... | ... | @@ -8,7 +8,7 @@ Released date: Possibly mid-April 2015 |
|
|
|
|
|
* [x] **System-keys API:** Provide an API to access keys from the system storage, if available. That should, as first step, allow accessing keys from windows key store (and also windows supported smart cards). [The current API design.](https://gitlab.com/gnutls/gnutls/blob/master/lib/includes/gnutls/system-keys.h#L27)
|
|
|
|
|
|
* [#] **Privilege separation for private key operations:** During the development of openconnect vpn server, we realized the need for separating private key operations for typical SSL operations. That resulted in ocserv to a special security module that handles the private key operations of a less privileged worker process. That could be generalized so that more applications can use it. The advantage of such a design is that a bug on the TLS/ASN.1 parsing code would not leak the server's private key (thus counter heartbleed type of attacks). That part would be restricted to UNIX/POSIX systems so it may be released as a different library. **This most likely will be based on some external solution, like [caml-crush](https://github.com/ANSSI-FR/caml-crush) or [p11-kit](http://lists.freedesktop.org/archives/p11-glue/2014-December/000523.html) both based on PKCS #11 modules**.
|
|
|
* [#] **Privilege separation for private key operations:** During the development of openconnect vpn server, we realized the need for separating private key operations for typical SSL operations. That resulted in ocserv to a special security module that handles the private key operations of a less privileged worker process. That could be generalized so that more applications can use it. The advantage of such a design is that a bug on the TLS/ASN.1 parsing code would not leak the server's private key (thus counter heartbleed type of attacks). That part would be restricted to UNIX/POSIX systems so it may be released as a different library. **This most likely will be based on some external solution, like [caml-crush](https://github.com/ANSSI-FR/caml-crush) or [p11-kit](http://lists.freedesktop.org/archives/p11-glue/2014-December/000523.html); both are based on PKCS #11 which is well supported**.
|
|
|
|
|
|
* [x] **Transparent support for internationalized DNS names:** Add support for [RFC6125 recommendations](https://tools.ietf.org/html/rfc6125#section-6.4.2).
|
|
|
|
... | ... | |