Mozilla to get PKI source code

ChrisRijk wrote to us about the release of PKI information to Mozilla. The "Sun-Netscape Alliance" has that announced that it will give mozilla.org a bunch of PKI (Public Key Infrastructure) library source code and utilities. This was made possible due to looser regulation of encryption source code by the US Department of Commerce." A FAQ available at the Mozilla web site.

The Alliance?

[banky]

``The Alliance views security as a critical component to the global e- commerce market,'' said Mark Tolliver, president and general manager for the Sun-Netscape Alliance.

"After all, " he continued, "when you're striking from hidden bases against the evil Empire, you need all the security you can get."

Seriously, a great piece of news, but this Alliance stuff is starting to drive me bonkers.

The whole gov't side of this is ignorant

[GMontag]

Thank goodness that this alliance is moving forward with the encryption issue.

There has never been a GOOD reason to restrict this technology and there still is no GOOD reason to have any remaining restrictions.

So maybe I'm cynical...

[Score Whore]

...but the mozilla team doesn't need another reason to miss a date.

Hilarious designation

[pq]

Check out this guy's job title, as listed in the article:

The availability of industry proven PKI source code will be a tremendous benefit to developers,'' said Mitchell Baker, Chief Lizard Wrangler at mozilla.org.

That just made my afternoon - can I get a job title like that too?

Oh, and this looks like all-round good news for mozilla, Open Source and widespread encryption, too - there, that should complete my buzzword quotient for this post :)

mozilla kicks ass

[lubricated]

For those that don't believe me download last nights build. Mozilla is really starting to come together. The ui is quick and responsive. Alot of the drawing bugs that plauged mozilla in the past are gone. The skin now uses a bigger font. The memory footprint is down to about 18M. Every week I download mozilla and it pleasantly surprises me each time.

Finally!

[xenotrope]

Perhaps now we'll start seeing browsers and encryption improving each other and themselves at a better rate than they use to be. I'm tired of reinstalling Win98, and I'm tired of having to go to Windows Update to get a 128-bit version of IE5. My hat goes off to the Mozilla team.


---

PGP?

[blanalex]

Hey, if they add PKI, why not adding support for PGP?

Really good crypto

[Anonymous Coward]

It has long been recognized that a cryptographic system is only as good as the quality of the reviews and attacks it survives. Open source crypto, really open source, is an excellent next step. GPG, Gnu Privacy Guard [gnupg.org] is part of the equation, but its initial development all took place outside the US because of crypto export restrictions. It looks like the genie is truly out of the bottle. It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.

Additions and Modifications

[worth]

This is great, especially since this allows developers to contribute additions and other changes to the originial source code, thus improving its security. The article also mentions that this is the same security used by the current version of Netscape Communicator. Does anyone know if this will be 128-bit security?

For more information, you can find Mozilla's official press release here [prnewswire.com]. Also, check out the Mozilla crypto FAQ [mozilla.org]. It talks about PSM and various crypto-related questions.

nice, but...

[arafel]

don't expect wonders. The code they're releasing might contribute to the infrastructure (possibly), but it won't contain anything for actually doing the [de|en]cryption required for SSL etc. Check the FAQ (URL given in the post).

"Even more important, the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code. Because of RSA intellectual property restrictions and the continued presence of proprietary code licensed from RSA Security, Inc., the Sun-Netscape Alliance will not be releasing the source code that actually performs the core encryption and decryption operations."

It's a definite step forward, though, I guess. Now if they could only make it faster... ')

Good news...?

[jd]

It's great that companies are making use of the new-found freedoms that the export restrictions have given them, and kudos to ALL involved in the decision to free up the security API.

On the other hand, does it really offer anything we don't already have? It's not like there's any shortage of SSL patches for Mozilla, out there, and I'm sure there's plenty of other security stuff, too. I wouldn't be the least-bit surprised if there's a patch for encrypting your laundry (useful in preventing your left socks being intercepted) whilst you wait.

Re:Can we lose the fscking commie logo?

[Anonymous Commando]

If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.

I believe the voting was anonymous, so good luck on getting the name of the person who decided. And don't get so hung up on the "communist" aspect of it - think "revolutionary" instead.
________________________

Re:mozilla kicks ass

[phutureboy]

I second what you said, plus would like to add that everyone can help improve it by submitting good bug reports.

