I have been asked a few times recently what my largest issues are with Firefox and its PKI/TLS implementations; here is the short list:
725351 – Support enforcing nested EKU constraints, do so by default.
579606 – Multiple OCSP requests should be performed in parallel
565047 – Implement TLS 1.1 (RFC 4346)
436414 – OCSP client should be able to use HTTP GET as well as POST
360420 – Implement OCSP Stapling in libSSL
399324 – Fetch missing intermediate certs (use AIA extension for incomplete cert chains)
378098 – Do not expire OCSP responses that say “revoked”
48597 – OCSP needs offline cache (persistent on-disk)
Kathleen at Mozilla has recently set up a page to track revocation-related issues here.