Security, Crypto, and Random Topics
I just finished reading a report titled "U.S. Dept of Defense Open Technology Development roadmap" published at http://opentechdev.org/.

It says, among other things:
OSS and open source development methodologies are important to the National Security and National Interest of the U.S. for the following reasons:
  • Enhances agility of IT industries to more rapidly adapt and change to user needed capabilities.
  • Strengthens the industrial base by not protecting industry from competition. Makes industry more likely to compete on ideas and execution versus product lock-in.
  • Adoption recognizes a change in our position with regard to balance of trade of IT.
  • Enables DoD to secure the infrastructure and increase security by understanding what is actually in the source code of software installed in DoD networks.
  • Rapidly respond to adversary actions as well as rapid changes in the technology industrial base.
I'm glad to see more uptake of this philosophy, and glad to see it in print. 
The times are changing for the cryptography in your browser.

As many of you know, the SSL2 protocol has been superseded by the SSL3 protocol, and the TLS 1.0 and 1.1 protocols. As a result, we're working to remove the SSL2 protocol from the Mozilla clients. We'll be able to send the SSL3 hello message to the server when starting an SSL connection. The SSL3 hello will allow us to support a new type of cryptography, called Elliptic Curve Cryptography (ECC). It will also allow us to support Server Name Indication (SNI). [See this page for more information.]

Also, a number of ciphersuites with short (weak) key lengths (40-bit and 56-bit) have fallen out of vogue. They are just too weak to be trusted. So we're working to turn them off as well.
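
The two points above (the SSL2-format hello has no place for extensions such as SNI, and 40/56-bit suites should no longer be offered), as an added example that is not from the original post or from NSS: Python that classifies a ClientHello as SSL2-format or SSL3/TLS-format, extracts the SNI name when present, and lists the weak suites offered. The two sample hellos are constructed, `example.test` is a placeholder host, and the weak-suite table is a short illustrative subset.

```python
import struct

# 40- and 56-bit suites, by their IANA TLS cipher suite numbers (subset).
WEAK = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
        0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
        0x0009: "TLS_RSA_WITH_DES_CBC_SHA"}

def u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]

def inspect_hello(d: bytes) -> dict:
    """Classify a ClientHello; report offered weak suites and the SNI name."""
    if d[0] & 0x80 and d[2] == 0x01:
        # SSL2 format: 2-byte length, type, version, 3 length fields, then
        # 3-byte cipher specs. SSL3/TLS suites appear as 0x00 + 2-byte id.
        specs = [d[i:i + 3] for i in range(11, 11 + u16(d, 5), 3)]
        suites = [u16(s, 1) for s in specs if s[0] == 0]
        fmt, sni = "ssl2", None          # this format has no extensions field
    elif d[0] == 0x16 and d[5] == 0x01:
        pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
        pos += 1 + d[pos]                # session id
        n = u16(d, pos)
        suites = [u16(d, i) for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + d[pos]                # compression methods
        fmt, sni = "ssl3/tls", None
        end = pos + 2 + u16(d, pos) if pos < len(d) else pos
        pos += 2
        while pos + 4 <= end:            # walk extensions: type(2) len(2) data
            etype, elen = u16(d, pos), u16(d, pos + 2)
            if etype == 0:               # server_name: list len, type, name len, name
                sni = d[pos + 9:pos + 9 + u16(d, pos + 7)].decode("ascii")
            pos += 4 + elen
    else:
        raise ValueError("not a ClientHello")
    return {"format": fmt, "sni": sni, "weak": [WEAK[s] for s in suites if s in WEAK]}

# Constructed samples (not captured traffic); example.test is a placeholder host.
_specs = bytes.fromhex("000003" "000004")          # RC4-40 export, RC4-128-MD5
_body = b"\x01\x03\x00" + struct.pack(">HHH", len(_specs), 0, 16) + _specs + bytes(16)
SSL2_HELLO = struct.pack(">H", 0x8000 | len(_body)) + _body
_name = b"example.test"
_sni = struct.pack(">HHHBH", 0, len(_name) + 5, len(_name) + 3, 0, len(_name)) + _name
_hs = (b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">HHH", 4, 0x002F, 0x0009)
       + b"\x01\x00" + struct.pack(">H", len(_sni)) + _sni)
TLS_HELLO = (b"\x16\x03\x01" + struct.pack(">H", len(_hs) + 4)
             + b"\x01" + len(_hs).to_bytes(3, "big") + _hs)
```
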

Microsoft is working on the same goals. Here is one of their blogs:
http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

Here is the page we're using to track the few remaining SSL2-only sites that matter:
http://wiki.mozilla.org/Necko:SSL_v2_Sites

And here is Gerv's blog on the same subject:
http://weblogs.mozillazine.org/gerv/archives/2005/09/ssl2_must_die.html

If you run a web site that uses only SSL2, or one that only uses weak ciphers, it's time for you to upgrade your site!

As an aside, we're continuing to work on "mod_nss", an Apache web server module that allows administrators to use the NSS crypto libraries rather than OpenSSL. See here for more information:
http://directory.fedora.redhat.com/wiki/Mod_nss
10th-Feb-2006 08:16 am - NSS and FIPS 140
Here's a little crypto news that's been on my mind lately.

The NSS crypto libraries, the first FIPS-validated open-source crypto implementation, are now well on their way to completing their 4th round of FIPS 140 (Level 2) validation. On 1/20/2006 we received the certificates from NIST for AES, Triple DES, SHS, and HMAC.

This is an important milestone. We'll use the FIPS version of NSS in upcoming versions of Red Hat products like the Directory Server and Certificate System. We will also use these libraries in upcoming versions of Firefox and Thunderbird, allowing people in the U.S. Government to upgrade from older versions of the Netscape products (like Netscape Communicator 4.7 in some cases!).

I went through some old docs a few days ago, and was reminded that NSS received its first validation in 1997 as part of the Netscape products. In 2001 we open sourced NSS (after the U.S. export regs changed and the RSA patent expired). In that same year NSS also received its second round of FIPS 140 Level 2 validation, the first as an open source product.

If you've read this far, these links might interest you:
http://wiki.mozilla.org/FIPS_Validation
http://www.mozilla.org/projects/security/pki/nss/fips/
http://www.mozilla.org/projects/security/pki/nss/overview.html