If you need help with submitting a bug report, every tuesday evening is Bug Day on IRC - I think it's in #mozilla. see mozilla.org for more details.

I'm really looking forward to the final release of Mozilla. It's going to change a lot of things. I'm hoping that it will help to make Linux as good a platform for surfing as it already is for serving.

--

When is M13?

[FascDot Killed My Pr]

When is M13 due out?
---
This comment powered by Mozilla!

Re:nice, but...

[Anonymous Commando]

Wait a few months - according to the FAQ you referenced, RSA's patent expires in September 2000, and then it sounds like there will be a much better chance of having a full implementation of the encryption code in Mozilla.

I won't make any comments on whether there will be a "release" quality version of Mozilla by September...
________________________

Re:Hilarious designation

[mochaone]

damn you to all hell !!!! I wanted to mention that title. oh well, you beat me fair and square.

Re:PGP?

[Jor]

I would rather want to see GnuPG here,
since it is both free as in beer and
free as in speech. (Not crippled by US export
limitations and patent issues)


--

Weak links

[Tau Zero]

This is only significant if the sites which take encrypted data actually go to the effort to protect it. Keeping people's orders, including credit-card numbers, in a file with a standard name in cleartext is going to send e-commerce security to hell in a handbasket. Worse, this is one of the easier problems to deal with, because when your security is cracked you tend to find out about it.

Encryption is touted as a way to protect privacy and human rights. Unlike a slip-up which reveals credit-card numbers to a cracker, the sort of people who want the goods on dissidents and the like won't be asking for ransoms for the data or making fraudulent purchases. The connection between the security lapse and the late-night phone calls, break-ins, beatings, and other dirty tricks will be impossible to see. It's a new ocean out there, full of shoals hidden beneath the dark water. We must not put too much trust in our handiwork until it has well and truly proven itself sound.
--

And so it begins....

[ajs]

This is the shot, lady's and gentemen. Come back 6 months later, and you will see the world of eCommerce, encryption and security transformed. Here's to the US government moving slightly toward rational policy.

Can't wait to get a copy of Red Hat 6.2 and see what they've tucked into it....

YAY!

[um... Lucas]

Thanks to the improved export regulations, US based open source products can now incorporate the same "easily" crackable crypto that for export versions of commercial software do! Though I guess something is better than nothing.

Hopefully what this will do, is leave hooks in the code, so people can implement stronger crypto, if they have the tools and desire.

Re:When is M13?

[lubricated]

in a couple days. The code freeze was supposedly yesterday.

Re:Additions and Modifications

[roca]

It will be strong crypto.

Re:So maybe I'm cynical...

[Frank Hecker]

To clarify this: First, the code being released is being created by a separate group of developers from the main Mozilla developers at AOL/Netscape; it's from the security engineering team that creates the security/crypto infrastructure for the Sun/Netscape Alliance server products as well as for Netscape Communicator. Second, the security stuff is not tightly embedded in present Mozilla like it was in Mozilla Classic and Netscape Communicator 4.x; it's more like an add-on architecture through a defined set of general-purpose APIs in main Mozilla.

So it's not like the security/crypto work is taking lots of developers away from other Mozilla work.

Re:Hilarious designation

[BitPoet]

So, just create one for yourself.

My official title is "BitPoet"

Of course, our CEO is the "BitMeister"
the head of sales is the "Minister of Commerce"
the head of marketing is "Marketing Guy"

The list goes on.

Anyone else?

Re:nice, but...

[roca]

RSA isn't that much code. It should be almost no effort to produce an "international" patch with the required functions.

Also, note that Netscape will be releasing a precompiled binary containing a licensed implementation of the RSA code. So non-US developers will be able to build their own binaries, and US users can download and use Netscape's.

Re:The Alliance?

[Anonymous Coward]

I am starting to think in my head:

alliance=cartel
alliance=syndicate

Of course, everybody knows it's really just Anything-but-Microsoft.

Luckily Saddam Hussein doesn't have any way to issue blows against Microsoft, or we'd be shipping him tanks already.

Re:YAY!

[roca]

You are wrong. This is full-strength crypto. It is not easily crackable; it's as good as it gets.

Re:HELP

[Munky_v2]

Here's an idea Click on this link [debian.org].


