NSS:FaceToFace2012: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
 
(132 intermediate revisions by 11 users not shown)
Line 1: Line 1:
'''DRAFT''' -- This is only a draft, still under discussion!
=ACTION ITEMS=
A summary of the action items resulting from the NSS face-to-face meetings of August 2012 is here:


==NSS Face to Face Meeting==
* https://etherpad.mozilla.org/nss-F2F-2012-actionItems


Date: TBD
=NSS Face to Face Meeting=


Location: 650 Castro Street, Mountain View, CA 94041
'''Date:''' August 7 and 8, 2012 (Tuesday and Wednesday), Dinner on Monday August 6


Conference Room: (possibly Northbridge, 4th Floor)
'''Location:''' 650 Castro Street, Mountain View, CA 94041


Attendees:  
'''Arrival:''' 9:00am, 3rd floor of Mozilla building
* Everyone local should try to attend the appropriate meetings in person.  
 
* Everyone else may attend the appropriate meetings via Vidyo or phone.
'''Conference Room:''' Northbridge, 4th Floor, 1-650-903-0800 extension 5480
 
'''Teleconference:'''
* 1-650-903-0800, extension 92, conference number 99161#
* 1-800-707-2533, password 369, conference number 99161#
 
'''Vidyo:''' Kathleen Wilson (9161)
 
'''Etherpad:'''
* Day 1: https://etherpad.mozilla.org/nss-F2F-2012
* Day 2 Infrastructure: https://etherpad.mozilla.org/nss-F2F-2012-day2
* Day 2 Technical Discussions: https://etherpad.mozilla.org/nss-F2F-2012-day2-technicalDiscussions
 
'''IRC server:''' irc.mozilla.org, room: #nss
 
'''Attendees:''' Everyone local should try to attend the appropriate meetings in person. Everyone else may attend the appropriate meetings via teleconference.


==High Level Schedule==
==High Level Schedule==
Line 18: Line 34:
   <th>Day</th>
   <th>Day</th>
   <th>Topics</th>  
   <th>Topics</th>  
  <th>Attendees</th>
</tr>
</tr>
<tr>
<tr>
   <td>1</td>
   <td>Monday</td>
   <td>Context Setting, Roadmaps, Infrastructure</td>
  <td>Dinner</td>
   <td>Kai Engert, Bob Relyea, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, and other Mozilla folks depending on the meeting topic.</td>
</tr>
<tr>
  <td>Tuesday</td>
   <td>Context Setting, Roadmaps, NSS Priorities, CAB Forum, Process, Telemetry</td>
</tr>
<tr>
  <td>Wednesday</td>
  <td>Infrastructure, Design/Technical Discussions</td>
</tr>
<tr>
  <td>Thursday</td>
   <td>3:30-5:30 - Technical Discussion about Revocation, in Mozilla office 4th floor NorthBridge</td>
</tr>
</tr>
<tr>
<tr>
   <td>2</td>
   <td>Friday</td>
   <td>Process, Infrastructure</td>
   <td>3:00 - Cert Manager UI Discussion at Red Hat office, 444 Castro st, 5th floor.</td>
  <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, and other Mozilla folks depending on the meeting topic.</td>
</tr>
</tr>
<tr>
<tr>
   <td>3</td>
   <td>To Be Scheduled Later</td>
   <td>Design and Technical Discussions</td>
   <td>Kathleen will send meeting invite for teleconferences: CA Policy Discussion (e.g. name constrained CAs), Government CA Policy Discussion</td>
  <td>NSS Team and additional Mozilla folks as needed.</td>
</tr>
</tr>
</table>
</table>


==Detailed Agenda==
==Detailed Agenda==
===Day 1===
 
===Monday, August 6===
 
* '''Dinner''' - [http://www.scratchmtnview.com Scratch in Mtn. View]
* '''Please add your name here if you plan to attend:''' Kathleen Wilson, Johnathan Nightingale, Gerv Markham, Wan-Teh Chang, Ryan Sleevi, Brian Smith, Elio Maldonado, Kai Engert, Eric Rescorla, Bob Relyea, Josh Aas, Dan Veditz
* '''Time:''' 6:00.
* '''Reservation Details:''' Your reservation for 12 at Scratch (Mtn View) is confirmed for Monday, August 6, 2012 at 6:00 PM. The reservation is held under: Kathleen Wilson.
 
