Mozilla to get PKI source code

ChrisRijk wrote to us about the release of PKI information to Mozilla. The "Sun-Netscape Alliance" has that announced that it will give mozilla.org a bunch of PKI (Public Key Infrastructure) library source code and utilities. This was made possible due to looser regulation of encryption source code by the US Department of Commerce." A FAQ available at the Mozilla web site.

The Alliance?

[banky]

``The Alliance views security as a critical component to the global e- commerce market,'' said Mark Tolliver, president and general manager for the Sun-Netscape Alliance.

"After all, " he continued, "when you're striking from hidden bases against the evil Empire, you need all the security you can get."

Seriously, a great piece of news, but this Alliance stuff is starting to drive me bonkers.

Re:The Alliance?

I am starting to think in my head:

alliance=cartel
alliance=syndicate

Of course, everybody knows it's really just Anything-but-Microsoft.

Luckily Saddam Hussein doesn't have any way to issue blows against Microsoft, or we'd be shipping him tanks already.

Hilarious designation

[pq]

Check out this guy's job title, as listed in the article:

The availability of industry proven PKI source code will be a tremendous benefit to developers,'' said Mitchell Baker, Chief Lizard Wrangler at mozilla.org.

That just made my afternoon - can I get a job title like that too?

Oh, and this looks like all-round good news for mozilla, Open Source and widespread encryption, too - there, that should complete my buzzword quotient for this post :)

Re:Hilarious designation

[BitPoet]

So, just create one for yourself.

My official title is "BitPoet"

Of course, our CEO is the "BitMeister"
the head of sales is the "Minister of Commerce"
the head of marketing is "Marketing Guy"

The list goes on.

Anyone else?

mozilla kicks ass

[lubricated]

For those that don't believe me download last nights build. Mozilla is really starting to come together. The ui is quick and responsive. Alot of the drawing bugs that plauged mozilla in the past are gone. The skin now uses a bigger font. The memory footprint is down to about 18M. Every week I download mozilla and it pleasantly surprises me each time.

Re:mozilla kicks ass

[phutureboy]

I second what you said, plus would like to add that everyone can help improve it by submitting good bug reports.

If you need help with submitting a bug report, every tuesday evening is Bug Day on IRC - I think it's in #mozilla. see mozilla.org for more details.

I'm really looking forward to the final release of Mozilla. It's going to change a lot of things. I'm hoping that it will help to make Linux as good a platform for surfing as it already is for serving.

--

Re:mozilla kicks ass

[asa]

If you have problems with Mozilla or you'd like to report a bug but don't know how drop in to BugDay! on #mozillazine irc.mozilla.org every Tuesday afternoon into evening. There are lots of people there to help. If you don't know where to start ask me.

BugDay is a weekly collaborative bug hunting and reporting event hosted by mozillaZine (check out http://www.mozillazine.org if you haven't yet) on IRC. If you'd like to see Mozilla get better faster, then be a part of it.

Asa

(posted with today's build of mozilla)

Re:mozilla kicks ass

[Yarn]

Its significantly improved since the last milestone. I was running 1999082316 (M12 debian package) and I thought you were exaggerating. The latest build (2000011811) is a lot quicker. Redraws about 5x speed, subjectively (dragging another window over it test). I'm not so keen on the large text, but that's just a matter of finding a CSS.

Really good crypto

It has long been recognized that a cryptographic system is only as good as the quality of the reviews and attacks it survives. Open source crypto, really open source, is an excellent next step. GPG, Gnu Privacy Guard is part of the equation, but its initial development all took place outside the US because of crypto export restrictions. It looks like the genie is truly out of the bottle. It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.

Re:Really good crypto

[Kaa]

It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.

Well, first of all it depends on the tendencies of your government and the size of your bank account -- some people worry more about one, and some people worry more about the other.

Second, the security of your bank account is 99% dependent on security policies of your bank that you can do zilch about (other than taking your account to another bank, that is). Remember, these are the same people who think that a social security number and a mother's maiden name authenticates a person.

Third, you usually have recourse against banks (if they lose your money, they have to make it up to you), but not against governments (if you spend a year in prison as a suspect in a criminal investigation and then let go because it wasn't you, the best you can hope for is an apology).

Fourth, you have your priorities bass-ackwards. If your bank account gets raided, all you lose is money. If a government takes a dislike to you, your problems are likely to be rather more significant.