Munky_v2

What about a BitCh?

[Zico]

Every company these days has at least one!

Cheers,
ZicoKnows@hotmail.com

Re:Good news...?

[roca]

I haven't heard of any SSL patches for Mozilla to date. Do you have any references? I don't think so. The Cryptozilla hack done by Eric Young and others early in '98 was more a proof of concept than anything else, and their code is completely useless in the rewritten codebase.

It's true that someone could have, and could still, produce an SSL plugin for Mozilla based on OpenSSL or something like that. They haven't though. But the big breakthrough is that we can now talk about the issues, standardize the APIs, and leverage a lot of the code Netscape has already written. Also Netscape will be releasing binaries which will give US users access to an RSA-licensed implementation.

Re:Really good crypto

[Kaa]

It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.

Well, first of all it depends on the tendencies of your government and the size of your bank account -- some people worry more about one, and some people worry more about the other.

Second, the security of your bank account is 99% dependent on security policies of your bank that you can do zilch about (other than taking your account to another bank, that is). Remember, these are the same people who think that a social security number and a mother's maiden name authenticates a person.

Third, you usually have recourse against banks (if they lose your money, they have to make it up to you), but not against governments (if you spend a year in prison as a suspect in a criminal investigation and then let go because it wasn't you, the best you can hope for is an apology).

Fourth, you have your priorities bass-ackwards. If your bank account gets raided, all you lose is money. If a government takes a dislike to you, your problems are likely to be rather more significant.

And as to "It isn't worth much to them.", remember that governments are interested not in money, but in power. Don't think of how much money can somebody who knows your data can make. Think about how much power will he have over you.

Kaa

Just submit the patches...

[Per Abrahamsen]

The answer is in the FAQ [mozilla.org]. PGP support will be added as soon as someone submits the patches. PKI was added because someone ("Alliance") submitted the code.

If nobody are willing to do the work, the work will not be done.

Release Date migration?

[waldeaux]

So, it's great that there Mozilla/NN5 will be "beefier", but isn't it a little late to be still adding things to Mozilla?

Is there any word as to what this will do to the expected release date? Right now that's more important to me than last-minute creeping featurism.

Has anyone generated the first derivative of projected release date? Such a statistic actually DOES serve a useful purpose since it tells you if the delays are in control or are running away from you. Using Einsteinian notation for derivatives (dot = dX/dt, dotdot = d2X/dt2):

1. If dot(release date) is above 0 then the project is moving away, and unless measures are taken, you'll never see it completed.
2. If dot(release date) = 0, then it's barely contained, insofar as that the true release date is at infinity (basically it means that for every day that passes, one day is added to the release date). Whether or not "infinity" is acceptable is a different story.
3. dot(release date) less than 0 means that you will eventually see the project completed.

Now, you can get into second derivatives :-) at which point you can see if things are still slipping away, even if dot(release date) is negative, or if things are staying on target [i.e., dotdot(release date) == 0].

(I used to think about this in regards to a telescope that was soon-to-be-finished when I started grad school, and was soon-to-be-finished when I finished grad school. It did manage to cross over to "finished" and AFAIK is producing wonderful results.)

Re:nice, but...

[simeon_pimpmaster]

But you cut off the quote too soon!

" The Mozilla binaries combined with the iPlanet Personal Security Manager binaries will implement SSL support; S/MIME support will be available sometime in the future when S/MIME integration with Mozilla is completed." - mozillaZine.org [mozillazine.org]

So, the hooks will be there, and there will be a binary implementation given away. So, when does that RSA patent expire again?

Re:Hilarious designation

[Wesley Felter]

That reminds me of jwz; I think his title used to be "mozilla.org loose cannon".

And Mitchell Baker's not a guy IIRC, but you'd be forgiven for not knowing that.

Re:Release Date migration?

[Royster]

Is there any word as to what this will do to the expected release date?

Not a thing. This is an incomplete plug-in for an already established API sontributed by persons outside the core Mozilla development team. A link to the plan for the next few months was posted on /. in just the past week.

Two more milestones are planned: M13 is in feature freeze and should be out within a week after all the regressions are fixed. M14 feature freeze is 2/15, that should be alpha for Seamonkey. A Netscape branded beta should follow that (i.e. with all of the other pieces like SSL included). The last step is a final Mozilla followed by a final Netscape.