===Tuesday, August 7===
<table border="1">
<table border="1">
<tr>
<tr>
Line 50: Line 82:
   <td>Context Setting
   <td>Context Setting
* Commitment to NSS/PSM
* Commitment to NSS/PSM
* Optimizing our work dynamics</td>
* Optimizing our work dynamics
   <td>Kai Engert, Bob Relyea, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham</td>
* List Questions/Items that we would like to discuss
</td>
   <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Lukas Blakk</td>
</tr>
</tr>


<tr>
<tr>
   <td>10:30-11:30</td>
   <td>10:30-12:00</td>
   <td>Mozilla Roadmaps: Firefox, Security, and Privacy
   <td>Sharing of Roadmaps, priorities, goals
* https://wiki.mozilla.org/Firefox/Roadmap
* RedHat
* https://wiki.mozilla.org/Security/Roadmap
* Google
* https://wiki.mozilla.org/Privacy/Roadmap
* Mozilla
* Prioritizing Projects (Boot to Gecko, Firefox, Thunderbird, Xulrunner, ESR, etc.)
** https://wiki.mozilla.org/Firefox/Roadmap
** https://wiki.mozilla.org/Security/Roadmap
** https://wiki.mozilla.org/Privacy/Roadmap
** Prioritizing Projects (Boot to Gecko, Firefox, Thunderbird, Xulrunner, ESR, etc.)
  </td>
  </td>
   <td>Kai Engert, Bob Relyea, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla</td>
   <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco, David Keeler, David Dahl</td>
</tr>
</tr>


<tr>
<tr>
   <td>11:30-12:30</td>
   <td>12:00-12:30</td>
   <td>Lunch</td>
   <td>Lunch</td>
   <td></td>
   <td></td>
Line 72: Line 109:


<tr>
<tr>
   <td>TBD</td>
   <td>12:30-2:00</td>
   <td>Infrastructure: Automation</td>
   <td>Continuation of Priorities discussion - China, Security Roadmap</td>
   <td>Kai Engert, Bob Relyea, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn</td>
   <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco, David Keeler, David Dahl, Gary Kwong</td>
</tr>
 
 
<tr>
  <td>2:00-2:30</td>
  <td>Items particularly related to our CAB Forum participation
* We need to firm up our "improving revocation" strategy, views and planned changes. Should we be pushing CAs to improve the CRL and OCSP infrastructure? If so, are we going to take advantage of it? What about all of these alternative mechanisms for revocation?
* There are some long-standing bugs that the CAB Forum has been asking us to fix for years. How are we doing?
** OCSP Stapling - {{bug|360420}}
** OCSP client should be able to use HTTP GET as well as POST - {{bug|436414}}
** Disable MD5 - {{bug|650355}}
* The security UI in Firefox has recently changed significantly. For example, we no longer display a mixed content warning! What do we think of these changes, and do we want to lobby for reversals/fixes?
 
[[NSS:WebPKI-IETF | Web PKI and the IETF]]
</td>
  <td>Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Eric Rescorla, Ian Melven, Camilo Viecco</td>
</tr>
 
<tr>
  <td>3:00-3:30</td>
  <td>Telemetry for NSS/PSM
* https://wiki.mozilla.org/Security/Features/TLS_Telemetry
* https://wiki.mozilla.org/Privacy/Reviews/Telemetry/SSL_Certificates_And_Errors
* {{bug|707275}}
* Mozilla's telemetry
* What has been done so far
* What can be done
** NSS expose more about the connection handshake: {{bug|681839}}, {{bug|704584}}, and {{bug|704675}}
** libpkix certificate verification will only show the most cert severe error? It would be helpful to still have access to other errors
* What telemetry would the NSS team find useful?
</td>
  <td>Kai Engert, Bob Relyea, Sid Stamm, David Chan, Dan Veditz, Brian Smith, Kathleen Wilson, Ian Melven</td>
</tr>
 
