Mozilla to get PKI source code

← Back to Stories (view on slashdot.org)

Mozilla to get PKI source code

Posted by Hemos on Tuesday January 18, 2000 @07:38AM from the more-code-out-sooner dept.

ChrisRijk wrote to us about the release of PKI information to Mozilla. The "Sun-Netscape Alliance" has that announced that it will give mozilla.org a bunch of PKI (Public Key Infrastructure) library source code and utilities. This was made possible due to looser regulation of encryption source code by the US Department of Commerce." A FAQ available at the Mozilla web site.

10 of 98 comments (clear)

Min score:

Reason:

Sort:

The Alliance? by banky · 2000-01-18 02:46 · Score: 3

``The Alliance views security as a critical component to the global e- commerce market,'' said Mark Tolliver, president and general manager for the Sun-Netscape Alliance.

"After all, " he continued, "when you're striking from hidden bases against the evil Empire, you need all the security you can get."

Seriously, a great piece of news, but this Alliance stuff is starting to drive me bonkers.

--
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
1. Re:The Alliance? by Anonymous Coward · 2000-01-18 03:23 · Score: 3
  
  I am starting to think in my head:
  
  alliance=cartel
  alliance=syndicate
  
  Of course, everybody knows it's really just Anything-but-Microsoft.
  
  Luckily Saddam Hussein doesn't have any way to issue blows against Microsoft, or we'd be shipping him tanks already.
Really good crypto by Anonymous Coward · 2000-01-18 02:53 · Score: 4

It has long been recognized that a cryptographic system is only as good as the quality of the reviews and attacks it survives. Open source crypto, really open source, is an excellent next step. GPG, Gnu Privacy Guard is part of the equation, but its initial development all took place outside the US because of crypto export restrictions. It looks like the genie is truly out of the bottle. It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.
1. Re:Really good crypto by Kaa · 2000-01-18 03:33 · Score: 5
  
  It isn't the governments of the world that I fear when I protect my data. It isn't worth much to them. This will help protect it from the people who want a piece of my bank account.
  
  Well, first of all it depends on the tendencies of your government and the size of your bank account -- some people worry more about one, and some people worry more about the other.
  
  Second, the security of your bank account is 99% dependent on security policies of your bank that you can do zilch about (other than taking your account to another bank, that is). Remember, these are the same people who think that a social security number and a mother's maiden name authenticates a person.
  
  Third, you usually have recourse against banks (if they lose your money, they have to make it up to you), but not against governments (if you spend a year in prison as a suspect in a criminal investigation and then let go because it wasn't you, the best you can hope for is an apology).
  
  Fourth, you have your priorities bass-ackwards. If your bank account gets raided, all you lose is money. If a government takes a dislike to you, your problems are likely to be rather more significant.
  
  And as to "It isn't worth much to them.", remember that governments are interested not in money, but in power. Don't think of how much money can somebody who knows your data can make. Think about how much power will he have over you.
  
  Kaa
  
  --
  
  Kaa
  Kaa's Law: In any sufficiently large group of people most are idiots.
2. Re:Really good crypto by Wah · 2000-01-18 09:01 · Score: 3
  
  >>How much power anyone has over you is your
  >>choice. Nobody can -make- you do anything.
  >>What -you- do is always your choice
  
  >That's a banal triviality. Yes, my muscles are
  >under my control, so technically I only do what
  >I want to. That is neither useful, nor
  >interesting observation.
  
  Not at all, it is an important (if basic) point.
  
  >If somebody shoots and kills me, that is power over me.
  
  Not power over you, power applied to you. If they did it because you wouldn't give them what they wanted, who retains the power?
  
  Funny how you would mention this the day after MLK day, he sure lost a lot of power after he died, same for Jesus.
  
  "You can kill a man, but you can't kill what he stands for." -CSM
  
  We're all gonna die anyway, if I get to choose when and for what, that's power.
  
  I'm not saying that physical power is immaterial, far from it, but Power (with a capital P) is far more complex than being stronger or having a bigger gun.
  