Re:Really good crypto

[0xdeadbeef]

If you need encryption to hide secrets from your government, you're already screwed. They'll simply steal the keys off your machines, or coerce the information out of you.

Re:YAY!

[um... Lucas]

Where did you learn this? According to the press release, this was enabled by the eased export regulations, which still clearly limit the strength cryptographic software for export (they upped symetric encryption to 64 bits, and assyemetric to 1024 bits and eliptic curves to 112 bits).

Further, according to the FAQ, you will not be able to download the actually code, because of RSA's patent. Therefore, only boxed copies purchased from Sun or whoever will include this functionality. And it seems that the actual mechanism that does the crypto will still remain quite closed (but it will be revisited on 9/20/2000 when RSA's patent expires.

So no, i don't think I'm at all wrong.

Re:Hilarious designation

[pq]

Mitchell Baker's not a guy IIRC, but you'd be forgiven for not knowing that.

Oops! I guess the "t" in the Mitchell threw me off there... Some day, I'll understand American naming conventions - but that's not anytime soon.

Really good points -- moderate up

[jabbo]

If I was currently a moderator, I would.

It's too damn easy to forget that power is much more valuable than money, above a certain level.

Re:mozilla kicks ass

[mmakunas]

I still have not been able to get it to run on NT since last spring. It crashes upon start. I even followed the recomendation in the Release notes for this problem but without any luck.

Re:This is great!!!

[Munky_v2]

I am writing this reply to whoever moderated my first comment. How can it be redundant if it is the first post???


Munky_v2

Re:Hilarious designation

[Bork]

Canadian Shaver - international incident

Got that from just reading a artice on him here: Cnet [cnet.com]

There *are* no american naming conventions

[Gorimek]

At least not any that work all the time.

Americans can be called *anything*, since they come from every country and culture on the planet. And they don't hesitate to invent either.

Re:Hilarious designation

[Bork]

yesyesyes - its Mike Shaver Mike Shaver!

Hey - Copy and plaster works well, Brain does not

Re:mozilla kicks ass

[asa]

If you have problems with Mozilla or you'd like to report a bug but don't know how drop in to BugDay! on #mozillazine irc.mozilla.org every Tuesday afternoon into evening. There are lots of people there to help. If you don't know where to start ask me.

BugDay is a weekly collaborative bug hunting and reporting event hosted by mozillaZine (check out http://www.mozillazine.org if you haven't yet) on IRC. If you'd like to see Mozilla get better faster, then be a part of it.

Asa

(posted with today's build of mozilla)

Re:Really good crypto

[jd]

I'd make the following counter-arguments:

• Money is power. Control the money and you control the power. This is as true today as it has ever been. This is why the British are so bothered by the cracker who has tried holding almost the entire country to ransom. The odds are very good that the cracker can cripple Britain long before anyone actually finds them.
• Information, alone, is actually pretty valueless. What anyone can do with it depends a lot on it's useful lifespan, it's completeness, it's accuracy, what it is, how easy it is to cross-reference, and how many organisations need to co-operate to get anything useful out. Now, all of those variables are much more under -your- control than any mysterious agency. You can be as hard to exploit as -you- choose.
• How much power anyone has over you is your choice. Nobody can -make- you do anything. What -you- do is always your choice. Yes, it's often a question of setting priorities, and choosing which option you like best (or dislike least), but it IS, ultimately, a choice you make. If you decide to always do your own thing, and never mind the consequences, then nobody in the world will ever have any power over you at all. How can they? You would have chosen to make any action they take a lesser priority than your will. I don't advocate that, I'm merely using that as an illustration that power is an illusion created by the person you believe yourself to have power over.

Key lengthes permitted by new export regulations

[Frank Hecker]

First, the new export regulations do not limit the encryption strength of open source encryption source code exported from the U.S. under the new section 740.13(e) of the regulations. As a U.S. developer you can host such source code on your web site, etc., no matter what key length it implements.

Second, the new encryption regulations also appear to allow export of full-strength ("128-bit") encryption binaries, although with somewhat more hassle and restrictions than with open source encryption source code. (Note that binaries built from open source get no special break in the regulations vs. binaries built from proprietary code.) The relevant sections in the regulations are 740.17(a)(2) and (a)(3), and 742.15(b)(2).

