path: root/doc/TODO
blob: c113895ff3278a243ff28a8bb68f09747d749d80 (plain)
If you want to contribute (implement something from the current list, or
anything else), contact the developers' mailing list (gnutls-dev@lists.gnupg.org)
first, so that several people do not end up working on the same thing.

Current list:
* Allow adding multiple subject alternative names.
* Verify added CRLs (is it really needed?)
* Document the format for the supported DN attributes.
* Audit the code
+ Support PKCS#8 AES and DES-MD5 (tests/enc3pkcs8.pem) encrypted keys.
- Support OpenSSL encrypted PKCS#1 RSA keys, for compatibility (new
  applications should use PKCS#8 instead).
- Allow verifying of certificates on their reception.
- Add gnutls_certificate_set_openpgp_keyring()
  function, similar to gnutls_certificate_set_openpgp_key().
- Use subkeys with the 0x20 flag in openpgp keys (if present),
  instead of the main key.
- Add function to extract the signers of an openpgp key. Should
  be similar to gnutls_x509_crt_get_dn_oid().
- Add function to verify an openpgp key against a plain key.
- Clean up the name space of helper functions in the library (memmem,
  firstElement, bit_mask, ...) for platforms where libtool's
  -export-symbols-regex doesn't work.
- Allow sending V2 Hello messages. It seems that some (old) broken
  implementations require that.
- Add Kerberos ciphersuites
- Certificate chain validation improvements:
  - Implement "correct" DN comparison (instead of memcmp).
  - Support critical key usage KeyCertSign and cRLSign.
  - Support path length constraints.
- RFC 3280 compliant certificate path validation.
- Add a progress handler to gnutls_{dh,rsa}_params_generate2, to allow
  the application to give progress feedback to the user.
- Support non-blocking gnutls_{dh,rsa}_params_generate2 for when there
  is not enough entropy available.
- Implement Datagram-TLS (DTLS).
- Short-cut the certificate verification algorithm before the
  root if a middle-CA is trusted.
- Update libgnutls-extra.m4 to use modern autoconf constructs.
- Support for hardware SSL accelerators
- Exhaustive test suite, using NIST's PKI Test vectors,
  see http://csrc.nist.gov/pki/testing/x509paths_old.html
  and http://csrc.nist.gov/pki/testing/x509paths.html
- Clean up certtool.  Perhaps separate the different functions into
  separate tools.  Probably a rewrite is necessary.
- Enable certtool's template files to allow arbitrary
  OIDs to be specified for x509v3's extended key usage attribute.
- Make it possible to extract the internal state of a session, to
  be able to execve a new process that takes over the currently
  live socket (using the fcntl close-on-exec flag) and
  continues the TLS session as well.
- Implement draft-salowey-tls-ticket-05, useful for (e.g.) EAP-FAST.

(+) Means high priority
(*) Means medium priority
(-) Means low priority (i.e. nobody is interested in developing that)