NSS:Roadmap
Updated: June 15, 2006 by Wan-Teh Chang
Introduction
Welcome to the NSS roadmap. NSS is a collection of cryptographic libraries used for performing functions like setting up SSL connections or encrypting messages using the S/MIME standard. In 2005-2006, we plan to make at least three NSS releases: NSS 3.11, NSS 3.11.1, and NSS 3.12. This roadmap outlines the features and schedule estimates for these upcoming NSS releases. These releases will address the needs of the Mozilla clients, as well as the needs of Red Hat and Sun Microsystems server products and related technologies. Other consumers of NSS will also benefit from the performance and standards compliance features.
NSS 3.11
The NSS 3.11 Roadmap has been moved to NSS:Roadmap:Archive.
FIPS 140-2 Validation
The software cryptographic module (libsoftokn3.so) in NSS 3.11 will be submitted to BKP Security, an external validation lab, for FIPS 140-2 validation. To complete the validation, we will produce some code and a lot of documentation to demonstrate that NSS adheres to the standards. This work is being tracked in our FIPS Wiki page. We are making our documentation for FIPS 140-2 validation available on our FIPS Wiki page to make it easier for other vendors to validate other versions of NSS.
Many people ask us which version of the Mozilla clients (Firefox browser and Thunderbird mail client) will contain a FIPS 140-2 validated cryptographic module. These plans are still being reviewed, but we expect Mozilla to be able to ship the FIPS 140-2 validated module in the 2.0 release. Here is the current Firefox Roadmap. Of course, any change in the NSS schedule or the Mozilla schedule could cause this target to move.
NSS 3.11.1
NSS 3.11.1 Features
OCSP HTTP Client Callback
We will add OCSP HTTP client callback support (Bugzilla bug 152426) so that Firefox 2.0 can do OCSP through a proxy server (Bugzilla bug 111384).
Elliptic Curve Cryptography
The NSS codebase currently contains Elliptic Curve Cryptography (ECC) algorithms donated by Sun Labs; however, they are turned off by default in the build scripts. In this release we will implement the ECC TLS cipher suites specified in RFC 4492 (Bugzilla bug 236245).
This work was originally scheduled for NSS 3.12. We have decided to do it earlier in NSS 3.11.1.
TLS Server Name Indication
We are considering accelerating the implementation of the TLS Server Name Indication (SNI) extension (see RFC 3546) in light of a recent IEBlog post, "Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2".
This work was originally scheduled for NSS 3.12. We have decided to do it earlier in NSS 3.11.1.
NSS 3.11.2
NSS 3.11.2 is a bug-fix patch release. It will include:
- FIPS 140-2 features: logging auditable events, new cryptographic algorithm tests,
- fixes for the regressions introduced in NSS 3.11 or 3.11.1,
- fixes for the crashes or memory errors discovered by Coverity, and
- two new root CA certificates.
NSS 3.11.5 (FIPS)
The version number 3.11.5 has been reserved for the NSS 3.11.x release that will pass FIPS 140-2 validation.
NSS 3.12
NSS 3.12 Major Features
libpkix: an RFC 3280 Compliant Certificate Path Validation Library
We are implementing libpkix, a new certificate path validation library that supports the certificate and CRL profile specified in RFC 3280.
libpkix will add to NSS several features that are long overdue, such as certificate policy, cross-certification (Federal Bridge CA), and delta CRLs.
New variants of CERT_VerifyCert will be added that use libpkix for certificate path validation.
SQLite-Based Multiaccess Certificate and Key Databases
Many client applications, such as Firefox, Thunderbird, Evolution, and OpenOffice.org, use NSS, but they each have their own certificate and key databases. As a result, for example, if you import and trust a certificate in Firefox, you will not see it in Thunderbird. This is because Berkeley DB 1.85, the database NSS currently uses, can't be used by multiple processes.
Although new versions of Berkeley DB (from Sleepycat Software) support multiprocess access, their open source license is incompatible with the Mozilla Public License (MPL).
We are planning to implement a multiaccess database using SQLite, which is in the "public domain". Other Mozilla teams are adopting SQLite, making it a logical choice for the NSS project as well.
Since libpkix is a significant amount of work, it is likely that the multiaccess database feature will be postponed to NSS 3.13.
Note: This change will affect code inside the FIPS 140-2 defined cryptographic module boundaries. Therefore, we will need to document these changes and obtain a delta validation.
Proposed Shared Database Design Document is here.
Instructions to build the Shared DB.
Instructions to test the Shared DB alpha.
Component Refactoring
NSS is made up of several components, some of which can be separated out from each other for packaging (and potentially building) purposes. For NSS 3.12 we would like to make sure the following components are separable:
- nssckbi (and ideally all of ckfw). It would be nice to ship nssckbi libraries separate from base NSS.
- softoken/freebl. These are our FIPS components. We want to make sure they are totally separated from the rest of NSS.
A document on refactoring for NSS 3.11 is available here.
A document on refactoring for NSS 3.12 is available here.
Future Work: NSS 3.13 and Beyond
Biometrics
NSS needs to support external biometrics to unlock tokens. Today there are limitations in the PKCS#11 specifications which make it hard to replace the traditional smartcard PIN UI prompt with an external biometric operation. For example, we would like to unlock smartcards using a fingerprint reader or retina scanner.
Capture from NSS 3.12 planning
Some of these items are already documented above. Some (many) of these items will be put off to the next release.
- LibPKIX support
- EV Certificates
- OCSP Cache
- Shared DB
- Could add requirement for a new FIPS validation
- SSL
- Server side SNI
- Support curve based certificate selection for ECC certs.
- Server side DHE
- Support single use keys
- OCSP stapling (requires OCSP Cache).
- interoperability
- capi PKCS 11
- mac keychain PKCS 11
- pem file PKCS 11
- ECC for S/MIME
- Language bindings for other languages (scripting languages like Perl and Python)
- Improved tools
- certutil
- pkcs 7 cert packager
- better diagnostics for pk12util
- rationalized options
- localization of tools
- Phone home root certs
- Better NSS documentation
- tools (Unix man pages)
- APIs
- HW security modules (PKCS #11 tools and test suites).
Schedules
NSS 3.11
- Feature Complete: 8/31/2005
- Beta: 9/12/2005
- RTM: 12/16/2005
- FIPS 140-2 validation: 2006 Q3
NSS 3.11.1
- RTM: May 8, 2006
NSS 3.11.2
- RTM: June 23, 2006
NSS 3.12
- Feature Complete: TBD
- Beta: TBD
- RTM: TBD
NSS 3.13
- Feature Complete: TBD
- Beta: TBD
- RTM: TBD