a fingerprint reader or retina scanner.
+* IN (Planned for NSS 3.12, underway)
+** LibPKIX support
+*** Most features, but see below
+** Shareable DB
+*** Could add requirement for a new FIPS validation
+** Refactoring
+*** Util
+** OCSP Response Cache
+** Tool Improvements
+*** certutil support additional cert extensions
+*** long option name support
+* Uncertain
+** Refactoring
+*** nssckbi
+*** softoken/freebl
+** PKCS11 modules to access foreign key stores
+*** CAPI
+*** Mac keychain
+*** a PEM file
+** LibPKIX features
+*** Non-blocking cert verification
+*** CRL Fetching using CRLDP extensions
+* OUT (Not likely to be in NSS 3.12)
+** SSL enhancements
+*** Server side SNI
+*** Support curve based certificate selection for ECC certs.
+*** Server side DHE
+*** Support single use keys
+*** OCSP stapling (requires OCSP Cache).
+** Tool Improvements
+*** pkcs 7 cert packager
+*** better diagnostics for pk12util
+*** rationalized option names
+*** localization of tools
+** ECC for S/MIME
+** Language bindings for scripting languages
+*** Perl
+*** Python
+** Phone home root certs
+** Better NSS documentation
+*** tools (Unix man pages)
+*** API's
+*** HW security modules (PKCS #11 tools and test suites).
-== Capture from NSS 3.12 planning ==
+= Future: Work that may come after the release of NSS 3.12 =
-Some of these items are already documented above. Some (many) of these items will be put off to the next release.
+== Biometrics ==
-* LibPKIX support
+NSS needs to support external biometrics to unlock tokens. Today there are limitation in the PKCS#11 specifications which make it hard to replace the traditional smartcard PIN UI prompt with an external biometric operation. For example, we would like to unlock smartcards using a fingerprint reader or retina scanner.
-** EV Certificates
-** OCSP Cache
-* Shared DB
-** Could add requirement for a new FIPS validation
-* SSL
-** Server side SNI
-** Support curve based certificate selection for ECC certs.
-** Server side DHE
-** Support single use keys
-** OCSP stapling (requires OCSP Cache).
-* interoperability
-** capi PKCS 11
-** mac keychain PKCS 11
-** pem file PKCS 11
-* ECC for S/MIME
-* Language bindings for other languages (scripting languages like Perl and Python)
-* Improved tools
-** certutil
-** pkcs 7 cert packager
-** better diagnostics for pk12util
-** rationalized options
-** localization of tools
-* Phone home root certs
-* Better NSS documentations
-** tools (Unix man pages)
-** API's
-** HW security modules (PKCS #11 tools and test suites).
 = Schedules =
@@ Line 109: / Line 124: @@
 == NSS 3.12 ==
-* Feature Complete: TBD
+* Feature Complete for clients: TBD
+* Feature Complete for servers: TBD
 * Beta: TBD
 * RTM: TBD