Slashdot Mirror
Mozilla to get PKI source code
ChrisRijk wrote to us about the release of PKI information to Mozilla. The "Sun-Netscape Alliance" has that announced that it
will give mozilla.org a bunch of PKI (Public Key Infrastructure)
library source code and utilities. This was made possible due to
looser regulation of encryption source code by the US Department of
Commerce." A FAQ available at the Mozilla web site.
``The Alliance views security as a critical component to the global e- commerce market,'' said Mark Tolliver, president and general manager for the Sun-Netscape Alliance.
"After all, " he continued, "when you're striking from hidden bases against the evil Empire, you need all the security you can get."
Seriously, a great piece of news, but this Alliance stuff is starting to drive me bonkers.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Thank goodness that this alliance is moving forward with the encryption issue.
There has never been a GOOD reason to restrict this technology and there still is no GOOD reason to have any remaining restrictions.
Eve Fairbanks says I drive a hybrid!LOL
...but the mozilla team doesn't need another reason to miss a date.
The availability of industry proven PKI source code will be a tremendous benefit to developers,'' said Mitchell Baker, Chief Lizard Wrangler at mozilla.org.
That just made my afternoon - can I get a job title like that too?
Oh, and this looks like all-round good news for mozilla, Open Source and widespread encryption, too - there, that should complete my buzzword quotient for this post :)
"I will take the Ring," he said, "though I do not know the way."
For those that don't believe me download last nights build. Mozilla is really starting to come together. The ui is quick and responsive. Alot of the drawing bugs that plauged mozilla in the past are gone. The skin now uses a bigger font. The memory footprint is down to about 18M. Every week I download mozilla and it pleasantly surprises me each time.
It has been statistically shown that helmets increase the risk of head injury.
Perhaps now we'll start seeing browsers and encryption improving each other and themselves at a better rate than they use to be. I'm tired of reinstalling Win98, and I'm tired of having to go to Windows Update to get a 128-bit version of IE5. My hat goes off to the Mozilla team.
---
---
Remember when "Truth, Justice, & the American Way" wasn't contradictory?
Hey, if they add PKI, why not adding support for PGP?
#DEFINE QUESTION (2b)||(!2b) -- William Shakespeare
It has long been recognized that a cryptographic system is only as good as the quality of the reviews and attacks it survives. Open source crypto, really open source, is an excellent next step. GPG, Gnu Privacy Guard is part of the equation, but its initial development all took place outside the US because of crypto export restrictions. It looks like the genie is truly out of the bottle. It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.
This is great, especially since this allows developers to contribute additions and other changes to the originial source code, thus improving its security. The article also mentions that this is the same security used by the current version of Netscape Communicator. Does anyone know if this will be 128-bit security?
For more information, you can find Mozilla's official press release here. Also, check out the Mozilla crypto FAQ. It talks about PSM and various crypto-related questions.
don't expect wonders. The code they're releasing might contribute to the infrastructure (possibly), but it won't contain anything for actually doing the [de|en]cryption required for SSL etc. Check the FAQ (URL given in the post).
"Even more important, the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code. Because of RSA intellectual property restrictions and the continued presence of proprietary code licensed from RSA Security, Inc., the Sun-Netscape Alliance will not be releasing the source code that actually performs the core encryption and decryption operations."
It's a definite step forward, though, I guess. Now if they could only make it faster... ')
On the other hand, does it really offer anything we don't already have? It's not like there's any shortage of SSL patches for Mozilla, out there, and I'm sure there's plenty of other security stuff, too. I wouldn't be the least-bit surprised if there's a patch for encrypting your laundry (useful in preventing your left socks being intercepted) whilst you wait.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.
I believe the voting was anonymous, so good luck on getting the name of the person who decided. And don't get so hung up on the "communist" aspect of it - think "revolutionary" instead.
________________________
Corporate Jenga: You take a blockhead from the bottom and you put him on top...
When is M13 due out?
