A simple API for AEAD ciphers: The current API for AEAD ciphers does not take advantage of the inherent simplicity of AEAD ciphers (e.g., decryption and tag verification happening in the same step). Provide an API that simplifies the use of such ciphers. The current API design.
System-keys API: Provide an API to access keys from the system storage, if available. As a first step, that should allow accessing keys from the Windows key store (and also Windows-supported smart cards). The current API design.
[#] Privilege separation for private key operations: During the development of the openconnect VPN server, we realized the need for separating private key operations from typical SSL operations. That resulted in ocserv having a special security module that handles the private key operations on behalf of a less privileged worker process. That could be generalized so that more applications can use it. The advantage of such a design is that a bug in the TLS/ASN.1 parsing code would not leak the server's private key, and thus would counter attacks of the Heartbleed type. In plain English, this approach avoids putting all the eggs in the same basket for a software application. While the original plan was to support privilege separation within GnuTLS, further investigation shows that this is not necessary. There are fine projects like caml-crush which provide isolation for PKCS #11 (closed) modules like softhsm, protecting against the same types of attacks we intended to. For that reason, and the fact that PKCS #11 (closed) support is integrated into GnuTLS, we would like to suggest that users of applications linked with GnuTLS consider using solutions like caml-crush to protect sensitive keys.
ChaCha cipher + Poly1305 MAC: An AEAD combination of ChaCha with the Poly1305 authenticator, for performance in software implementations. A former variant of it is already being used by Google's servers for communication between them and Chrome. That in addition would allow the use of a fast stream cipher in DTLS. Depends on a new nettle release that updates to the latest draft of ChaCha-Poly1305. Implemented with the temporary code points from the latest draft.
Add support for getrandom() and getentropy(): It turned out that opening the /dev/urandom file descriptor in the library constructor caused issues in servers that, for some reason, call close() on every available file descriptor. Using the system call interfaces would solve these issues and simplify the code in the RNG handling.
Port to nettle 3.0: Unfortunately nettle 3.0 breaks the API, and we need to convert to it in order to use its new features. That switch should be combined with the inclusion of the ChaCha-Poly1305 AEAD cipher.
[#] Drop the unbound dependency in libdane: That dependency requires either OpenSSL or NSS, and both are unacceptable. The current plan is to convert libdane to a non-validating DNSSEC library that depends on a validating resolver running on localhost, e.g., unbound or dnsmasq. Such a library does not currently exist, but there is a patch for c-ares. Postponed, since there is no other DNSSEC library we could use.