I live in the Baltimore/Washington area and work for the government sales group of IronKey. For more about me and what I'm doing, see the “Personal” section of this site and my blog.

Entries for 2005

CAs, certificates, and the SSL/TLS UI

In my previous posts I announced adoption of the new Mozilla policy on CA certificates and discussed the CA market and possible roles for CAs. In this post I present some of my personal thoughts about how the SSL/TLS UI used in Firefox and related products might evolve, based on past discussions in the n.p.m.crypto and n.p.m.security newsgroups and conversations I've had at different times with various CAs and browser suppliers. ...

The business of CAs

As I mentioned in my previous post about the new policy on CA certificates, one major issue is to what extent we should distinguish among the different types of certificates issued by different Certification Authorities, both in terms of the policy and also in terms of the SSL/TLS UI used in Firefox and other products. In today's SSL/TLS certificate market CAs sell certificates with different claims as to the "assurance" of the certificate, but Firefox and other browsers have a "one UI fits all" approach, where any SSL/TLS connection to a web site receives the same UI treatment (the infamous padlock) regardless of how and to what extent the CA validates the holder of the site's certificate.

After many years of the status quo there are now forces operating that may change this situation. I think that in order to understand the issues around the SSL/TLS UI we have to look not only at the security-specific issues (e.g., the nature and severity of threats, and the mechanisms by which we might defend against them), but also at the environment in which CAs are likely to be operating, and how their role might evolve over time based on the likely forces of change that are present in that environment. ...

Mozilla CA certificate policy approved

Back in April 2005 I submitted a draft policy document to the Mozilla Foundation regarding how we determine which Certification Authorities (CAs) have root certificates included in Mozilla-based products distributed by the Foundation. Since that time a lot has happened; in particular the Mozilla Foundation reorganized to move its product development and distribution activities into the new Mozilla Corporation, and I took on a part-time position with the "new" Mozilla Foundation as Director of Policy.

Now that I'm a Director of Policy I thought I should go ahead and actually do something policy-related, so I'm now officially announcing the new Mozilla CA Certificate Policy; I'll be formally using this henceforth when dealing with CAs who'd like to get their certificates into Firefox, Thunderbird, etc. (I've already been doing this informally.) ...

Feedback is now welcome

After much struggle I've finally managed to get my blog to support comments and TrackBacks. (This is what I get for using "roll your own" blogging software). I'll blog some more later about how I did this, for any Blosxom users who happen to be interested; in the meantime please report any problems to me, either as comments on this post (if you're able to) or via email.

UPDATE: I now have a blog post describing the new Blosxom plugin I wrote to support comments and TrackBacks.

Asymmetric competition

In previous posts I've discussed the theory of disruptive innovation (sometimes referred to as disruptive technology) created by Clayton Christensen and his associates, whether Firefox is a disruptive innovation in the sense Christensen uses, and the value network for Firefox. In this post I discuss potential "asymmetric competition" between the Mozilla project and Microsoft; much of my discussion is in the context of Firefox and IE, but my comments are meant to encompass the project as a whole. ...

The Mozilla Foundation reorganization

The Mozilla Foundation has just announced a reorganization in which it's created a new wholly-owned subsidiary, the Mozilla Corporation. In this post I wanted to provide my thoughts about the reorganization, why it's being done, and what I think it means for the Mozilla project and the Mozilla Foundation. ...

Petra Haden Sings: The Who Sell Out

On my old web site (in the pre-blog days) I had a page with brief reviews of various books and music. Now that my blog is up and (sort of) working I've decided to revive that practice. For my first entry I've chosen Petra Haden Sings: The Who Sell Out. ...

The Firefox value network

In previous posts I discussed the basics of Clayton Christensen's disruptive innovation theory and considered whether Firefox is a disruptive innovation. In this post I try to describe the "value network" for Firefox, using Christensen's definition: "[a firm's] upstream suppliers; its downstream customers, retailers, and distributors; and its partners and ancillary industry players" (Seeing What's Next, p. 63). I also discuss how the Firefox value network overlaps (or not) with the value networks of Microsoft and others. ...

Firefox and innovation

In a previous post I discussed Clayton Christensen's "disruptive innovation" theory (as popularized in The Innovator's Dilemma and other books) and how it applied to the rise and fall of Netscape. In this post I turn to more recent events, and attempt to answer at least some of the five questions with which I ended previously:

  • Is Firefox more of a sustaining innovation or a disruptive innovation?

  • In what sense is the Mozilla project pursuing (or could pursue) disruptive strategies, whether based on low cost or competing against nonconsumption?

  • What might "competing against nonconsumption" entail in the context of Firefox and the Mozilla project?

  • What is the value network for Firefox and the Mozilla project, and how does it overlap with the value network for IE and Microsoft?

  • Are the Mozilla project and Firefox potentially vulnerable to a co-optation strategy by Microsoft, as Netscape was? ...

Mozilla CA certificate policy submitted for consideration

I have just submitted a Mozilla CA certificate policy 1.0 release candidate to the Mozilla Foundation and mozilla.org staff for consideration as an official 1.0 policy. This version of the policy is basically the draft 12 version with two changes:

  • I explicitly marked the policy as a release candidate.
  • I made a minor change to the last sentence in clause 7 to clarify the meaning of the sentence. ...