---
This comment powered by Mozilla!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Encryption is touted as a way to protect privacy and human rights. Unlike a slip-up which reveals credit-card numbers to a cracker, the sort of people who want the goods on dissidents and the like won't be asking for ransoms for the data or making fraudulent purchases. The connection between the security lapse and the late-night phone calls, break-ins, beatings, and other dirty tricks will be impossible to see. It's a new ocean out there, full of shoals hidden beneath the dark water. We must not put too much trust in our handiwork until it has well and truly proven itself sound.
--
Time is Nature's way of keeping everything from happening at once... the bitch.
This is the shot, lady's and gentemen. Come back 6 months later, and you will see the world of eCommerce, encryption and security transformed. Here's to the US government moving slightly toward rational policy.
Can't wait to get a copy of Red Hat 6.2 and see what they've tucked into it....
Thanks to the improved export regulations, US based open source products can now incorporate the same "easily" crackable crypto that for export versions of commercial software do! Though I guess something is better than nothing.
Hopefully what this will do, is leave hooks in the code, so people can implement stronger crypto, if they have the tools and desire.
Here's an idea Click on this link.
Munky_v2
Jay
Every company these days has at least one!
Cheers,
ZicoKnows@hotmail.com
If nobody are willing to do the work, the work will not be done.
So, it's great that there Mozilla/NN5 will be "beefier", but isn't it a little late to be still adding things to Mozilla?
Is there any word as to what this will do to the expected release date? Right now that's more important to me than last-minute creeping featurism.
Has anyone generated the first derivative of projected release date? Such a statistic actually DOES serve a useful purpose since it tells you if the delays are in control or are running away from you. Using Einsteinian notation for derivatives (dot = dX/dt, dotdot = d2X/dt2):
Now, you can get into second derivatives :-) at which point you can see if things are still slipping away, even if dot(release date) is negative, or if things are staying on target [i.e., dotdot(release date) == 0].
(I used to think about this in regards to a telescope that was soon-to-be-finished when I started grad school, and was soon-to-be-finished when I finished grad school. It did manage to cross over to "finished" and AFAIK is producing wonderful results.)
If I was currently a moderator, I would.
It's too damn easy to forget that power is much more valuable than money, above a certain level.
Remember that what's inside of you doesn't matter because nobody can see it.
I am writing this reply to whoever moderated my first comment. How can it be redundant if it is the first post???
Munky_v2
Jay
At least not any that work all the time.
Americans can be called *anything*, since they come from every country and culture on the planet. And they don't hesitate to invent either.
Second, the new encryption regulations also appear to allow export of full-strength ("128-bit") encryption binaries, although with somewhat more hassle and restrictions than with open source encryption source code. (Note that binaries built from open source get no special break in the regulations vs. binaries built from proprietary code.) The relevant sections in the regulations are 740.17(a)(2) and (a)(3), and 742.15(b)(2).
The new regs appeared very firmly against allowing the export of binaries which allowed for greater than certain key lengths.
Reading the Mozilla FAQ, it makes it clear that there are still a number of issues - they can't post the source due because foreigners can get at it that way, and they can't post the source because Americans can't have it either, because of the RSA patent issue.
I assume they haven't stripped all the debug/symbol stuff out yet. I can't imagine they would ship an 18M footprint release. The boys in Redmond would jump all over that.
Slashdot poster uses word "looser" correctly. .mpg at 11.
Weblogging Considered Harmful:
Debug symbols don't get loaded into memory when an executable runs; they stay on disk.
However, as you also said, it could be that the current builds contain a lot of extra debugging crap which is bloating the footprint...
Will Price from Network Associates (the owners of PGP) has posted to n.p.m.crypto several times offering to integrate PGP into the lizard; maybe now it will happen sooner rather than later.
You are still wrong. Fortunately this will become clear when the strong-crypto binaries and source code appear on Mozilla.org.
First, Slashdotters should realize that key management is basically a harder, and more important, problem than the cryptography itself. More "secure systems" get broken because of bad key management than because the ciphers get cracked. A PKI module that can do good key management, and can get a decent user interface so that users don't screw it up, is worth more in the long term than access to the RSA algorithm.
That said, it sure sounds like this PKI is focussed on the nasty X.509 style PKI that's basically a support infrastructure for old style centralized security systems. Verisign, DoD, and so on. I'll be glad when PGP/GPG style web of trust gets direct support.