  (hey, at least my .sig is on-topic...for this post ;)
  
  --
  +&x
nice, but... by arafel · 2000-01-18 03:03 · Score: 3

don't expect wonders. The code they're releasing might contribute to the infrastructure (possibly), but it won't contain anything for actually doing the [de|en]cryption required for SSL etc. Check the FAQ (URL given in the post).

"Even more important, the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code. Because of RSA intellectual property restrictions and the continued presence of proprietary code licensed from RSA Security, Inc., the Sun-Netscape Alliance will not be releasing the source code that actually performs the core encryption and decryption operations."

It's a definite step forward, though, I guess. Now if they could only make it faster... ')
Re:Can we lose the fscking commie logo? by Anonymous+Commando · 2000-01-18 03:05 · Score: 3

If memory serves me correctly (not always), the logo was chosen through an open submission / voting system - artists/graphics geeks submitted ideas for Mozilla logos, people voted, most popular was selected.
I believe the voting was anonymous, so good luck on getting the name of the person who decided. And don't get so hung up on the "communist" aspect of it - think "revolutionary" instead.
________________________

--
Corporate Jenga: You take a blockhead from the bottom and you put him on top...
Re:So maybe I'm cynical... by Frank+Hecker · 2000-01-18 03:19 · Score: 5

To clarify this: First, the code being released is being created by a separate group of developers from the main Mozilla developers at AOL/Netscape; it's from the security engineering team that creates the security/crypto infrastructure for the Sun/Netscape Alliance server products as well as for Netscape Communicator. Second, the security stuff is not tightly embedded in present Mozilla like it was in Mozilla Classic and Netscape Communicator 4.x; it's more like an add-on architecture through a defined set of general-purpose APIs in main Mozilla.
So it's not like the security/crypto work is taking lots of developers away from other Mozilla work.
Just submit the patches... by Per+Abrahamsen · 2000-01-18 03:38 · Score: 3

The answer is in the FAQ. PGP support will be added as soon as someone submits the patches. PKI was added because someone ("Alliance") submitted the code.
If nobody are willing to do the work, the work will not be done.
3 Things by Big+Jojo · 2000-01-18 11:10 · Score: 3

First, Slashdotters should realize that key management is basically a harder, and more important, problem than the cryptography itself. More "secure systems" get broken because of bad key management than because the ciphers get cracked. A PKI module that can do good key management, and can get a decent user interface so that users don't screw it up, is worth more in the long term than access to the RSA algorithm.
That said, it sure sounds like this PKI is focussed on the nasty X.509 style PKI that's basically a support infrastructure for old style centralized security systems. Verisign, DoD, and so on. I'll be glad when PGP/GPG style web of trust gets direct support.
Second, there was some gnashing of teeth here that SSL won't be in Mozilla. Justly so. But hey, there's really no problem ... just don't confuse "SSL" with "RSA Encryption and Signatures". They really aren't the same ... even though with Verisign buying out Thawte (maybe), it looks like the main signer of non-RSA certs may have been co-opted. (Sigh; I really want freedom of choice for public key algorithms, particularly now that TWINKLE makes RSA look weaker and weaker.)
With the new US regulations, folk could incorporate a version of the OpenSSL toolkit, sans RSA support. (And at about 12:01am on September 20, check the RSA support into CVS.)
The patent-free flavors of SSL use algorithms much like those used by GPG. There is a public key signature algorithm (DSS/DSA), a key exchange algorithm (Diffie-Hellman), and various flavors of DES (and Triple-DES) for bulk data encryption. OpenSSL includes support for Blowfish (way faster) and other patent-free ciphers, as well as TLS (a somewhat more secure SSL that mandates patent-free encryption options; it's the IETF standard). There's a recent IETF draft showing how to incorporate OpenPGP keys and ciphers (such as CAST128) into TLS.
Third, please don't get hung up on RSA. Everyone's security will be better when there's a choice of public key algorithms for use in authentication and encryption. OpenPGP (such as GPG), SSL, and TLS can all be used just fine without anyone having to get a wedgie about RSA (or deal with their nasty lawyers -- give me a normal lawyer any day).
In short: there's a lot of good news here, and if you want it, this is sufficient to move a good SSL into Mozilla right away. Whatever you do, don't let the licensing agreements that Sun, Netscape, and so on have with RSA force you to hold off till you can use that particular public key algorithm.