Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla to Include Crypto

Posted by Roblimo on from the keeping-secrets-with-a-lizard dept.

Willy Wonka passed us the news that Mozilla's M14 release will include crypotography on the branch. If you'd care to add your eyeballs to the debugging process, please do: Christine Begle posts in the n.p.m.seamonkey newsgroup, "We need help from the Mozilla community to test the crypto-enabled M14 candidate builds. Some tests and test plans will be posted to mozilla.org sometime on Tuesday." That's today, folks.

15 of 161 comments (clear)

  1. Re:RSA algorithm is what will become public domain by Frank+Hecker · · Score: 4
    The RSA binaries won't be public domain.

    To clarify this a little more: the security library for Netscape Communicator (which will also be in the iPlanet PSM binaries that will work with Mozilla) incorporates proprietary code from RSA Security, and some of that code implements the RSA public key algorithm, on which RSA Security has a patent in the U.S.

    Once the RSA patent expires then other people in the U.S. may write and release code implementing the RSA algorithm without requiring a patent license from RSA. However the code supplied by RSA Security will still be proprietary. What the expiration of the patent will allow is creation of an alternative RSA implementation which is open source and can be freely used with the Mozilla source base.

    I believe the patent on the RSA algorithm expires this autumn.

    September 20, 2000 (which actually is in the summer, but just barely). And yes, patents normally are for 17 years.

  2. What will it have? Find the answers. by jelwell · · Score: 4

    I'm seeing a lot of posts that ask about this or that. Try downloading Mozilla. Mozilla currently supports Javascript up to 1.5 and CSS 1 & 2. Download the build - give it a shot.

    The SSL code will be included in the tip - not the mozilla tree. This means - no one will see the code that is owned by RSA. So using cvs on the tree wont get you all the crypto code - it will probably download at least one small binary file that includes the patented RSA code. Which later this year will fall into public domain.

    Don't forget to help out on the Mozilla project - Mozilla runs great on Mac, Linux, Win32 and all sorts of variant UNIX operating systems as well as OS's I've never even heard of.
    Joseph Elwell.

  3. I'd like to appeal to everyone... by moonboy · · Score: 4

    I'd like to appeal to everyone. If you like Linux and especially Open Source Software, please download this release of Mozilla (and future releases as well) and use it, abuse it, and break it. Then, report those bugs! This is going to be one of the biggest coups for Open Source Software and show a lot of detractors that OSS is a viable method for developing quality software. It will also blow away a lot of FUD concerning security issues, etc. of OSS (because it's open.) Thanks.

    kuro5hin.org

    --

    Co-founder and designer at Music Nearby: http://musicnearby.com
  4. I might add by luge · · Score: 4

    One important note: the crypto in M14 will not be Open Source. Rather, M14 will incorporate hooks which will be usable with a binary-only crypto module from iPlanet (the offspring of the Netscape-Mozilla alliance.) For more on the situation, read this mozillazine post.

    --

    IAAL,BIANLY

    1. Re:I might add by BigBaldGuy · · Score: 5

      Hi. I'm one of the developers who is working on getting the crypto stuff out of our internal tree and into the M14 branch.

      It is true that for the moment, this branch will only be useful with a binary-only module that we are cranking out for both 4.x and Netscape 6 browsers.

      However, as you will see here, we are in the process of getting all the source code that we legally can out there. We made tarballs available a few weeks ago, and though that code doesn't build, at least you can get an idea of how the binary piece works.

      We're still working on patent issues, as you might guess, along with a number of other things, before we can have a fully working build in the mozilla tree. But we're getting there.

      Mark Welch -- Crypto/PKI developer -- Sun|Netscape Alliance

    2. Re:I might add by puetzk · · Score: 5

      I (the person who built the M13 binaries for Linux/PowerPC) am working on this. While I can't have the source either, I think I have a netscape employee who is going too be helping on PowerPC at least. Other people on other platforms, go to irc.mozilla.org #mozcrypto and I expect you will find helpful people who want this to work just as much as you do.

      Chant with me... September 30th... (RSA's patent will expire and SSL won't be such a legal PITA). Right now it has to be binary-only or not at all, due to legal restrictions.

      --
      The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
    3. Re:I might add by john_boy · · Score: 5

      Ugh. This isn't a flame; unlike some others, I'm not going to go ape just because I can't get the source to a couple of the components of one of the apps I run.

