Our RSA Conference panel talk on implementing ECC in the TLS protocol went really well.  We had a very full room, and people stayed until the very end.  There were numerous questions from the audience during the formal Q&A section, and several people came up to talk to us informally. Overall, it was a great experience, and I thank my co-presenters from Microsoft, Certicom, Sun, and the NSA.  They also did a great job.

There were a few well known people in the audience.  Sitting in the front row was none other than Whitfield DIffie, a true pioneer in the cryptography world.   I might have been a little intimidated at having such a dignitary listening to me talk if not for two facts.  First, I was well prepared and had interesting performance graphs and non-obvious lessons learned.  Second, he fell asleep around the time I was talking.  Or maybe he was deep in thought, pondering the deep meaning of my talk.

Yeah, that's it.

I'll be on a panel at the RSA Conference next week, talking about ECC (Elliptic Curve Cryptography).  Certicom just published a press release about it.  If you're going to the conference, please stop by our talk!

The Firefox 2 Beta 1 milestone was released today. There are a number of changes in the cryptography of this release that are noteworthy:

1. When Firefox makes an OCSP request to validate a web server's certificate, it now uses whatever proxy you set up for normal HTTP traffic. (Bugzilla Bug 111384)
2. Support added for Elliptic Curve Cryptography (ECC) in TLS. There's a test server here.  Please be gentle with this server. If it starts to melt we'll have to take it offline.
   
3. SSL2 is off by default. (Bugzilla Bug 236933)
4. The weak ciphers (keys less than 64-bits long) are off by default.
5. It supports the TLS server name indication extension to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. (See RFC http://www.ietf.org/rfc/rfc3546.txt)

Please run this software on a test machine.  It's a test release.  If you encounter any problems with the cryptography of this beta build, please file a bug here: https://bugzilla.mozilla.org/  (or contact me directly at blord at redhat)

The schedule for FF2 is at http://wiki.mozilla.org/Firefox2/Schedule and shows an August final release, but there's also a link to an online calendar that shows the final bits shipping at the end of September.

We continue to work towards FIPS 140-2 level 2 validation for the NSS crypto libraries.  When that effort is completed and NIST awards NSS the new validation certificates, people in the U.S. Government (and other places that value FIPS 140 validation) will be able to use the latest versions of Firefox and Thunderbird.