summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/hx509/TODO
blob: ecdfa8d5b6a199bb1ca6dc3371a2cc3332134a81 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Handle private_key_ops better, esp wrt ->key_oid

Better support for keyex negotiation, DH and ECDH.

x501 name
	parsing
	comparing (ldap canonlisation rules)

DSA support
DSA2 support

Rewrite the pkcs11 code to support the following:

	* Reset the pin on card change.
	* Ref count the lock structure to make sure we have a
          prompter when we need it.
	* Add support for CK_TOKEN_INFO.CKF_PROTECTED_AUTHENTICATION_PATH

x509 policy mappings support

CRL delta support

Qualified statement
	https://bugzilla.mozilla.org/show_bug.cgi?id=277797#c2


Signed Receipts
	http://www.faqs.org/rfcs/rfc2634.html
	chapter 2

tests
	nist tests
		name constrains
		policy mappings
		http://csrc.nist.gov/pki/testing/x509paths.html

	building path using Subject/Issuer vs SubjKeyID vs AuthKeyID
	negative tests
		all checksums
		conditions/branches

pkcs7
	handle pkcs7 support in CMS ?

certificate request
	generate pkcs10 request
		from existing cert
	generate CRMF request
		pk-init KDC/client
		web server/client
		jabber server/client 
		email


x509 issues:

 OtherName is left unspecified, but it's used by other
 specs. creating this hole where a application/CA can't specify
 policy for SubjectAltName what covers whole space. For example, a
 CA is trusted to provide authentication but not authorization.