On Fri, Apr 8, 2011 at 3:49 PM, Sid Stamm <s...@mozilla.com> wrote:
> After the few meetings and a couple of hours of discussion in the last
> two days, we've made a short list of desired upgrades for NSS/PSM for
> the near term.  This message should hopefully serve as a summary of the
> technical bits that -- based on the discussions -- seemed most urgent.
>
> Here they are, prioritized into three buckets:
> - A (things we want soonest)
> - B (things we want fairly soon)
> - C (things we want, but after A and B are done)
>
> Bucket A:
> - Move to libpkix for all cert validation (bug 479393)
> - Complete active distrust in NSS (bug 470994)
> - Implement callbacks to augment validation checking (bug 644640)
> - Implement subscription-based blocklisting of certs via update ping
> (remove need to ship patch)
>
> Bucket B:
> - Implement OCSP Stapling (bug 360420)
> - Implement date-based revocation (distrust certs after specific date)
> - CA locking functionality in HSTS or via CAA

^^^^ There's significant interest in this feature from chrome-security
as well.  We have a prototype implementation of the backend in Chrome
that you can drive through some UI, but we don't have any syntax for
turning it on from the network yet.  Let me know if you'd like to
discuss further.

Adam


> Bucket C:
> - Disable cert overrides for *very old* expired certs (might not be in
> any CRLs anymore)
>
> Cheers,
> Sid
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>