Mozilla Open Source PKI projects

Currently, the software application that makes most use of PKI technology is the WWW browser. This importance was realised by Netscape and has lead to the creation of two libraries to aid the unified support of cryptography and security for both the browser and server software. These libraries are the Network Security Services (NSS) and the Personal Security Manager (PSM) and provide the functionality of a PKI.

These libraries are also plagued with the export–control regulations and currently it is under consideration to receive an export license. However, in this case, there is an additional problem with the patents and the licenses that covers parts of the cryptographic software that makes the release of the source code even more difficult. Currently, the source code distributed does not contain the full functionality and thus, cannot be compiled. The result of this procedure remains to be seen. On the other hand, binary version of these libraries are both available and exportable from the US. For more information on the licensing and crypto issues, there is an appropriate Mozilla Crypto FAQ.

These libraries (with the exclusion of code on crypto and patented components by third–parties) are covered by the Mozilla Public License and the GNU General Public License. The use is free to choose under which of the two licenses to use the source code, either the MPL terms or the GPL terms.

Personal Security Manager (PSM)

Personal Security Manager (PSM) is a client-independent desktop security module. It performs PKI operations on behalf of desktop client applications, including certificate and key management, SSL, S/MIME, cryptographic token support, and centralized administration.

More information can be found at the Personal Security Manager (PSM) WWW page.

Network Security Services (NSS)

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

More information can be found at the Network Security Services (NSS) WWW page.

JavaScript API for Client Certificate Management

As part of the Personal Security Manager, a new JavaScript API for Client Certificate Management has been implemented. The effect of this is that specific client PKI functionality can move to the browser, allowing implementations like the Section called The OpenCA Project[TODO] and the Section called The pyCA Certification Authority to fully take advantage of it.

This is the functionality supported by PSM version 1.0.

  1. User fill out enrollment form.

  2. User action initiates script (for example, pressing submit).

  3. The script calls the key–generation method.

  4. Encryption and Signing key–pairs are generated.

  5. The Encryption Private Key is wrapped with the the public key of the Key Recovery Authority (KRA). The public key of the KRA is passed in in the form of a certificate as part of the script and is checked against a pre–installed certificate copy in the local certificate database.

  6. Both the Encryption and Signing Public keys, the wrapped encryption public key and a text string from the script are signed by the user's Signing Private Key. The text string can contain naming or enrollment information.

  7. The signed information is returned to the script (from the PSM).

  8. The script submits the signed information and other necessary information to the CA/RA.

  9. The CA/RA verify the signature of the signed information.

  10. The CA/RA validate the identity of the user.

  11. The CA/RA sends the wrapped Encryption Private Key to the KRA.

  12. The KRA sends escrow verification information back to the CA.

  13. The CA creates and signs the certificates.

  14. The CA sends the created certificates back to the PSM–capable browser.

  15. The certificates are stored.

More information can be found at the JavaScript API for Client Certificate Management WWW page.