<tr>
<td>3:30-5:30</td>
  <td>Process
* Existing NSS Process Flow
* Considerations
** Design phase
** UI
** Rapid prototyping (Flowerbeetle)
** https://wiki.mozilla.org/ReleaseEngineering/DisposableProjectBranches
* Gecko Development Practices
* Code Review Standards
</td>
  <td>Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Tanvi Vyas, <strike>Alex Keybl</strike> (sadly off on PTO), Andreas Gal, Ian Melven, Lukas Blakk, Camilo Viecco</td>
</tr>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td></td>
   <td>Infrastructure: Buildbot System Demonstration</td>
   <td></td>
   <td>Kai Engert, Bob Relyea, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn</td>
   <td></td>
</tr>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td></td>
   <td>Infrastructure: Mozilla Supported Hardware </td>
   <td></td>
   <td>Kai Engert, Bob Relyea, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn</td>
   <td></td>
</tr>
</tr>


</table>
</table>


===Day 2===
===Wednesday, August 8===
<table border="1">
<table border="1">
<tr>
<tr>
Line 100: Line 185:


<tr>
<tr>
   <td>9:30-10:30</td>
   <td>10:00-10:30</td>
   <td>
   <td>Infrastructure: Version Control
*NSS priorities
* [[NSS:UsingHG | Comparing HG (Mercurial) to CVS]]
** https://wiki.mozilla.org/NSS:BurnDownList
 
*Non-PSM uses of NSS in Firefox</td>
</td>
   <td>Wan-Teh Chang, Kai Engert, Bob Relyea, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Josh Aas, Eric Rescorla</td>
   <td>Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn, Corey Shields, Melissa O'Connor</td>
</tr>
</tr>


<tr>
<tr>
   <td>10:30-11:30</td>
   <td>10:30-12:00</td>
   <td>Process
   <td>Infrastructure: Tests and Automation
* Existing NSS Process Flow
* Making NSS automatic tests compatible with Mozilla RelEng systems
* Code Review Standards
* Current need for separate NSS test systems
* Potential Improvements to Consider
* Infrastructure that the NSS team currently depends on (Tinderbox, Bonsai, writeable CVS server)
** Design phase
* Current test system coverage vs full coverage of platforms Mozilla supports
** UI
* Plan for moving forward
** Rapid prototyping (Flowerbeetle)  
</td>
** https://wiki.mozilla.org/ReleaseEngineering/DisposableProjectBranches
   <td>Kai Engert, Bob Relyea, Elio Maldonado, Wan-Teh Chang, Ryan Sleevi, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, Justin Wood, Chris Cooper, John O'Duinn, Corey Shields, Melissa O'Connor</td>
* Gecko Development Practices</td>
   <td>Wan-Teh Chang, Kai Engert, Bob Relyea, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Tanvi Vyas, Alex Keybl, Andreas Gal</td>
</tr>
</tr>


<tr>
<tr>
   <td>11:30-12:30</td>
   <td>12:00-12:30</td>
   <td>Lunch</td>
   <td>Lunch -- Review Kai's list of questions</td>
   <td></td>
   <td></td>
</tr>
</tr>
Line 130: Line 213:
<tr>
<tr>
   <td>TBD</td>
   <td>TBD</td>
   <td>Infrastructure: Version Control</td>
   <td>
   <td>Wan-Teh Chang, Kai Engert, Bob Relyea, Johnathan Nightingale, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn</td>
*NSS priorities
</tr>
** https://wiki.mozilla.org/NSS:BurnDownList
 
*Non-PSM uses of NSS in Firefox</td>
<tr>
   <td>Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco</td>
  <td>TBD</td>
  <td>Infrastructure: Test Systems</td>
  <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn</td>
</tr>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td>12:30-1:00</td>
   <td>FIPS Certification</td>
   <td>FIPS Certification</td>
   <td>Wan-Teh Chang, Kai Engert, Bob Relyea, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm</td>
   <td>Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm</td>
</tr>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td>1:00-1:30</td>
   <td>Operating System Requirements and Operating System Integration; e.g.
   <td>Operating System Requirements and Operating System Integration; e.g.
* smartcard support
* smartcard support
Line 155: Line 235:
* integration with operating-system cert stores on non-NSS-based platforms
* integration with operating-system cert stores on non-NSS-based platforms
</td>
</td>
   <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm</td>
   <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm</td>
</tr>
 
