These are our TODO lists for other vendors to fix their products:
Apple
- implement TLS-SNI
Microsoft
- SHA2 implementation (see HashInterop)
- Don't encode the Subject in UCS-2 as soon as a * is included in PKCS#10 certificate requests from IIS.
- Implement TLS-SNI
- Fix the security issues from http://www.cs.dartmouth.edu/~sws/pubs/msz05.pdf
- Solve the CodeSigning security hole for certificates without an ExtendedKeyUsage field (don't accept certificates for code signing that do not include the code signing bit)
- Provide a proper error message when IE tries to download a certificate for which it has no private key.
- Provide a proper error message when IE tries to download a certificate for which the root certificate isn't loaded.
OpenSSL
- Add -inform and -outform options to the ca command
- The ca command delivers DER encoding for SPKAC requests and PEM encoding for PKCS#10 requests
- Improve the standard config files so that they no longer use MD5 by default
- Improve the standard config files to use keys of reasonable length
- Perhaps incorporate OpenCA's OCSPD into OpenSSL standard distribution
- Write a manual
Apache
- Document Vhost capabilities
- Implement TLS-SNI properly (bug 34607)
- OCSP Stapling (bug 43822)
- Provide a tool to easily secure the webspaces
- Improve the configuration files to opportunistically secure the webpages with SSL
- Find a solution to the redundancy problem of SSL and non-SSL webspaces in the Apache configuration
IETF
- Clarify the VhostTaskForce problems
- Solve the CodeSigning security hole in RFC 3280 for certificates without an ExtendedKeyUsage field (don't accept certificates for code signing that do not include the code signing bit)
Sun
- Solve the CodeSigning security hole for certificates without an ExtendedKeyUsage field (don't accept certificates for code signing that do not include the code signing bit)
- Fix the JavaCard platform issues
Mozilla
- Show the user a message box saying that the certificate was loaded successfully when a certificate is loaded. At the moment, nothing happens.
- Display generated private keys that don't have a certificate associated with them yet (like Opera does)
- Implement TLS-SNI (done as far as I heard)
- Fix the bug of showing code signatures made with personal code-signing certificates (that don't have an O= field) as unsigned
Debian
- Package BoxBackup: http://debian.myreseau.org/dists/etch/main/binary-i386/ (it's in backports now)
LUKS / DM-CRYPT
- Implement emergency wiping
- Trigger emergency wiping on cooling or heating detection from mainboard temperature sensors
- Trigger emergency wiping on case opening sensors
- Trigger emergency wiping on /proc interface inputs from userspace
Subversion
- Implement a mechanism to automatically set the MIME types of newly added files (.pdf -> application/pdf, ...) on the server (not on the clients; there are too many clients to get them under control)