1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
If you want to contribute (implement something from the current list, or
anything), contact the developer's mailing list (gnutls-dev@lists.gnupg.org),
in order to avoid having people working on the same thing.
Current list:
+ Support PKCS#8 AES and DES-MD5 (tests/enc3pkcs8.pem) encrypted keys.
* Improve or rewrite libtasn1 to make it easier to maintain.
* Make and use by gnutls a flexible interface for algorithms such
as public key, symmetric, PRNGs to allow for plugins that use other
libraries than libgcrypt or even hardware drivers. Flexible means
that it should allow replacing of some components without harming the
others (i.e. now with libgcrypt there is no way to replace the prng component
with something else since libgcrypt uses it internally.)
* Allow adding multiple subject alternative names (certtool + x509 library).
* Verify added CRLs (is it really needed?)
* Document the format for the supported DN attributes.
* Audit the code
- Support OpenSSL encrypted PKCS#1 RSA keys, for compatibility (new
applications should use PKCS#8 instead).
- Allow verifying of certificates on their reception.
- Add gnutls_certificate_set_openpgp_keyring()
function, similar to gnutls_certificate_set_openpgp_key().
- Use subkeys with the 0x20 flag in openpgp keys (if present),
instead of the main key.
- Add function to extract the signers of an openpgp key. Should
be similar to gnutls_x509_crt_get_dn_oid().
- Add function to verify an openpgp key against a plain key.
- Clean up name space of helper functions in library (memmem,
firstElement, bit_mask, ...) for platforms that libtool's
-export-symbols-regex doesn't work.
- Allow sending V2 Hello messages. It seems that some (old) broken
implementations require that.
- Add Kerberos ciphersuites
- Certificate chain validation improvements:
- Implement "correct" DN comparison (instead of memcmp).
- Support critical key usage KeyCertSign and cRLSign.
- Support path length constraints.
- RFC 3280 compliant certificate path validation.
- Add progress handler gnutls_{dh,rsa}_params_generate2, to allow
application to give progress feedback to user.
- Support non-blocking gnutls_{dh,rsa}_params_generate2 for when there
is not enough entropy available.
- Implement Datagram-TLS (DTLS).
- Short-cut the certificate verification algorithm before the
root if a middle-CA is trusted.
- Update libgnutls-extra.m4 to use modern autoconf constructs.
- Support for hardware SSL accelerators
- Exhaustive test suite, using NIST's PKI Test vectors,
see http://csrc.nist.gov/pki/testing/x509paths_old.html
and http://csrc.nist.gov/pki/testing/x509paths.html
- Clean up certtool. Perhaps separate the different functions into
separate tools. Probably a rewrite is necessary.
- Enable certtool's template files to allow arbitrary
OIDs to be specified for x509v3's extended key usage attribute.
- Make it possible to extract the internal state of a session, to
be able to execve a new process that take over the current
living socket (using the fcntl close-on-exec flag) and
continue the TLS session as well.
- Implement draft-salowey-tls-ticket-05, useful for (e.g.) EAP-FAST.
(+) Means high priority
(*) Means medium priority
(-) Means low priority (ie. nobody is interested to develop that)
|