Re:What about a BitCh?

[jovlinger]

grin!

Re:Key lengthes permitted by new export regulation

[um... Lucas]

The new regs appeared very firmly against allowing the export of binaries which allowed for greater than certain key lengths.

Reading the Mozilla FAQ, it makes it clear that there are still a number of issues - they can't post the source due because foreigners can get at it that way, and they can't post the source because Americans can't have it either, because of the RSA patent issue.

Re:Just submit the patches...

[justo]

but the question i think is who is heading up the work in this area? i'm sure a bunch of people would be interested in it, but there's not yet any organization to it...

Re:Mem size

[DerFeuervogel]

I assume they haven't stripped all the debug/symbol stuff out yet. I can't imagine they would ship an 18M footprint release. The boys in Redmond would jump all over that.

Re:mozilla kicks ass

[Yarn]

Its significantly improved since the last milestone. I was running 1999082316 (M12 debian package) and I thought you were exaggerating. The latest build (2000011811) is a lot quicker. Redraws about 5x speed, subjectively (dragging another window over it test). I'm not so keen on the large text, but that's just a matter of finding a CSS.

Re:Really good crypto

[Kaa]

Money is power. Control the money and you control the power.

Yes and no. Money could and often does convert to power, but there are plenty of exceptions and special cases. Three points, cameos if you wish, to illustrate:

(a) In the former Soviet Union, and, I assume, most of the so-called "communist" countries money did not lead to power. One got power basically by climbing in the party/government bureaucracy and not by accumulating cash (not to mention bank accounts). Generally, the less free (politically) the country is, the less important is money.

(b) Tobacco companies were (are) very rich. And what did it buy them besides a bunch of lawsuits and a gaggle of very expensive lawyers?

(c) "Power grows out of the barrel of a gun". There are more direct and more efficient ways to power than by money. If you don't live in the West (USA/Japan/Western Europe) you should be very much aware of this.

Information, alone, is actually pretty valueless.

What do you mean, alone? If somebody knows that I bought a can of soda today at the cafeteria, that is not very useful. If somebody has a database of all my purchases (think credit cards), it's very easy to build my profile and describe my lifestyle pretty accurately. Knowing that I, being married, bought a pack of condoms during a business trip can be quite effective for leaning on me for whatever reason. And no, I don't subscribe to the theory that all your actions should be what you would do if all the world were watching.

You can be as hard to exploit as -you- choose.

Yes, but there is a price. I can avoid credit cards, but I would have a lot of problems renting cars. I can avoid getting a passport, but then how do I travel abroad? I can post to Slashdot only through anonymizing proxies, but they are slow and can be a hassle.

It is possible to maintain levels of privacy and anonymity that would make it very difficult to collect info about you (short of putting a watch team on your tail), but they tend to be expensive in terms of time and effort. The great majority of people do not and will not pay the price.

How much power anyone has over you is your choice. Nobody can -make- you do anything. What -you- do is always your choice

That's a banal triviality. Yes, my muscles are under my control, so technically I only do what I want to. That is neither useful, nor interesting observation.

If you decide to always do your own thing, and never mind the consequences, then nobody in the world will ever have any power over you at all.

That statement does not have much connection to reality, does it? If somebody shoots and kills me, that is power over me. If the government decided to put me in prison, that is power over me. If a robber holds a gun to the head of my child, I will give him my PIN number -- that is also power over me.

power is an illusion created by the person you believe yourself to have power over.

Utter bullshit. First of all, there is pure physical reality power, for example, power to kill. If I shoot a gun at you and kill you, will your ghost still think it was all an illusion? If I have you locked in a cage and can feed you or let you starve, is it still an illusion?

Even setting aside all the manifestations of raw power and focusing just on persuasion, power is basically the ability to create proper stimuli (carrot or stick or both) to make you behave in the way I want. If you insist on do your own thing, and never mind the consequences, then all it means is that the stimuli were picked incorrectly (notice the side point of the value of information here?) or insufficient power was applied.

Try to think outside of the upper-middle or middle-class suburbia in the US. Imagine yourself living in, say, Uganda, and think about what power is.

Kaa

Amazing!

