I have been asked a few times recently what my largest issues are with Firefox and it’s PKI/TLS implementations, here is the short-list:

725351 – Support enforcing nested EKU constraints, do so by default.

579606 – Multiple OCSP requests should be performed in parallel

565047 – Implement TLS 1.1 (RFC 4346)

436414 – OCSP client should be able to use HTTP GET as well as POST

360420 – Implement OCSP Stapling in libSSL

399324 – Fetch missing intermediate certs (use AIA extension for incomplete cert chains)

378098 – Do not expire OCSP responses that say “revoked”

48597 – OCSP needs offline cache (persistent on-disk)

Kathleen at Mozilla has recently set up a page to track revocation related issues here.