Handle private_key_ops better, esp wrt ->key_oid

Better support for keyex negotiation, DH and ECDH.

x501 name
    parsing
    comparing (LDAP canonicalisation rules)

DSA support
DSA2 support

Rewrite the pkcs11 code to support the following:

    * Reset the pin on card change.
    * Ref count the lock structure to make sure we have a
      prompter when we need it.
    * Add support for CK_TOKEN_INFO.CKF_PROTECTED_AUTHENTICATION_PATH

x509 policy mappings support

CRL delta support

Qualified statement
    https://bugzilla.mozilla.org/show_bug.cgi?id=277797#c2

Signed Receipts
    http://www.faqs.org/rfcs/rfc2634.html
    chapter 2

tests
    nist tests
        name constraints
        policy mappings
        http://csrc.nist.gov/pki/testing/x509paths.html

    building path using Subject/Issuer vs SubjKeyID vs AuthKeyID
    negative tests
        all checksums
        conditions/branches

pkcs7
    handle pkcs7 support in CMS ?

certificate request
    generate pkcs10 request
        from existing cert
    generate CRMF request
        pk-init KDC/client
        web server/client
        jabber server/client
        email

x509 issues:

    OtherName is left unspecified, but it's used by other
    specs, creating a hole where an application/CA can't specify
    a policy for SubjectAltName that covers the whole space. For
    example, a CA is trusted to provide authentication but not
    authorization.