[Industrial Disease]

Slashdot poster uses word "looser" correctly. .mpg at 11.

Re:Mem size

[logicTrAp]

Debug symbols don't get loaded into memory when an executable runs; they stay on disk.
However, as you also said, it could be that the current builds contain a lot of extra debugging crap which is bloating the footprint...

Re:mozilla kicks ass

[z4ce]

You proformance increase was probaly also do to using Mozilla.org's build instead of Debian's I find Debian's mozilla builds are very unstable. Which is very strange for Debian, but I guess the Netscape boys @ mozilla.org have more expeirence compiling that code. I would recommend staying away from the Debian Mozilla packages and keeping with the mozilla build, even on milestones.

Re:mozilla kicks ass

[lubricated]

It is an acomplishment if you consider what the memory footprint used to be. Mozilla doesn't leak as much memory as it used to. IMHO Memory usage was/is the biggest problem with mozilla. UI is the second. Everything else is done or nearly done. Except maybe some of the mail/news stuff.

NAI is on it

[Wesley Felter]

Will Price from Network Associates (the owners of PGP) has posted to n.p.m.crypto several times offering to integrate PGP into the lizard; maybe now it will happen sooner rather than later.

Re:mozilla kicks ass

[Kye]

I've generally found the Mozilla people fairly good with handling startup bugs. I was suffering two of them. Jsut jump over to bugzilla and report it. (after checking for duplicate bugs first :)

Re:Really good crypto

[Wah]

>>How much power anyone has over you is your
>>choice. Nobody can -make- you do anything.
>>What -you- do is always your choice

>That's a banal triviality. Yes, my muscles are
>under my control, so technically I only do what
>I want to. That is neither useful, nor
>interesting observation.

Not at all, it is an important (if basic) point.

>If somebody shoots and kills me, that is power over me.

Not power over you, power applied to you. If they did it because you wouldn't give them what they wanted, who retains the power?

Funny how you would mention this the day after MLK day, he sure lost a lot of power after he died, same for Jesus.

"You can kill a man, but you can't kill what he stands for." -CSM

We're all gonna die anyway, if I get to choose when and for what, that's power.

I'm not saying that physical power is immaterial, far from it, but Power (with a capital P) is far more complex than being stronger or having a bigger gun.

(hey, at least my .sig is on-topic...for this post ;)

Re:mozilla kicks ass

[roca]

Mozilla is still full of memory leaks. They're being plugged but it takes time.

Re:Really good crypto

[ffatTony]

if you need encryption to hide secrets from your government, you're already screwed. They'll simply steal the keys off your machines, or coerce the information out of you.

Are you sure? I'm guessing that the government would have a hardtime w/ my machine, but you never know... and as for coercing it out of me ... I could take anything Old Bill and his cronies could dish out.

Re:Key lengthes permitted by new export regulation

[roca]

You are still wrong. Fortunately this will become clear when the strong-crypto binaries and source code appear on Mozilla.org.

Re:So maybe I'm cynical...

[dveditz]

..but the mozilla team doesn't need another reason to miss a date.

What, you thought AOL would pay for a browser that couldn't shop the web? SSL has been in the Netscape plan all along.

In a group ceremony last August Mozilla was used for its first web purchase, the boxed set of Knuth's The Art of Computer Programming from Amazon.com

Re:The Alliance?

[uh]

It could be worse, they could start calling themselves 'allies' :].

Re:nice, but...

[jsw]

The actual crypto algorithm code in Netscape's library is only a small percentage of the total code. It is something less than 10 percent. It will be trivial to immediately drop in implementations of DES, MD5, SHA, RC2, RC4 and diffie-hellman that are not based upon RSA's implementation. It is unclear from the updated FAQ if Mozilla will accept unencumbered algorithm implementations, so we will just have to wait and see. By the end of the year we can do the same with RSA.

The code as released may also work out of the box with a PKCS #11 module that implements all of the required algorithms. This is another "wait and see".

The real value of this release is to get all of the other stuff like protocols, certificate management, and the integration with the netscape browser.

I am particularly glad to see this release, since I wrote much of the code...

--Jeff (formerly Electronic Munitions Specialist for Netscape)

3 Things

[Big Jojo]

First, Slashdotters should realize that key management is basically a harder, and more important, problem than the cryptography itself. More "secure systems" get broken because of bad key management than because the ciphers get cracked. A PKI module that can do good key management, and can get a decent user interface so that users don't screw it up, is worth more in the long term than access to the RSA algorithm.