And as to "It isn't worth much to them.", remember that governments are interested not in money, but in power. Don't think of how much money can somebody who knows your data can make. Think about how much power will he have over you.

Kaa

Re:Really good crypto

[jd]

I'd make the following counter-arguments:

• Money is power. Control the money and you control the power. This is as true today as it has ever been. This is why the British are so bothered by the cracker who has tried holding almost the entire country to ransom. The odds are very good that the cracker can cripple Britain long before anyone actually finds them.
• Information, alone, is actually pretty valueless. What anyone can do with it depends a lot on it's useful lifespan, it's completeness, it's accuracy, what it is, how easy it is to cross-reference, and how many organisations need to co-operate to get anything useful out. Now, all of those variables are much more under -your- control than any mysterious agency. You can be as hard to exploit as -you- choose.
• How much power anyone has over you is your choice. Nobody can -make- you do anything. What -you- do is always your choice. Yes, it's often a question of setting priorities, and choosing which option you like best (or dislike least), but it IS, ultimately, a choice you make. If you decide to always do your own thing, and never mind the consequences, then nobody in the world will ever have any power over you at all. How can they? You would have chosen to make any action they take a lesser priority than your will. I don't advocate that, I'm merely using that as an illustration that power is an illusion created by the person you believe yourself to have power over.

Re:Really good crypto

[Wah]

>>How much power anyone has over you is your
>>choice. Nobody can -make- you do anything.
>>What -you- do is always your choice

>That's a banal triviality. Yes, my muscles are
>under my control, so technically I only do what
>I want to. That is neither useful, nor
>interesting observation.

Not at all, it is an important (if basic) point.

>If somebody shoots and kills me, that is power over me.

Not power over you, power applied to you. If they did it because you wouldn't give them what they wanted, who retains the power?

Funny how you would mention this the day after MLK day, he sure lost a lot of power after he died, same for Jesus.

"You can kill a man, but you can't kill what he stands for." -CSM

We're all gonna die anyway, if I get to choose when and for what, that's power.

I'm not saying that physical power is immaterial, far from it, but Power (with a capital P) is far more complex than being stronger or having a bigger gun.

(hey, at least my .sig is on-topic...for this post ;)

Re:Really good crypto

[Wah]

A soldier walks by, he notices your blanket and takes a fancy to it. You refuse to give it up, so the soldier shoots you and takes the blanket. Who retains the power?

My friends, after they stone the soldier.

oh, you say, then they get shot. Well then their friends get the blanket, they get shot. repeat until everyone is dead or happy.

That example proves nothing.

Well, first of all Jesus is a special case, isn't he? I don't think Christianity considers him dead.

A lot of people don't think Elvis is dead either, but that don't mean he ain't. A special case perhaps (if you believe in his divine nature vs. a pretty solid philosopher) but still makes my point.

Second, you are confusing a person and his ideas.

I'm curious about how you seperate the two. Sure there is a difference (my ideas don't drive a car) but as this case illustrates, here a man _died_ for his ideas (standing up for them, as the case may be).

To draw a parallel, if the "towel" you mentioned earlier was Dr. King's dream. Can anybody take that away from him? It would seem to me, that the people (person) who tried, couldn't. It's still his, and is cele^H^H^H^Hrecognized throughout the country. It's _his_ towel.

If you break your leg on a hunting trip into the Canadian Northern Territories and have no way of communicating, your choices are: (1) Freeze/starve to death; (2) Shoot yourself. Where is power here?

Power and stupidity/fate mix as well as anything else, i.e. not that much. By saying that I would have the choice when to die, I was referring to a situation like the towel. If I thought the towel was worth dying for, I would, that's my choice, my Power (that'd be dumb as hell, but to each his own)

nice, but...

[arafel]

don't expect wonders. The code they're releasing might contribute to the infrastructure (possibly), but it won't contain anything for actually doing the [de|en]cryption required for SSL etc. Check the FAQ (URL given in the post).

"Even more important, the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code. Because of RSA intellectual property restrictions and the continued presence of proprietary code licensed from RSA Security, Inc., the Sun-Netscape Alliance will not be releasing the source code that actually performs the core encryption and decryption operations."

It's a definite step forward, though, I guess. Now if they could only make it faster... ')

Good news...?

