Handle private_key_ops better, esp wrt ->key_oid

Better support for keyex negotiation, DH and ECDH.

x501 name
    parsing
    comparing (ldap canonicalisation rules)

DSA support
DSA2 support

Rewrite the pkcs11 code to support the following:

    * Reset the pin on card change.
    * Ref count the lock structure to make sure we have a
      prompter when we need it.
    * Add support for CK_TOKEN_INFO.CKF_PROTECTED_AUTHENTICATION_PATH

x509 policy mappings support

CRL delta support

Qualified statement
    https://bugzilla.mozilla.org/show_bug.cgi?id=277797#c2


Signed Receipts
    http://www.faqs.org/rfcs/rfc2634.html
    chapter 2

tests
    nist tests
        name constraints
        policy mappings
        http://csrc.nist.gov/pki/testing/x509paths.html

    building path using Subject/Issuer vs SubjKeyID vs AuthKeyID
    negative tests
        all checksums
        conditions/branches

pkcs7
    handle pkcs7 support in CMS ?

certificate request
    generate pkcs10 request
        from existing cert
    generate CRMF request
        pk-init KDC/client
        web server/client
        jabber server/client
        email


x509 issues:

 OtherName is left unspecified, but it's used by other
 specs, creating a hole where an application/CA can't specify
 a policy for SubjectAltName that covers the whole space. For example, a
 CA is trusted to provide authentication but not authorization.