That said, it sure sounds like this PKI is focussed on the nasty X.509 style PKI that's basically a support infrastructure for old style centralized security systems. Verisign, DoD, and so on. I'll be glad when PGP/GPG style web of trust gets direct support.

Second, there was some gnashing of teeth here that SSL won't be in Mozilla. Justly so. But hey, there's really no problem ... just don't confuse "SSL" with "RSA Encryption and Signatures". They really aren't the same ... even though with Verisign buying out Thawte (maybe), it looks like the main signer of non-RSA certs may have been co-opted. (Sigh; I really want freedom of choice for public key algorithms, particularly now that TWINKLE makes RSA look weaker and weaker.)

With the new US regulations, folk could incorporate a version of the OpenSSL [openssl.org] toolkit, sans RSA support. (And at about 12:01am on September 20, check the RSA support into CVS.)

The patent-free flavors of SSL use algorithms much like those used by GPG [gnupg.org]. There is a public key signature algorithm (DSS/DSA), a key exchange algorithm (Diffie-Hellman), and various flavors of DES (and Triple-DES) for bulk data encryption. OpenSSL includes support for Blowfish (way faster) and other patent-free ciphers, as well as TLS (a somewhat more secure SSL that mandates patent-free encryption options; it's the IETF standard). There's a recent IETF draft showing how to incorporate OpenPGP keys and ciphers (such as CAST128) into TLS.

Third, please don't get hung up on RSA. Everyone's security will be better when there's a choice of public key algorithms for use in authentication and encryption. OpenPGP (such as GPG), SSL, and TLS can all be used just fine without anyone having to get a wedgie about RSA (or deal with their nasty lawyers -- give me a normal lawyer any day).

In short: there's a lot of good news here, and if you want it, this is sufficient to move a good SSL into Mozilla right away. Whatever you do, don't let the licensing agreements that Sun, Netscape, and so on have with RSA force you to hold off till you can use that particular public key algorithm.

Re:This is great!!!

[Munky_v2]

Oh, I would agree, there was nothing of meaning in the post. My point was that it can't be redundant if it's the first post, that's all. But now I am going to say something "informative". I really do think that this is a great thing for the Mozilla team. Here's why:

It is always a good thing when we as open source developers can get our hands on cool technology (without having to go to court over it [opendvd.org]. This may be what we need to move SSL and over all Internet security beyond where it is now. I also have no doubt that the OSS community will improve upon the security model, and may build it into Apache, thus making the most secure web server ever.


Munky_v2

Re:Can we lose the fscking commie logo?

[Chris Siegler]

If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.

The spinner thingy was choosen through a competition (twice), but not the logo. JWZ created the mozilla.org site, so he might have also created the logo, but I'm just guessing there.

Re:Really good crypto

[takemiya]

If you need encryption to hide secrets from your government, you're already screwed. They'll simply steal the keys off your machines, or coerce the information out of you.

True, but that doesn't mean encrypting your secrets is pointless. Rather, it recommends everyone encrypt everything:

• They can't pull black bag jobs on all of us, and
• If everything is encrypted, They'll have a hard time figuring out what's worth going after.

Re:Really good crypto

[takemiya]

Money is power.

"Gold will not always get you good soldiers, but good soldiers will always get you gold." - Machiavelli

Re:nice, but...

[takemiya]

The patent on the RSA algorithm dies in September, yes (and there'll be a hell of a party), and it's dead simple to implement independently, but I'd bet Netscape contains plenty of copyrighted or otherwise-patented code that'd be rather more time-consuming to duplicate in the clean room.

I won't make any comments on whether there will be a "release" quality version of Mozilla by September...

Yes, for suitable values of "release"...

Re:This is great!!!

[ssimpson]

It would appear to be great - but only as long as you live outside of the US. We need to remember that the core algorithm (see note below!) in both SSL and S/MIME is RSA. RSA is still patented (but only in the US...) so Mozilla will have to be careful to ensure that RSA is appropriately licensed (not an easy task - note the PGP hassle). Roll on 20/9/00 when the RSA patent finally expires, eh? Of course, RSALabs have then indicated that RSA is a tradename and as such will have to be licensed :( (Note:) ElGamal / DH has now become the "MUST" algorithm in these two RFCs, but RSA remains a "SHOULD". AFAIK, all current implementations (and CAs etc) still only support RSA - so ElGamal / DH are f'cking useless anyway....

