Sun-Netscape Alliance Releases Public Key Infrastructure to Mozilla.org
Tuesday January 18th, 2000
According to a press release today, The Sun-Netscape Alliance is contributing the source code of the Netscape Security Services (NSS) and Personal Security Manager (PSM) to mozilla.org. Mozilla.org will provide the structure for disseminating the code and incorporating contributions. The open source release will not only put tested public-key code in the hands of more developers, but it will also provide the oversight necessary to ensure its stability and security in the future.
It is unclear how this will impact Mozilla -- the RSA code is still private. We should have more information for you in a few hours.
You can read the press release here.
UPDATE: New news on the release (thanks to Frank Hecker for the links). This press release goes into further detail. Mitchell Baker of mozilla.org states that "This contribution provides Mozilla with a high-quality open source security component for the browser." The release also states that "the source code contributed by the Sun-Netscape Alliance can be used to provide Secure Sockets Layer (SSL) support in the Mozilla browser".
Next, we have an updated crypto FAQ at mozilla.org. According to the FAQ, "the release of source code from the Sun-Netscape Alliance will not include all the code needed to produce a complete SSL- or S/MIME-capable Mozilla product starting with only source code." Because of RSA intellectual property restrictions, they "will not be releasing the source code that actually performs the core encryption and decryption operations." But the news gets better. "The Mozilla binaries combined with the iPlanet Personal Security Manager binaries will implement SSL support; S/MIME support will be available sometime in the future when S/MIME integration with Mozilla is completed." Even though the source for the actual encryption/decryption will not be available, it will make it into Mozilla. There's a lot more to read there, so check it out.
Finally, you can get much more info on the new projects at the mozilla.org security page.
Because, as the FAQ points out, almost inevitably that code will infringe on RSA's patents in the US. Meaning it's perfectly legitimate outside the US to clone it clean, but US people can't touch it. Which basically puts us back where we were before January 14th. :)
Anyway, I'm willing to wait for September 20th.... If RSA isn't allowed to re-up their patent, we could put a clean-room implementation in that day and, even if the patent was renewed later, ex post facto laws would save us, insofar as I know. :) Of course, IANAL.