Second, there was some gnashing of teeth here that SSL won't be in Mozilla. Justly so. But hey, there's really no problem ... just don't confuse "SSL" with "RSA Encryption and Signatures". They really aren't the same ... even though with Verisign buying out Thawte (maybe), it looks like the main signer of non-RSA certs may have been co-opted. (Sigh; I really want freedom of choice for public key algorithms, particularly now that TWINKLE makes RSA look weaker and weaker.)
With the new US regulations, folk could incorporate a version of the OpenSSL toolkit, sans RSA support. (And at about 12:01am on September 20, check the RSA support into CVS.)
The patent-free flavors of SSL use algorithms much like those used by GPG. There is a public key signature algorithm (DSS/DSA), a key exchange algorithm (Diffie-Hellman), and various flavors of DES (and Triple-DES) for bulk data encryption. OpenSSL includes support for Blowfish (way faster) and other patent-free ciphers, as well as TLS (a somewhat more secure SSL that mandates patent-free encryption options; it's the IETF standard). There's a recent IETF draft showing how to incorporate OpenPGP keys and ciphers (such as CAST128) into TLS.
Third, please don't get hung up on RSA. Everyone's security will be better when there's a choice of public key algorithms for use in authentication and encryption. OpenPGP (such as GPG), SSL, and TLS can all be used just fine without anyone having to get a wedgie about RSA (or deal with their nasty lawyers -- give me a normal lawyer any day).
In short: there's a lot of good news here, and if you want it, this is sufficient to move a good SSL into Mozilla right away. Whatever you do, don't let the licensing agreements that Sun, Netscape, and so on have with RSA force you to hold off till you can use that particular public key algorithm.
Oh, I would agree, there was nothing of meaning in the post. My point was that it can't be redundant if it's the first post, that's all. But now I am going to say something "informative". I really do think that this is a great thing for the Mozilla team. Here's why:
It is always a good thing when we as open source developers can get our hands on cool technology (without having to go to court over it. This may be what we need to move SSL and over all Internet security beyond where it is now. I also have no doubt that the OSS community will improve upon the security model, and may build it into Apache, thus making the most secure web server ever.
Munky_v2
Jay
If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.
The spinner thingy was choosen through a competition (twice), but not the logo. JWZ created the mozilla.org site, so he might have also created the logo, but I'm just guessing there.
It would appear to be great - but only as long as you live outside of the US. We need to remember that the core algorithm (see note below!) in both SSL and S/MIME is RSA. RSA is still patented (but only in the US...) so Mozilla will have to be careful to ensure that RSA is appropriately licensed (not an easy task - note the PGP hassle). Roll on 20/9/00 when the RSA patent finally expires, eh? Of course, RSALabs have then indicated that RSA is a tradename and as such will have to be licensed :( (Note:) ElGamal / DH has now become the "MUST" algorithm in these two RFCs, but RSA remains a "SHOULD". AFAIK, all current implementations (and CAs etc) still only support RSA - so ElGamal / DH are f'cking useless anyway....
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
That issue is and has been dead for months.
There will be no native widgets, because they A) can't be styled by CSS, and B) require far more platform-specific code than cross-platform widgets. Anyone's free to make a platform-native wrapper to Mozilla, but Mozilla's widgets will be cross-platform.
With that certainty out of the way, here's the good news. David Hyatt and others (Mike Pinkerton comes to mind, regarding the Mac side of the issue) have undertaken the goal of getting the XP widgets to look closer to the native widgets than they do right now. Hyatt is making what's known as XBL (the eXtensible Bindings Language) for just such a purpose. The first checkin of an implementation of XBL was allowing the styling of the scrollbars (this happened about a week ago). Pete Collins, a non-Netscape independent developer, has produced scrollbars that look pretty close to the default GTK setup (yes, yes, I know GTK+ is themable; it's not hard at all to make the scrollbars change appearance now). I'm sure someone will do Mac and Windows scrollbars, or whatever other platform desires a native-looking scrollbar. Do I really know how much this'll help the XP look appear native? Nah. But from Pete's initial code for the GTK scrollbar, it looks REAL promising.