[jd]

It's great that companies are making use of the new-found freedoms that the export restrictions have given them, and kudos to ALL involved in the decision to free up the security API.

On the other hand, does it really offer anything we don't already have? It's not like there's any shortage of SSL patches for Mozilla, out there, and I'm sure there's plenty of other security stuff, too. I wouldn't be the least-bit surprised if there's a patch for encrypting your laundry (useful in preventing your left socks being intercepted) whilst you wait.

Re:Good news...?

[roca]

I haven't heard of any SSL patches for Mozilla to date. Do you have any references? I don't think so. The Cryptozilla hack done by Eric Young and others early in '98 was more a proof of concept than anything else, and their code is completely useless in the rewritten codebase.

It's true that someone could have, and could still, produce an SSL plugin for Mozilla based on OpenSSL or something like that. They haven't though. But the big breakthrough is that we can now talk about the issues, standardize the APIs, and leverage a lot of the code Netscape has already written. Also Netscape will be releasing binaries which will give US users access to an RSA-licensed implementation.

Re:Can we lose the fscking commie logo?

[Anonymous+Commando]

If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.

I believe the voting was anonymous, so good luck on getting the name of the person who decided. And don't get so hung up on the "communist" aspect of it - think "revolutionary" instead.
________________________

Weak links

[Tau+Zero]

This is only significant if the sites which take encrypted data actually go to the effort to protect it. Keeping people's orders, including credit-card numbers, in a file with a standard name in cleartext is going to send e-commerce security to hell in a handbasket. Worse, this is one of the easier problems to deal with, because when your security is cracked you tend to find out about it.

Encryption is touted as a way to protect privacy and human rights. Unlike a slip-up which reveals credit-card numbers to a cracker, the sort of people who want the goods on dissidents and the like won't be asking for ransoms for the data or making fraudulent purchases. The connection between the security lapse and the late-night phone calls, break-ins, beatings, and other dirty tricks will be impossible to see. It's a new ocean out there, full of shoals hidden beneath the dark water. We must not put too much trust in our handiwork until it has well and truly proven itself sound.
--

Re:When is M13?

[lubricated]

in a couple days. The code freeze was supposedly yesterday.

Re:So maybe I'm cynical...

[Frank+Hecker]

To clarify this: First, the code being released is being created by a separate group of developers from the main Mozilla developers at AOL/Netscape; it's from the security engineering team that creates the security/crypto infrastructure for the Sun/Netscape Alliance server products as well as for Netscape Communicator. Second, the security stuff is not tightly embedded in present Mozilla like it was in Mozilla Classic and Netscape Communicator 4.x; it's more like an add-on architecture through a defined set of general-purpose APIs in main Mozilla.

So it's not like the security/crypto work is taking lots of developers away from other Mozilla work.

Re:HELP

[Munky_v2]

Here's an idea Click on this link.


Munky_v2

Just submit the patches...

[Per+Abrahamsen]

The answer is in the FAQ. PGP support will be added as soon as someone submits the patches. PKI was added because someone ("Alliance") submitted the code.

If nobody are willing to do the work, the work will not be done.

Release Date migration?

[waldeaux]

So, it's great that there Mozilla/NN5 will be "beefier", but isn't it a little late to be still adding things to Mozilla?

Is there any word as to what this will do to the expected release date? Right now that's more important to me than last-minute creeping featurism.

Has anyone generated the first derivative of projected release date? Such a statistic actually DOES serve a useful purpose since it tells you if the delays are in control or are running away from you. Using Einsteinian notation for derivatives (dot = dX/dt, dotdot = d2X/dt2):

1. If dot(release date) is above 0 then the project is moving away, and unless measures are taken, you'll never see it completed.
2. If dot(release date) = 0, then it's barely contained, insofar as that the true release date is at infinity (basically it means that for every day that passes, one day is added to the release date). Whether or not "infinity" is acceptable is a different story.
3. dot(release date) less than 0 means that you will eventually see the project completed.

Now, you can get into second derivatives :-) at which point you can see if things are still slipping away, even if dot(release date) is negative, or if things are staying on target [i.e., dotdot(release date) == 0].

(I used to think about this in regards to a telescope that was soon-to-be-finished when I started grad school, and was soon-to-be-finished when I finished grad school. It did manage to cross over to "finished" and AFAIK is producing wonderful results.)

Re:Release Date migration?