Re:nice, but...

[arafel]

Thanks for the update (and all the others). It looks like I skim-read the FAQ maybe a little too quickly - my bad. Sorry!

Re:Really good crypto

[Kaa]

>If somebody shoots and kills me, that is power over me.

Not power over you, power applied to you.

Yes, power over you. If you were going to find a cure for cancer, get married and raise kids, finally debug that piece of code -- now you cannot, you are dead. That IS power over you.

If they did it because you wouldn't give them what they wanted, who retains the power?

Imagine yourself in a refugee camp in Mozambique. A soldier walks by, he notices your blanket and takes a fancy to it. You refuse to give it up, so the soldier shoots you and takes the blanket. Who retains the power?

Funny how you would mention this the day after MLK day, he sure lost a lot of power after he died, same for Jesus.

Well, first of all Jesus is a special case, isn't he? I don't think Christianity considers him dead. Second, you are confusing a person and his ideas. MLK as a person had no power after he died. His ideas, on the other hand, grew by his death.

We're all gonna die anyway, if I get to choose when and for what, that's power.

It depends on the choices that you have. If you break your leg on a hunting trip into the Canadian Northern Territories and have no way of communicating, your choices are: (1) Freeze/starve to death; (2) Shoot yourself. Where is power here?

Kaa

Re:Native widgets

[FrodoB]

That issue is and has been dead for months.

There will be no native widgets, because they A) can't be styled by CSS, and B) require far more platform-specific code than cross-platform widgets. Anyone's free to make a platform-native wrapper to Mozilla, but Mozilla's widgets will be cross-platform.

With that certainty out of the way, here's the good news. David Hyatt and others (Mike Pinkerton comes to mind, regarding the Mac side of the issue) have undertaken the goal of getting the XP widgets to look closer to the native widgets than they do right now. Hyatt is making what's known as XBL (the eXtensible Bindings Language) for just such a purpose. The first checkin of an implementation of XBL was allowing the styling of the scrollbars (this happened about a week ago). Pete Collins, a non-Netscape independent developer, has produced scrollbars that look pretty close to the default GTK setup (yes, yes, I know GTK+ is themable; it's not hard at all to make the scrollbars change appearance now). I'm sure someone will do Mac and Windows scrollbars, or whatever other platform desires a native-looking scrollbar. Do I really know how much this'll help the XP look appear native? Nah. But from Pete's initial code for the GTK scrollbar, it looks REAL promising.

Re:Really good crypto

[Wah]

A soldier walks by, he notices your blanket and takes a fancy to it. You refuse to give it up, so the soldier shoots you and takes the blanket. Who retains the power?

My friends, after they stone the soldier.

oh, you say, then they get shot. Well then their friends get the blanket, they get shot. repeat until everyone is dead or happy.

That example proves nothing.

Well, first of all Jesus is a special case, isn't he? I don't think Christianity considers him dead.

A lot of people don't think Elvis is dead either, but that don't mean he ain't. A special case perhaps (if you believe in his divine nature vs. a pretty solid philosopher) but still makes my point.

Second, you are confusing a person and his ideas.

I'm curious about how you seperate the two. Sure there is a difference (my ideas don't drive a car) but as this case illustrates, here a man _died_ for his ideas (standing up for them, as the case may be).

To draw a parallel, if the "towel" you mentioned earlier was Dr. King's dream. Can anybody take that away from him? It would seem to me, that the people (person) who tried, couldn't. It's still his, and is cele^H^H^H^Hrecognized throughout the country. It's _his_ towel.

If you break your leg on a hunting trip into the Canadian Northern Territories and have no way of communicating, your choices are: (1) Freeze/starve to death; (2) Shoot yourself. Where is power here?

Power and stupidity/fate mix as well as anything else, i.e. not that much. By saying that I would have the choice when to die, I was referring to a situation like the towel. If I thought the towel was worth dying for, I would, that's my choice, my Power (that'd be dumb as hell, but to each his own)