Mozilla to get PKI source code
ChrisRijk wrote to us about the release of PKI information to Mozilla: "The 'Sun-Netscape Alliance' has announced that it
will give mozilla.org a bunch of PKI (Public Key Infrastructure)
library source code and utilities. This was made possible due to
looser regulation of encryption source code by the US Department of
Commerce." A FAQ is available at the Mozilla web site.
That's great news for the Mozilla team!!!
Munky_v2
Jay
``The Alliance views security as a critical component to the global e-commerce market,'' said Mark Tolliver, president and general manager for the Sun-Netscape Alliance.
"After all, " he continued, "when you're striking from hidden bases against the evil Empire, you need all the security you can get."
Seriously, a great piece of news, but this Alliance stuff is starting to drive me bonkers.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Thank goodness that this alliance is moving forward with the encryption issue.
There has never been a GOOD reason to restrict this technology and there still is no GOOD reason to have any remaining restrictions.
Eve Fairbanks says I drive a hybrid!LOL
...but the mozilla team doesn't need another reason to miss a date.
``The availability of industry proven PKI source code will be a tremendous benefit to developers,'' said Mitchell Baker, Chief Lizard Wrangler at mozilla.org.
That just made my afternoon - can I get a job title like that too?
Oh, and this looks like all-round good news for mozilla, Open Source and widespread encryption, too - there, that should complete my buzzword quotient for this post :)
"I will take the Ring," he said, "though I do not know the way."
For those that don't believe me, download last night's build. Mozilla is really starting to come together. The UI is quick and responsive. A lot of the drawing bugs that plagued Mozilla in the past are gone. The skin now uses a bigger font. The memory footprint is down to about 18M. Every week I download Mozilla and it pleasantly surprises me each time.
It has been statistically shown that helmets increase the risk of head injury.
Perhaps now we'll start seeing browsers and encryption improving each other and themselves at a better rate than they used to. I'm tired of reinstalling Win98, and I'm tired of having to go to Windows Update to get a 128-bit version of IE5. My hat goes off to the Mozilla team.
---
---
Remember when "Truth, Justice, & the American Way" wasn't contradictory?
seriously folks, america is really shooting itself in the foot over this one. all the best new crypto software developers won't be choosing america, and the choice of the world won't be american.
just my $$10 worth.
these opinions have nothing to do with my employer.
Hey, if they add PKI, why not add support for PGP?
#DEFINE QUESTION (2b)||(!2b) -- William Shakespeare
It has long been recognized that a cryptographic system is only as good as the quality of the reviews and attacks it survives. Open source crypto, really open source, is an excellent next step. GPG, Gnu Privacy Guard is part of the equation, but its initial development all took place outside the US because of crypto export restrictions. It looks like the genie is truly out of the bottle. It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.
This is great, especially since this allows developers to contribute additions and other changes to the original source code, thus improving its security. The article also mentions that this is the same security used by the current version of Netscape Communicator. Does anyone know if this will be 128-bit security?
For more information, you can find Mozilla's official press release here. Also, check out the Mozilla crypto FAQ. It talks about PSM and various crypto-related questions.
Don't expect wonders. The code they're releasing might contribute to the infrastructure (possibly), but it won't contain anything for actually doing the [de|en]cryption required for SSL etc. Check the FAQ (URL given in the post).
"Even more important, the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code. Because of RSA intellectual property restrictions and the continued presence of proprietary code licensed from RSA Security, Inc., the Sun-Netscape Alliance will not be releasing the source code that actually performs the core encryption and decryption operations."
It's a definite step forward, though, I guess. Now if they could only make it faster... ')
On the other hand, does it really offer anything we don't already have? It's not like there's any shortage of SSL patches for Mozilla, out there, and I'm sure there's plenty of other security stuff, too. I wouldn't be the least-bit surprised if there's a patch for encrypting your laundry (useful in preventing your left socks being intercepted) whilst you wait.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.
I believe the voting was anonymous, so good luck on getting the name of the person who decided. And don't get so hung up on the "communist" aspect of it - think "revolutionary" instead.
________________________
Corporate Jenga: You take a blockhead from the bottom and you put him on top...
When is M13 due out?
---
This comment powered by Mozilla!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
"Have you, or any member of your family, ever been a communist?"
Encryption is touted as a way to protect privacy and human rights. Unlike a slip-up which reveals credit-card numbers to a cracker, the sort of people who want the goods on dissidents and the like won't be asking for ransoms for the data or making fraudulent purchases. The connection between the security lapse and the late-night phone calls, break-ins, beatings, and other dirty tricks will be impossible to see. It's a new ocean out there, full of shoals hidden beneath the dark water. We must not put too much trust in our handiwork until it has well and truly proven itself sound.
--
Time is Nature's way of keeping everything from happening at once... the bitch.
This is the shot, ladies and gentlemen. Come back 6 months later, and you will see the world of eCommerce, encryption and security transformed. Here's to the US government moving slightly toward rational policy.
Can't wait to get a copy of Red Hat 6.2 and see what they've tucked into it....
Thanks to the improved export regulations, US based open source products can now incorporate the same "easily" crackable crypto that export versions of commercial software do! Though I guess something is better than nothing.
Hopefully what this will do, is leave hooks in the code, so people can implement stronger crypto, if they have the tools and desire.
>Any ideas?
Yeah, here's an idea:
go find a hp support newsgroup and post your crap there.
It's almost hard to remember that far back, but Netscape 4 (Communicator) came out in June 1997. Over two and a half years later, we're still wondering when version 5 will come out. For God's sakes men, it's a frigging browser. Ridiculous.
Cheers,
ZicoKnows@hotmail.com
Here's an idea: Click on this link.
Munky_v2
Jay
Every company these days has at least one!
Cheers,
ZicoKnows@hotmail.com
If nobody is willing to do the work, the work will not be done.
So, it's great that Mozilla/NN5 will be "beefier", but isn't it a little late to be still adding things to Mozilla?
Is there any word as to what this will do to the expected release date? Right now that's more important to me than last-minute creeping featurism.
Has anyone generated the first derivative of projected release date? Such a statistic actually DOES serve a useful purpose since it tells you if the delays are in control or are running away from you. Using Einsteinian notation for derivatives (dot = dX/dt, dotdot = d2X/dt2):
Now, you can get into second derivatives :-) at which point you can see if things are still slipping away, even if dot(release date) is negative, or if things are staying on target [i.e., dotdot(release date) == 0].
(I used to think about this in regards to a telescope that was soon-to-be-finished when I started grad school, and was soon-to-be-finished when I finished grad school. It did manage to cross over to "finished" and AFAIK is producing wonderful results.)
It means that in a month or two all Sun employees will get "250 free hours* (*first month only)" along with their new @aol.com email addresses.
I think one of two things:
1. "Revolution" as in spinning around in place.
2. "Revolting" as in... umm.. revolting day-glo colors.
WYATT
YOUR NO DAISY!
YOUR NO DAISY AT ALL!!!
If I was currently a moderator, I would.
It's too damn easy to forget that power is much more valuable than money, above a certain level.
Remember that what's inside of you doesn't matter because nobody can see it.
At least not any that work all the time.
Americans can be called *anything*, since they come from every country and culture on the planet. And they don't hesitate to invent either.
Now, if only I could get Mozilla to work again. Milestone 10 worked fine on my system (win95) with a few bugs... but I downloaded M12 today, and it won't let me do anything. Mozilla.exe crashes as soon as I hit the "next" button on the profile generator, and Viewer.exe either immediately crashes or crashes as soon as I try to open a page other than the test page that automatically opens.
:)
*sigh* At least when I figure out what the problem is I'll have access to the encryption too.
On the bright side, when Netscape crashes on this computer it takes down the whole system... Mozilla at least leaves me with a stable system.
(don't bother flaming about the Win95 thing... I'm talking about a work computer, I don't have much control.)
Second, the new encryption regulations also appear to allow export of full-strength ("128-bit") encryption binaries, although with somewhat more hassle and restrictions than with open source encryption source code. (Note that binaries built from open source get no special break in the regulations vs. binaries built from proprietary code.) The relevant sections in the regulations are 740.17(a)(2) and (a)(3), and 742.15(b)(2).
You are correct; redundant is probably not appropriate. Uninformative is what I would have gone with. Same score :0).
The new regs appeared very firmly against allowing the export of binaries which allowed for greater than certain key lengths.
Reading the Mozilla FAQ, it makes it clear that there are still a number of issues - they can't post the source because foreigners can get at it that way, and they can't post the source because Americans can't have it either, because of the RSA patent issue.
I assume they haven't stripped all the debug/symbol stuff out yet. I can't imagine they would ship an 18M footprint release. The boys in Redmond would jump all over that.
Slashdot poster uses word "looser" correctly. .mpg at 11.
Weblogging Considered Harmful:
Debug symbols don't get loaded into memory when an executable runs; they stay on disk.
However, as you also said, it could be that the current builds contain a lot of extra debugging crap which is bloating the footprint...
SUCK.
Have an opinion that may be a threat to the Slashdot status-quo? THWACK!!!
Don't believe me?
The first post on the article, modded down as redundant? WTF?
Offtopic? We *are* talking about the Netscape-Sun alliance here, aren't we? Even if your sense of humor doesn't agree with it, it ain't offtopic!
Oh No! Someone said he MIGHT USE IE over netscape if they don't ship a product! DEAR GOD NO!!!!!!!!!! *thwack*
Seriously people, moderation is here for a purpose. Don't use it to squelch unpopular opinions, and don't use it for personal vendettas. If you have questions, may I refer you here.
Thanks for your time.
Now if only they would get native widgets. Otherwise mozilla will look like a highly optimized piece of shit. It won't even match the rest of the operating system. When will they ever learn.
Will Price from Network Associates (the owners of PGP) has posted to n.p.m.crypto several times offering to integrate PGP into the lizard; maybe now it will happen sooner rather than later.
You are still wrong. Fortunately this will become clear when the strong-crypto binaries and source code appear on Mozilla.org.
First, Slashdotters should realize that key management is basically a harder, and more important, problem than the cryptography itself. More "secure systems" get broken because of bad key management than because the ciphers get cracked. A PKI module that can do good key management, and can get a decent user interface so that users don't screw it up, is worth more in the long term than access to the RSA algorithm.
That said, it sure sounds like this PKI is focussed on the nasty X.509 style PKI that's basically a support infrastructure for old style centralized security systems. Verisign, DoD, and so on. I'll be glad when PGP/GPG style web of trust gets direct support.
Second, there was some gnashing of teeth here that SSL won't be in Mozilla. Justly so. But hey, there's really no problem ... just don't confuse "SSL" with "RSA Encryption and Signatures". They really aren't the same ... even though with Verisign buying out Thawte (maybe), it looks like the main signer of non-RSA certs may have been co-opted. (Sigh; I really want freedom of choice for public key algorithms, particularly now that TWINKLE makes RSA look weaker and weaker.)
With the new US regulations, folk could incorporate a version of the OpenSSL toolkit, sans RSA support. (And at about 12:01am on September 20, check the RSA support into CVS.)
The patent-free flavors of SSL use algorithms much like those used by GPG. There is a public key signature algorithm (DSS/DSA), a key exchange algorithm (Diffie-Hellman), and various flavors of DES (and Triple-DES) for bulk data encryption. OpenSSL includes support for Blowfish (way faster) and other patent-free ciphers, as well as TLS (a somewhat more secure SSL that mandates patent-free encryption options; it's the IETF standard). There's a recent IETF draft showing how to incorporate OpenPGP keys and ciphers (such as CAST128) into TLS.
Third, please don't get hung up on RSA. Everyone's security will be better when there's a choice of public key algorithms for use in authentication and encryption. OpenPGP (such as GPG), SSL, and TLS can all be used just fine without anyone having to get a wedgie about RSA (or deal with their nasty lawyers -- give me a normal lawyer any day).
In short: there's a lot of good news here, and if you want it, this is sufficient to move a good SSL into Mozilla right away. Whatever you do, don't let the licensing agreements that Sun, Netscape, and so on have with RSA force you to hold off till you can use that particular public key algorithm.
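Added example, not part of any comment in this thread: the comment above names three algorithm roles in an SSL/TLS suite (signature, key exchange, bulk cipher), and this sketch splits standard SSL 3.0 / TLS 1.0 cipher-suite names into those roles and keeps the ones that need no RSA. The helper names (`parse_suite`, `rsa_free`) and the sample list are constructed for illustration; the suite names are the standard ones from the TLS 1.0 specification.

```python
from typing import NamedTuple


class Suite(NamedTuple):
    name: str
    key_exchange: str  # how the session key is agreed: RSA, DH, DHE
    auth: str          # how the server proves identity: RSA, DSS, anon
    cipher: str        # bulk data cipher
    mac: str           # hash used for message authentication
    export: bool       # deliberately weakened export-grade suite


def parse_suite(name: str) -> Suite:
    """Split a TLS 1.0 style suite name into its algorithm roles."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS cipher-suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    export = left.endswith("_EXPORT")
    if export:
        left = left[: -len("_EXPORT")]
    # Left side is "KX" or "KX_AUTH"; a bare "RSA" does both jobs.
    kx, _, auth = left.partition("_")
    cipher, _, mac = right.rpartition("_")
    return Suite(name, kx, auth or kx, cipher, mac, export)


def rsa_free(names):
    """Suites with no RSA operation that still authenticate the server
    and are not export-grade."""
    suites = (parse_suite(n) for n in names)
    return [s for s in suites
            if "RSA" not in (s.key_exchange, s.auth)
            and s.auth != "anon" and not s.export]


# Constructed sample: what a server of that era might have offered.
SAMPLE = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for s in rsa_free(SAMPLE):
        print(s.name, "->", s.key_exchange, s.auth, s.cipher, s.mac)
```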
>If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.
The spinner thingy was chosen through a competition (twice), but not the logo. JWZ created the mozilla.org site, so he might have also created the logo, but I'm just guessing there.