<tr>
  <td>1:30-2:30</td>
  <td>Discussion: Upgrade from HTTP to HTTPS
* [[NSS:upgradeToHTTPS | Upgrade to HTTPS Problem Statement]]
</td>
  <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Dan Veditz, Camilo Viecco, Adam Barth, Pat McManus, Lucas Adamski, Eric Rescorla</td>
</tr>
 
<tr>
  <td>2:30-4:30</td>
  <td>Discussions: Revocation</td>
  <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Johnathan Nightingale, Larissa Co, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Eric Rescorla, Dan Veditz, Camilo Viecco,</td>
</tr>
 
</table>
 
===Thursday, August 9===
<table border="1">
<tr>
  <th>Time</th>
  <th>Meeting Topic</th>
  <th>Attendees</th>
</tr>
 
<tr>
  <td>3:30-5:30</td>
  <td>Discussion: Revocation</td>
  <td>Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Eric Rescorla, Dan Veditz, Camilo Viecco</td>
</tr>
 
<tr>
  <td></td>
  <td></td>
  <td></td>
</tr>
</tr>


</table>
</table>


===Day 3===
===Friday, August 10===
<table border="1">
<table border="1">
<tr>
<tr>
   <th>Day/Time</th>
   <th>Time</th>
   <th>Meeting Topic</th>  
   <th>Meeting Topic</th>  
   <th>Attendees</th>  
   <th>Attendees</th>  
Line 169: Line 285:


<tr>
<tr>
   <td>9:30-10:30</td>
   <td>3:00-5:00</td>
   <td>Design/Technical Discussion: Telemetry for NSS/PSM
   <td>Discussion: Cert Manager UI</td>
https://wiki.mozilla.org/Security/Features/TLS_Telemetry
  <td>Kai Engert, Bob Relyea, Larissa Co</td>
</td>
</tr>
   <td>NSS Team, Sid Stamm, David Chan, Dan Veditz, Brian Smith, Kathleen Wilson</td>
 
<tr>
  <td></td>
  <td></td>
   <td></td>
</tr>
</tr>


</table>
===To Be Scheduled===
<table border="1">
<tr>
<tr>
   <td>TBD</td>
   <th>Day/Time</th>
   <td>Design/Technical Discussion: OCSP Stapling
   <th>Meeting Topic</th>  
https://wiki.mozilla.org/Security/Features/OCSP_Stapling
   <th>Attendees</th>  
* Already implemented?
* Any discussion needed?
</td>
   <td>NSS Team, Lucas Adamski, Camilo Viecco, Sid Stamm, Brian Smith, Dan Veditz</td>
</tr>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td>TBD</td>
   <td>Design/Technical Discussion: CA Pinning
   <td>CA Policy Discussion (Name Constrained CAs)</td>
https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
   <td>Kathleen Wilson, Ryan Sleevi, Brian Smith, Dan Veditz, Kai Engert, Gerv Markham</tr>
</td>
   <td>NSS Team, Lucas Adamski, Camilo Viecco, Sid Stamm, Brian Smith, Dan Veditz</td>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td>TBD</td>
   <td>Design/Technical Discussion: TBD</td>
   <td>Government CA Policy Discussion</td>
   <td>NSS Team and additional Mozilla folks as needed.</td>
   <td>Kathleen Wilson, Brian Smith, Bob Relyea, Camilo Viecco, Gerv Markham, Eric Rescorla, Dan Veditz, Sid Stamm, Kai Engert</td>
</tr>
</tr>


<tr>
<tr>
   <td>TBD</td>
   <td></td>
   <td>Design/Technical Discussion: TBD</td>
   <td></td>
   <td>NSS Team and additional Mozilla folks as needed.</td>
   <td></td>
</tr>
</tr>


