1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
If you want to contribute (implement something from the current list, or
anything), contact the developer's mailing list (gnutls-dev@lists.gnupg.org),
in order to avoid having people working on the same thing.
Current list:
* Check opera (which sends an closure alert during the handshake
which we do not read).
* Modify the verification function, gnutls_x509_crt_list_verify(),
to check the list in reverse order, to save unneeded checks and
avoid possible attacks.
* Make the current ciphering code a bit more abstract to
allow easy integration with TLS hardware.
* Allow adding multiple subject alternative names.
* Allow verifying of certificates on their reception.
* Enforce the constraints for verify_peers() or similar, to openpgp
verification functions as well. This needs to be checked a bit.
* Verify added CRLs
* Add functions to import certificates, private keys, etc. from
files similar to gnutls_x509_crt_import().
* Print information about the certificate's public key in certtool
output.
* Document the format for the supported DN attributes.
* Add support for Certificate Extensions Profile for Qualified
Certificates (rfc3039)
* Audit the code
* Add gnutls_certificate_set_openpgp_keyring()
function, similar to gnutls_certificate_set_openpgp_key().
* Use subkeys with the 0x20 flag in openpgp keys (if present),
instead of the main key.
* Add function to extract the signers of an openpgp key. Should
be similar to gnutls_x509_crt_get_dn_oid().
* Add function to verify an openpgp key against a plain key.
- Clean up name space of helper functions in library (memmem,
firstElement, bit_mask, ...) for platforms that libtool's
-export-symbols-regex doesn't work.
- Allow sending V2 Hello messages. It seems that some (old) broken
implementations require that.
- Add Kerberos support
- Certificate chain validation improvements:
- Implement "correct" DN comparison (instead of memcmp).
- Support critical key usage KeyCertSign and cRLSign.
- Support path length constraints.
- RFC 3280 compliant certificate path validation.
- Add Pre-Shared-Key support.
(+) Means high priority
(*) Means medium priority
(-) Means low priority (ie. nobody is interested to develop that)
|