impl-mozilla.htm

The Open–source PKI Book Version 2.4.6 Edition Copyright &copy 1999, 2000 by Symeon (Simos) Xenite

<HTML
><HEAD
><TITLE
>Mozilla Open Source PKI projects</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.55"><LINK
REL="HOME"
TITLE="The Open&#8211;source PKI Book"
HREF="ospki-book.htm"><LINK
REL="UP"
TITLE="Open-Source Implementations"
HREF="implementations.htm"><LINK
REL="PREVIOUS"
TITLE="Jonah: Freeware PKIX reference implementation"
HREF="impl-jonah.htm"><LINK
REL="NEXT"
TITLE="MISPC Reference Implementation"
HREF="impl-mispc.htm"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Open&#8211;source PKI Book: A guide to PKIs and Open&#8211;source Implementations</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="impl-jonah.htm"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 7. Open-Source Implementations</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="impl-mispc.htm"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="IMPL-MOZILLA"
>Mozilla Open Source PKI projects</A
></H1
><P
>  Currently, the software application that makes most use of PKI technology
  is the WWW browser. This importance was realised by Netscape and has lead
  to the creation of two libraries to aid the unified support of cryptography
  and security for both the browser and server software. These libraries are 
  the Network Security Services (NSS) and the Personal Security Manager (PSM) 
  and provide the functionality of a PKI.
  </P
><P
>  These libraries are also plagued with the export&#8211;control regulations
  and currently it is under consideration to receive an export license.
  However, in this case, there is an additional problem with the patents
  and the licenses that covers parts of the cryptographic software 
  that makes the release of the source code even more difficult.
  Currently, the source code distributed does not contain the full functionality
  and thus, cannot be compiled. The result of this procedure remains to be seen. 
  On the other hand, binary version of these libraries are both available and
  exportable from the US.
  For more information on the licensing and crypto issues, there is an appropriate
  <A
HREF="http://www.mozilla.org/crypto-faq.html"
TARGET="_top"
>Mozilla Crypto FAQ</A
>.
  </P
><P
>  These libraries (with the exclusion of code on crypto and patented components by 
  third&#8211;parties) are covered by the 
  <A
HREF="http://www.mozilla.org/MPL/"
TARGET="_top"
>Mozilla Public License</A
> and the 
  <A
HREF="http://www.gnu.org/copyleft/gpl.html"
TARGET="_top"
>GNU General Public License</A
>. 
  The use is free to choose under which of the two licenses to 
  use the source code, either the MPL terms or the GPL terms. 
  </P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="IMPL-MOZILLA-PSM"
>Personal Security Manager (<SPAN
CLASS="ACRONYM"
>PSM</SPAN
>)</A
></H2
><P
>  Personal Security Manager (PSM) is a client-independent desktop security module. 
  It performs PKI operations on behalf of desktop client applications, including 
  certificate and key management, SSL, S/MIME, cryptographic token support, and 
  centralized administration. 
  </P
><P
>  More information can be found at the
  <A
HREF="http://www.mozilla.org/projects/security/pki/psm/"
TARGET="_top"
>  Personal Security Manager (PSM)</A
> WWW page.
  </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="IMPL-MOZILLA-NSS"
>Network Security Services (<SPAN
CLASS="ACRONYM"
>NSS</SPAN
>)</A
></H2
><P
>  Network Security Services (NSS) is a set of libraries designed to support 
  cross-platform development of security-enabled server applications.
  Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, 
  PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. 
  </P
><P
>  More information can be found at the 
  <A
HREF="http://www.mozilla.org/projects/security/pki/nss/"
TARGET="_top"
>  Network Security Services (NSS)</A
> WWW page.
  </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="IMPL-MOZILLA-JAVASCRIPT"
>JavaScript API for Client Certificate Management</A
></H2
><P
>  As part of the Personal Security Manager, a new JavaScript API for Client
  Certificate Management has been implemented. The effect of this is that
  specific client PKI functionality can move to the browser, allowing
  implementations like <A
HREF="impl-openca.htm"
>the section called <I
>The OpenCA Project[TODO]</I
></A
> and <A
HREF="implementations.htm#IMPL-PYCA"
>the section called <I
>The pyCA Certification Authority</I
></A
>
  to fully take advantage of it.
  </P
><P
>  This is the functionality supported by PSM version 1.0.
  <P
></P
><OL
TYPE="1"
><LI
><P
>	User fill out enrollment form.
	</P
></LI
><LI
><P
>	User action initiates script (for example, pressing submit).
	</P
></LI
><LI
><P
>	The script calls the key&#8211;generation method.
	</P
></LI
><LI
><P
>	Encryption and Signing key&#8211;pairs are generated.
	</P
></LI
><LI
><P
>	The Encryption Private Key is wrapped with the the public key of the 
	Key Recovery Authority (<SPAN
CLASS="ACRONYM"
>KRA</SPAN
>).
	The public key of the KRA is passed in in the form of a certificate 
	as part of the script and is checked against a pre&#8211;installed
	certificate copy in the local certificate database.
	</P
></LI
><LI
><P
>	Both the Encryption and Signing Public keys, the wrapped encryption
	public key and a text string from the script are signed by the user's
	Signing Private Key. The text string can contain naming or enrollment
	information.
	</P
></LI
><LI
><P
>	The signed information is returned to the script (from the PSM).
	</P
></LI
><LI
><P
>	The script submits the signed information and other necessary information
	to the CA/RA.
	</P
></LI
><LI
><P
>	The CA/RA verify the signature of the signed information.
	</P
></LI
><LI
><P
>	The CA/RA validate the identity of the user.
	</P
></LI
><LI
><P
>	The CA/RA sends the wrapped Encryption Private Key to the KRA.
	</P
></LI
><LI
><P
>	The KRA sends escrow verification information back to the CA.
	</P
></LI
><LI
><P
>	The CA creates and signs the certificates.
	</P
></LI
><LI
><P
>	The CA sends the created certificates back to the PSM&#8211;capable
	browser.
	</P
></LI
><LI
><P
>	The certificates are stored.
	</P
></LI
></OL
>
  More information can be found at the 
  <A
HREF="http://docs.iplanet.com/docs/manuals/psm/11/cmcjavascriptapi.html"
TARGET="_top"
>  JavaScript API for Client Certificate Management</A
> WWW page.
  </P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="impl-jonah.htm"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="ospki-book.htm"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="impl-mispc.htm"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Jonah: Freeware PKIX reference implementation</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="implementations.htm"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>MISPC Reference Implementation</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>