[Royster]

Is there any word as to what this will do to the expected release date?

Not a thing. This is an incomplete plug-in for an already established API sontributed by persons outside the core Mozilla development team. A link to the plan for the next few months was posted on /. in just the past week.

Two more milestones are planned: M13 is in feature freeze and should be out within a week after all the regressions are fixed. M14 feature freeze is 2/15, that should be alpha for Seamonkey. A Netscape branded beta should follow that (i.e. with all of the other pieces like SSL included). The last step is a final Mozilla followed by a final Netscape.

Re:YAY!

[um...+Lucas]

Where did you learn this? According to the press release, this was enabled by the eased export regulations, which still clearly limit the strength cryptographic software for export (they upped symetric encryption to 64 bits, and assyemetric to 1024 bits and eliptic curves to 112 bits).

Further, according to the FAQ, you will not be able to download the actually code, because of RSA's patent. Therefore, only boxed copies purchased from Sun or whoever will include this functionality. And it seems that the actual mechanism that does the crypto will still remain quite closed (but it will be revisited on 9/20/2000 when RSA's patent expires.

So no, i don't think I'm at all wrong.

Really good points -- moderate up

[jabbo]

If I was currently a moderator, I would.

It's too damn easy to forget that power is much more valuable than money, above a certain level.

Re:Key lengthes permitted by new export regulation

[um...+Lucas]

The new regs appeared very firmly against allowing the export of binaries which allowed for greater than certain key lengths.

Reading the Mozilla FAQ, it makes it clear that there are still a number of issues - they can't post the source due because foreigners can get at it that way, and they can't post the source because Americans can't have it either, because of the RSA patent issue.

Re:Mem size

[logicTrAp]

Debug symbols don't get loaded into memory when an executable runs; they stay on disk.
However, as you also said, it could be that the current builds contain a lot of extra debugging crap which is bloating the footprint...

3 Things

[Big+Jojo]

First, Slashdotters should realize that key management is basically a harder, and more important, problem than the cryptography itself. More "secure systems" get broken because of bad key management than because the ciphers get cracked. A PKI module that can do good key management, and can get a decent user interface so that users don't screw it up, is worth more in the long term than access to the RSA algorithm.

That said, it sure sounds like this PKI is focussed on the nasty X.509 style PKI that's basically a support infrastructure for old style centralized security systems. Verisign, DoD, and so on. I'll be glad when PGP/GPG style web of trust gets direct support.

Second, there was some gnashing of teeth here that SSL won't be in Mozilla. Justly so. But hey, there's really no problem ... just don't confuse "SSL" with "RSA Encryption and Signatures". They really aren't the same ... even though with Verisign buying out Thawte (maybe), it looks like the main signer of non-RSA certs may have been co-opted. (Sigh; I really want freedom of choice for public key algorithms, particularly now that TWINKLE makes RSA look weaker and weaker.)

With the new US regulations, folk could incorporate a version of the OpenSSL toolkit, sans RSA support. (And at about 12:01am on September 20, check the RSA support into CVS.)

The patent-free flavors of SSL use algorithms much like those used by GPG. There is a public key signature algorithm (DSS/DSA), a key exchange algorithm (Diffie-Hellman), and various flavors of DES (and Triple-DES) for bulk data encryption. OpenSSL includes support for Blowfish (way faster) and other patent-free ciphers, as well as TLS (a somewhat more secure SSL that mandates patent-free encryption options; it's the IETF standard). There's a recent IETF draft showing how to incorporate OpenPGP keys and ciphers (such as CAST128) into TLS.

Third, please don't get hung up on RSA. Everyone's security will be better when there's a choice of public key algorithms for use in authentication and encryption. OpenPGP (such as GPG), SSL, and TLS can all be used just fine without anyone having to get a wedgie about RSA (or deal with their nasty lawyers -- give me a normal lawyer any day).

In short: there's a lot of good news here, and if you want it, this is sufficient to move a good SSL into Mozilla right away. Whatever you do, don't let the licensing agreements that Sun, Netscape, and so on have with RSA force you to hold off till you can use that particular public key algorithm.

Re:Can we lose the fscking commie logo?

[Chris+Siegler]

If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.

The spinner thingy was choosen through a competition (twice), but not the logo. JWZ created the mozilla.org site, so he might have also created the logo, but I'm just guessing there.