      But whenever I hear 'binary-only,' it turns out to mean Linux-x86 only. As someone who runs Linux (yes, real Linux, new kernels and all) on a PowerPC, this won't be the first almost-must-have goodie denied to me -- and I'm sure folks who run on other open source OSes, even on the x86, can relate.

      John

  5. Re:If it's not Open Source, it's crap! by Mike+Shaver · · Score: 4

    When you're done banding together to implement RSA without violating their patents, please drop us a line. (Have fun storming the castle!)

  6. Re:PGP...vote for it then. by VValdo · · Score: 4
    Join bugzilla.

    it's bug #22687

    Vote early (and as the old joke goes, vote often)

    W
    -------------------

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
  7. Re:If it's such a coup... by Zico · · Score: 4

    Besides, we don't want Mozilla to be like the bug-laden products of some companies out there...do we?

    Don't pick on RedHat like that -- they're still Open Source and could use our support now that their stock's been tanking.

    Cheers,
    ZicoKnows@hotmail.com

  8. Restrictions? Well, none! by griffjon · · Score: 4
    Well, that's not strictly true. No export to the T-7 (the 7 state supportors of terrorism; Iran, Iraq, etc.), and the code has to be fwd'd to BXA:

    (B) For post-export reports and certification letters, you may submit them electronically to crypt@bxa.doc.gov (suggested file formats include spreadsheets, tabular text or structured text), or to the Department of Commerce, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy Controls, 14th Street and Pennsylvania Avenue, N.W., Room 2705, Washington, DC 20230, Attn: Encryption Reports. A copy must also be mailed to Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000.

    http://www.bxa.doc.gov/Encryption/qanda.htm


    http://www.bxa.doc.gov/Encryption/licchart.htm
    Product
    Previous Licensing Mechanism
    Update99 Licensing Mechanism
    Technical Review
    Reporting

    Source Code (publicly available, unrestricted)
    IL/ELA
    TSU
    No3,4
    No

    Source Code (publicly available with restrictions)
    IL/ELA
    ENC
    No3,4
    Yes

    Notes:
    3. No review of foreign products(s)
    4. BXA Notification at time of export is required
    --
    Returned Peace Corps IT Volunteer
  9. Do any distributions ship with Mozilla? by dsplat · · Score: 4
    Once this is stable, it could be the answer to secure open source e-commerce. Apache on the server and Mozilla on the client. Both open for peer review, which is the only thing in crypto that gives much assurance of security. To quote the Crypto-Gram Newsletter, September 15, 1999:

    As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.

    --
    The net will not be what we demand, but what we make it. Build it well.
  10. Re:Mozilla... reaching critical mass? by lostboy · · Score: 4

    From the ngLayout FAQ:

    For XML formatting, why is Gecko supporting CSS rather than XSL in the first release?

    Simple: CSS1 is a finished, fully adopted, and mature two-year-old standard; XSL isn't done yet. As Tim Bray, the coeditor of the XML standard, has written:

    "Microsoft's XSL efforts are very impressive, but (readers will pardon us being something of a broken record on this subject) XSL is in the future. We are convinced that from the point of view of the largest number of users, the most important things that Microsoft could do in IE 5 would be:
    1.Ensure interoperability of XML and stylesheets with other browsers, and
    2.Build in conformance to existing, stable, well-understood standards such as CSS 1.0.

    Innovation, of course, is fine and necessary, and we salute Microsoft's leadership in this area. But innovation needs to be built on a foundation of interoperability and playing by existing well-understood rules." He further adds that "It seems obvious to me that for anyone who wants to deploy XML in production mode right now, XML + CSS is the way to go ..." ("Microsoft Outlines XML Support in IE5 Beta 2" at http://www.xml.com/xml/pub/98/10/ie5-2.html)

    -=snip=-

    I understand their reasoning, but damnit, I want my XSL! It's very weird giving XML demos in IE.

  11. Re:Crypto .. exportability by evil_one · · Score: 4

    Since the U.S. govt slackened off some of the export regulations, the crypto can be available as long as it is not knowingly exported to a restricted country. Also, since mozilla is using hooks to a binary - the same way the shockwave flash plugin works - one can develop one's own crypto modules if so desired.

    --
    Desperation is a stinky cologne
  12. www.mozillazine.org vs. Censorware by John+Hurliman · · Score: 5

    Curses! http://www.mozillazine.org is blocked by SurfWatch! Just when I was about to get a stable browser that works, the filtering companies decide open source software is against their morals :-(