</table>
</table>


===Potential Design/Technical Discussion Topics===
===Potential Design/Technical Discussion Topics===
Here's a list of possible items to have design and/or technical discussions about. Let's identify the ones that the team would like to have a focused discussion on, then add them to the schedule above.
Here's a list of possible items to have design and/or technical discussions about.
* [https://wiki.mozilla.org/Security/Features/OCSP_Stapling OCSP Stapling]
* [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality CA Pinning]
* TLS 1.1
* TLS 1.1
* TLS 1.2
* TLS 1.2
Line 220: Line 339:
* Cert Blocklist via Update Ping
* Cert Blocklist via Update Ping
* HSTS
* HSTS
== Background: Notes from Kai/Dustin Meeting in June ==
* [https://wiki.mozilla.org/NSS NSS] is a general purpose C crypto/certificate management library used by a number of applications as well as Mozilla (cert8.db and key3.db holds user stored passwords). NSS contains code that interfaces with multiple security devices (PKCS11) - smart cards, hardware tokens, etc. Chrome on Linux uses NSS as well, but use the local crypto toolkit on windows and OS X
* NSPR is a cross platform API wrapper around various operating system specific C interfaces. NSS is based on NSPR in order to be portable to many platforms.
Releases are done with NSPR/NSS at the same time (keep them in sync).  They just ask people not to make any changes, then make a tar ball.  No binary releases since it's just a library.
Historically, the people who've worked on NSS have been a bit separate from the rest of the project.  Members work at RedHat and Google (for example). During the last year, a few more people have volunteered.
There aren't a lot of updates and the NSS team only does code merges every once in a while.  They use CVS for VCS since there's little development compared to the rest of the mozilla project, and they don't want to maintain multiple additional branches or learn a new VCS (not enough people resources).
Currently working on TLS 1.1 and hopefully TLS 1.2 in the future.  So there are two branches right now (stable and dev).
IT resources:
* Until recently, it has been a long struggle to get resources since Mozilla has moved on to new processes (tinderbox/bonsai, buildbot, VCS, etc).  NSS has requirements that are not being met.
* In the past, Sun was providing people to work on QA/testing, but that went away when Oracle bought Sun. Then Redhat took over. Redhat had to figure out how to run the tests (only old versions of the tests were checked in).
* Redhat only has Linux, not Windows or Macs, so they didn't have the ability to test on those architectures.
* About a year and a half ago, Mozilla offered to help as long as the NSS/NSPR team conformed to the rest of releng systems (all or nothing).  The NSS group didn't have the resources to make their things compatible and were spending all of their resources trying to pick up the pieces from the Oracle purchase and subsequent ousting from Sun's hardware/QA group.
* NSS/NSPR needed immediate coverage to get testing on other platforms working, but that took a year (when Dustin stepped in, Mozilla provided community VMs)
* Kai wrote wiki pages on how to set up the VMs to run tests after getting access to these VMs, so that situation is better now.
* Kai is working on a list of steps to get from where the team is now to something closer to what Mozilla would like to support (no more CVS, for example), but they need to plan this out, compromise to find what works best for NSS/NSPR team and Mozilla both, and they need help making the transition (again, lack of people resources on their part). 
* Dustin had some suggestions on what might work, but these things still need to be hashed out and defined.

Latest revision as of 18:14, 14 August 2012

ACTION ITEMS

A summary of the action items resulting from the NSS face-to-face meetings of August 2012 is here:

NSS Face to Face Meeting

Date: August 7 and 8, 2012 (Tuesday and Wednesday), Dinner on Monday August 6

Location: 650 Castro Street, Mountain View, CA 94041

Arrival: 9:00am, 3rd floor of Mozilla building

Conference Room: Northbridge, 4th Floor, 1-650-903-0800 extension 5480

Teleconference:

  • 1-650-903-0800, extension 92, conference number 99161#
  • 1-800-707-2533, password 369, conference number 99161#

Vidyo: Kathleen Wilson (9161)

Etherpad:

IRC server: irc.mozilla.org, room: #nss

Attendees: Everyone local should try to attend the appropriate meetings in person. Everyone else may attend the appropriate meetings via teleconference.

