If you want to contribute (implement something from the current list, or anything), contact the developer's mailing list (gnutls-dev@lists.gnupg.org), in order to avoid having people working on the same thing. Current list: * gnutls-cli: Allow separation of the connecting IP and the hostname to advertize or check. That is, allow specifying an IP to connect to and a hostname to check. * Allow setting a fixed key on the anonymous key exchange methods (to allow it being used with the tofu API). * Deprecate GNUTLS_E_CERTIFICATE_LIST_UNSORTED, and automatically sort input chains in gnutls_certificate_set_x509_key_*. * Allow the manipulation of certificates, i.e., allow to remove fields. * Add an authenticated-encryption API. * Think about supporting the groups in RFC3526 and RFC5114. If other implementations use them too we may be able to achieve some speedups in DH (by knowing q). * Handle the following X.509 extensions: 2.5.29.36: Policy Constraints 2.5.29.33: Policy Mappings 2.5.29.54: Inhibit Any-policy 2.5.29.46: Freshest CRL * Add support for RSA-PSS. This signature algorithm is seen in some passport CAs. Should be added in nettle and then in gnutls. - Add certificate image support (see RFC3709, RFC6170) - RFC 3280 compliant certificate path validation. - Reject extensions in v1 certificates. - Perform signature calculation in PKCS #11 using not plain RSA but rather the combination of RSA-SHA256, RSA-SHA1 etc. That will allow the usage of tokens that do not allow plain RSA. - Support PKCS#8 DES-MD5 (tests/enc3pkcs8.pem) encrypted keys. (openssl seems to use DES-MD5 to encrypt keys by default) - Add support for generating empty CRLs - Document the format for the supported DN attributes. - Audit the code - Support replacing individual algorithms via a PKCS #11 module - maybe use p11-kit for that. - Add function to extract the signers of an openpgp key. Should be similar to gnutls_x509_crt_get_dn_oid(). - Add function to verify an openpgp key against a plain key. - Clean up name space of helper functions in library (memmem, firstElement, bit_mask, ...) for platforms that libtool's -export-symbols-regex doesn't work. - Add Kerberos ciphersuites - Update the current test suite, using the newest NIST's PKI Test vectors, see http://csrc.nist.gov/pki/testing/x509paths.html - Make gnutls-cli-debug exit with better error messages if the handshake fails, rather than saying that the server doesn't support TLS. (+) Means high priority (*) Means medium priority (-) Means low priority (ie. nobody is interested to develop that)