Hi everybody. After the few meetings and a couple of hours of discussion in the last two days, we've made a short list of desired upgrades for NSS/PSM for the near term. This message should hopefully serve as a summary of the technical bits that -- based on the discussions -- seemed most urgent.
Here they are, prioritized into three buckets: - A (things we want soonest) - B (things we want fairly soon) - C (things we want, but after A and B are done) Bucket A: - Move to libpkix for all cert validation (bug 479393) - Complete active distrust in NSS (bug 470994) - Implement callbacks to augment validation checking (bug 644640) - Implement subscription-based blocklisting of certs via update ping (remove need to ship patch) Bucket B: - Implement OCSP Stapling (bug 360420) - Implement date-based revocation (distrust certs after specific date) - CA locking functionality in HSTS or via CAA Bucket C: - Disable cert overrides for *very old* expired certs (might not be in any CRLs anymore) Cheers, Sid _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security