Sun-Netscape Alliance Releases Public Key Infrastructure to Mozilla.org
Tuesday January 18th, 2000
According to a press release today, the Sun-Netscape Alliance is contributing the source code of the Netscape Security Services (NSS) and Personal Security Manager (PSM) to mozilla.org. Mozilla.org will provide the structure for disseminating the code and incorporating contributions. The open source release will not only put tested public-key code in the hands of more developers, but it will also provide the oversight necessary to ensure its stability and security in the future.
It is unclear how this will impact Mozilla -- the RSA code is still private. We should have more information for you in a few hours.
You can read the press release here.
UPDATE: New news on the release (thanks to Frank Hecker for the links). This press release goes into further detail. Mitchell Baker of mozilla.org states that "This contribution provides Mozilla with a high-quality open source security component for the browser." The release also states that "the source code contributed by the Sun-Netscape Alliance can be used to provide Secure Sockets Layer (SSL) support in the Mozilla browser".
Next, we have an updated crypto FAQ at mozilla.org. According to the FAQ, "the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code." Because of RSA intellectual property restrictions, they "will not be releasing the source code that actually performs the core encryption and decryption operations." But the news gets better. "The Mozilla binaries combined with the iPlanet Personal Security Manager binaries will implement SSL support; S/MIME support will be available sometime in the future when S/MIME integration with Mozilla is completed." Even though the source for the actual encryption/decryption will not be available, it will make it into Mozilla. There's a lot more to read there, so check it out.
Finally, you can get much more info on the new projects at the mozilla.org security page.
I wonder if they'll also contribute additional developer and QA staff.
(posted with 1/18 mozilla build)
Why the big "no source code" about RSA? RSA is a publicly-documented algorithm; there are no "secrets" in it -- in fact, if it relied on secrecy to maintain its security, it wouldn't be any good at all. So why can't they just rewrite the RSA code and keep it open, too? If there's one piece of code that I would want to go through the public review process of open-source, this is it!!
Because, as the FAQ points out, almost inevitably that code will infringe on RSA's patents in the US. Meaning it's perfectly legitimate outside the US to clone it clean, but US people can't touch it. Which basically puts us back where we were before January 14th. :)
Anyway, I'm willing to wait for September 20th.... If RSA isn't allowed to re-up their patent, we could put a clean-room implementation in that day and, even if the patent was renewed later, ex post facto laws would save us, insofar as I know. :) Of course, IANAL.
I wonder if jwz will come back to the slums and do an S/MIME implementation (he did the 4.x one) :-)
Looks like Cryptozilla will be back soon!
and Mike Shaver picked the right time and company to join. (Am thinking Freedom+Mozilla integration?)
I'd like to know a bit more about this...
Mozilla was supposed to be the replacement for Communicator, now it seems to be branching into a server domain. I'm sure Mozilla will just incorporate the PKI-client stuff, but I'm confused as to the CA side of things - What exactly has been open-sourced? The Client stuff? The server stuff? Is it a one-cert or two-cert PKI? Is iPlanet going to market the CAs? Is there going to be a directory server with this? LDAP or X.500?
This could be really interesting...
#7 Re: PKI Details
Sunday January 23rd, 2000 2:56 AM
To clarify: Two main things are being open-sourced: Network Security Services (NSS) and Personal Security Manager (PSM). NSS is a base security/PKI library incorporating SSL and S/MIME support, as well as support for various PKI operations. NSS is used as a security library in various of the Sun/Netscape Alliance server products and in Communicator 4.x. NSS is also used as a security/PKI library by PSM. PSM is specifically intended as a client-side PKI product intended to be called from Mozilla and products based on Mozilla code; among other things, it allows those clients to do certificate enrollment with a CA using the CRMF/CMMF protocols. (It also supports what you called "two-cert PKI".)
The Sun/Netscape Alliance sells a commercial CA product, the Netscape Certificate Management System, and a commercial LDAP directory server, the Netscape Directory Server; see <http://www.iplanet.com/pr…rastructure/dir_security/>. These products are not open source (although they are based on open standards like LDAP, X.509v3, CRMF/CMMF, etc.). If you wanted to create an open source CA product you would need more than just NSS and PSM.
#8 Re: Re: PKI Details
Sunday January 23rd, 2000 2:58 AM
Sorry, I can never get used to the MZ way of handling links; to repeat, you can find information on the Netscape Certificate Management System and the Netscape Directory Server at <http://www.iplanet.com/pr…rastructure/dir_security/>