High Level Schedule

Day Topics
Monday Dinner
Tuesday Context Setting, Roadmaps, NSS Priorities, CAB Forum, Process, Telemetry
Wednesday Infrastructure, Design/Technical Discussions
Thursday 3:30-5:30 - Technical Discussion about Revocation, in Mozilla office 4th floor NorthBridge
Friday 3:00 - Cert Manager UI Discussion at Red Hat office, 444 Castro st, 5th floor.
To Be Scheduled Later Kathleen will send meeting invite for teleconferences: CA Policy Discussion (e.g. name constrained CAs), Government CA Policy Discussion

Detailed Agenda

Monday, August 6

  • Dinner - Scratch in Mtn. View
  • Please add your name here if you plan to attend: Kathleen Wilson, Johnathan Nightingale, Gerv Markham, Wan-Teh Chang, Ryan Sleevi, Brian Smith, Elio Maldonado, Kai Engert, Eric Rescorla, Bob Relyea, Josh Aas, Dan Veditz
  • Time: 6:00.
  • Reservation Details: Your reservation for 12 at Scratch (Mtn View) is confirmed for Monday, August 6, 2012 at 6:00 PM. The reservation is held under: Kathleen Wilson.

Tuesday, August 7

Day/Time Meeting Topic Attendees
9:30-10:30 Context Setting
  • Commitment to NSS/PSM
  • Optimizing our work dynamics
  • List Questions/Items that we would like to discuss
 Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Lukas Blakk
10:30-12:00 Sharing of Roadmaps, priorities, goals Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco, David Keeler, David Dahl
12:00-12:30 Lunch
12:30-2:00 Continuation of Priorities discussion - China, Security Roadmap Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Johnathan Nightingale, Asa Dotzler, Sid Stamm, Lucas Adamski, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco, David Keeler, David Dahl, Gary Kwong
2:00-2:30 Items particularly related to our CAB Forum participation
  • We need to firm up our "improving revocation" strategy, views and planned changes. Should we be pushing CAs to improve the CRL and OCSP infrastructure? If so, are we going to take advantage of it? What about all of these alternative mechanisms for revocation?
  • There are some long-standing bugs that the CAB Forum has been asking us to fix for years. How are we doing?
  • The security UI in Firefox has recently changed significantly. For example, we no longer display a mixed content warning! What do we think of these changes, and do we want to lobby for reversals/fixes?

Web PKI and the IETF

Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Eric Rescorla, Ian Melven, Camilo Viecco
3:00-3:30 Telemetry for NSS/PSM Kai Engert, Bob Relyea, Sid Stamm, David Chan, Dan Veditz, Brian Smith, Kathleen Wilson, Ian Melven
3:30-5:30 Process Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Tanvi Vyas, Alex Keybl (sadly off on PTO), Andreas Gal, Ian Melven, Lukas Blakk, Camilo Viecco

Wednesday, August 8

Day/Time Meeting Topic Attendees
10:00-10:30 Infrastructure: Version Control Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, John O'Duinn, Corey Shields, Melissa O'Connor
10:30-12:00 Infrastructure: Tests and Automation
  • Making NSS automatic tests compatible with Mozilla RelEng systems
  • Current need for separate NSS test systems
  • Infrastructure that the NSS team currently depends on (Tinderbox, Bonsai, writeable CVS server)
  • Current test system coverage vs full coverage of platforms Mozilla supports
  • Plan for moving forward
 Kai Engert, Bob Relyea, Elio Maldonado, Wan-Teh Chang, Ryan Sleevi, Brian Smith, Josh Aas, Kathleen Wilson, Dustin Mitchell, Justin Wood, Chris Cooper, John O'Duinn, Corey Shields, Melissa O'Connor
12:00-12:30 Lunch -- Review Kai's list of questions
TBD Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Dan Veditz, Sid Stamm, Lucas Adamski, Josh Aas, Eric Rescorla, Ian Melven, Camilo Viecco
12:30-1:00 FIPS Certification Wan-Teh Chang, Ryan Sleevi, Kai Engert, Bob Relyea, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm
1:00-1:30 Operating System Requirements and Operating System Integration; e.g.
  • smartcard support
  • client certificate management
  • certificate management in general
  • FIPS certificate crypto module that the user is automatically logged into
  • integration with operating-system cert stores on non-NSS-based platforms
 Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Johnathan Nightingale, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm
1:30-2:30 Discussion: Upgrade from HTTP to HTTPS Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Dan Veditz, Camilo Viecco, Adam Barth, Pat McManus, Lucas Adamski, Eric Rescorla
2:30-4:30 Discussions: Revocation Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Johnathan Nightingale, Larissa Co, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Eric Rescorla, Dan Veditz, Camilo Viecco,

Thursday, August 9

Time Meeting Topic Attendees
3:30-5:30 Discussion: Revocation Kai Engert, Bob Relyea, Wan-Teh Chang, Ryan Sleevi, Elio Maldonado, Brian Smith, Kathleen Wilson, Gerv Markham, Sid Stamm, Eric Rescorla, Dan Veditz, Camilo Viecco

Friday, August 10

Time Meeting Topic Attendees
3:00-5:00 Discussion: Cert Manager UI Kai Engert, Bob Relyea, Larissa Co

To Be Scheduled

Day/Time Meeting Topic Attendees
TBD CA Policy Discussion (Name Constrained CAs) Kathleen Wilson, Ryan Sleevi, Brian Smith, Dan Veditz, Kai Engert, Gerv Markham
TBD Government CA Policy Discussion Kathleen Wilson, Brian Smith, Bob Relyea, Camilo Viecco, Gerv Markham, Eric Rescorla, Dan Veditz, Sid Stamm, Kai Engert

Potential Design/Technical Discussion Topics

Here's a list of possible items to have design and/or technical discussions about.

  • OCSP Stapling
  • CA Pinning
  • TLS 1.1
  • TLS 1.2
  • Libpkix enablement for all certs
  • OCSP Get
  • libssl4
  • J-PAKE
  • CA:OCSP-HardFail
  • Cert Blocklist via Update Ping
  • HSTS

Background: Notes from Kai/Dustin Meeting in June

  • NSS is a general purpose C crypto/certificate management library used by a number of applications as well as Mozilla (cert8.db and key3.db holds user stored passwords). NSS contains code that interfaces with multiple security devices (PKCS11) - smart cards, hardware tokens, etc. Chrome on Linux uses NSS as well, but use the local crypto toolkit on windows and OS X
  • NSPR is a cross platform API wrapper around various operating system specific C interfaces. NSS is based on NSPR in order to be portable to many platforms.

Releases are done with NSPR/NSS at the same time (keep them in sync). They just ask people not to make any changes, then make a tar ball. No binary releases since it's just a library.

Historically, the people who've worked on NSS have been a bit separate from the rest of the project. Members work at RedHat and Google (for example). During the last year, a few more people have volunteered.

There aren't a lot of updates and the NSS team only does code merges every once in a while. They use CVS for VCS since there's little development compared to the rest of the mozilla project, and they don't want to maintain multiple additional branches or learn a new VCS (not enough people resources).

Currently working on TLS 1.1 and hopefully TLS 1.2 in the future. So there are two branches right now (stable and dev).

IT resources:

  • Until recently, it has been a long struggle to get resources since Mozilla has moved on to new processes (tinderbox/bonsai, buildbot, VCS, etc). NSS has requirements that are not being met.
  • In the past, Sun was providing people to work on QA/testing, but that went away when Oracle bought Sun. Then Redhat took over. Redhat had to figure out how to run the tests (only old versions of the tests were checked in).
  • Redhat only has Linux, not Windows or Macs, so they didn't have the ability to test on those architectures.
  • About a year and a half ago, Mozilla offered to help as long as the NSS/NSPR team conformed to the rest of releng systems (all or nothing). The NSS group didn't have the resources to make their things compatible and were spending all of their resources trying to pick up the pieces from the Oracle purchase and subsequent ousting from Sun's hardware/QA group.
  • NSS/NSPR needed immediate coverage to get testing on other platforms working, but that took a year (when Dustin stepped in, Mozilla provided community VMs)
  • Kai wrote wiki pages on how to set up the VMs to run tests after getting access to these VMs, so that situation is better now.
  • Kai is working on a list of steps to get from where the team is now to something closer to what Mozilla would like to support (no more CVS, for example), but they need to plan this out, compromise to find what works best for NSS/NSPR team and Mozilla both, and they need help making the transition (again, lack of people resources on their part).
  • Dustin had some suggestions on what might work, but these things still need to be hashed out and defined.
Retrieved from "https://wiki.allizom.org/index.php?title=NSS:FaceToFace2012&oldid=460881"