Draft 12 of Mozilla CA certificate policy

I've just posted a new draft 12 of the proposed Mozilla CA certificate policy, and absent strong objections plan to submit this to the Mozilla Foundation for approval as a 1.0 policy. The two substantive changes in this draft are as follows:

  • To address some of the concerns expressed about CAs issuing "duff" certificates (defined loosely as certificates that are dubious from a security or technical point of view) I've expanded clause 4 to add examples of certificate-related problems that might cause us to reject a CA's application for inclusion or to consider removing an already-included CA certificate.

  • To address a concern about certificates of different "assurance levels" being issued under the same CA root (or intermediate), I've added a new clause 13 that recommends CA consider using separate root or intermediate CAs when issuing certificates according to different policies. ...

Draft 11 of Mozilla CA certificate policy

I've just posted a new draft 11 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows:

  • I strengthened the language in paragraph 4 to cover rejecting CA requests if we believe it's appropriate to do so.

  • I modified paragraph 6 to add a requirement relating to verification of certificate signing requests, and added a new paragraph 7 to describe minimum verification requirements for each type of certificate. (See below for more on this.)

  • I added a new paragraph 14 noting that the Mozilla Foundation will designate someone to handle CA requests, with mozilla.org staff being the "supreme court" for any disputes. ...

JWZ considered disruptive

I've previously thought of Jamie Zawinski not just as an excellent hacker but also as a marketing talent, creator of the original mozilla.org "brand". (Imagined conversation: "You know, these open source and free software types are all radical anarchists or Marxist hippies; they'll really go for a brand image that reminds them of trashing a WTO meeting" "Well, Jamie, you're the expert...") Now based on his "groupware bad" rant it turns out that JWZ is also a leading-edge corporate competitive strategist; maybe the people getting Harvard Business School MBAs could take a break and hang out at the DNA Lounge instead. ...

Patch for atomfeed plugin (UTC dates)

I recently experienced a strange problem with the Atom feed on my weblog. My weblog server is running on U.S. Eastern time as the basic time zone, but the story dates in the Atom feed should be expressed in UTC/GMT; the atomfeed plugin has code that supposedly should do any necessary conversions. On my local test blog (running under OS X 10.3 using Perl 5.8.1) this worked fine, but on my real blog (running on Red Hat Enterprise Linux 3 using Perl 5.8.0) the dates in the Atom feed were incorrect; they were five hours earlier than what they should be, suggesting that they didn't get converted to UTC/GMT. After some investigation this turned out to be due to non-portable code in the atomfeed plugin. ...

Feel the love: Love/Hate brand scores for Firefox, etc.

I happened to stumble upon a blog post by Jennifer Rice on "Love/Hate brand scores". She did a thoroughly unscientific comparison of common brands based on querying Google for "I love Foo" and "I hate Foo" (similar to Googlefight, but taking the idea a bit further). I've recomputed her results and included some brands and products of interest to us. ...

Draft 10 of Mozilla CA certificate policy

I've posted a new draft 10 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows:

  • I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read "publicly disclose" as opposed to "fully and publicly disclose"; in other words, I dropped the word "fully".

  • I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we're doing now). ...

Full disclosure: for and against

In the course of our discussing the proposed Mozilla CA certificate policy, Ian Grigg happened to ask about the existing Mozilla policy on handling security bugs and how we tried to forge a compromise between people advocating full disclosure of security bugs and people who were opposed to that. (Ian was interested in this because he and Adam Shostack have been blogging on the "economics of disclosure".) I happened to look back at the Google archives of the discussions we had, and found some material that I thought was worth revising, reprinting, and commenting upon, especially for people who are not aware of how the current Mozilla policy came to be. ...

Draft 9 of Mozilla CA certificate policy

I've created a new draft 9 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: ...

Draft 8 of Mozilla CA certificate policy

I've created a new draft 8 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: ...

Draft 7 of Mozilla CA certificate policy

I've published a new draft of the proposed Mozilla CA certificate policy. For information on changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list).

(Note that I have not yet completed writing the accompanying FAQ, but will try to do so in the coming weeks.) ...

Mozilla's ECCN for U.S. export control

A while ago someone wrote to mozilla.org staff asking "What is the ECCN for Mozilla?" For that small fraction of the world's population who knows what an ECCN is (an "Export Control Classification Number" for U.S. encryption export control regulations) and cares about what Mozilla's ECCN happens to be, here's the answer I gave. Note that this is not an "official" answer, but it's the closest thing to it you're likely to get. ...

Patch seemore plugin for full text feeds

I use the seemore plugin by Todd Larason to show only excerpts of entries on my main blog page, index pages for categories, and archive pages, while displaying the entire article on an individual entry's page. It's worked well, with one exception: When I created my RSS and Atom feeds I wanted the feeds to contain the full text of all entries, for the convenience of people using news readers. (Many of these applications display article text directly in the reader, removing the need to open a browser window to read the article.)

To do this I made a minor patch to the seemore plugin, which I thought others might find of interest as well. The patch essentially bypasses seemore processing for selected Blosxom flavours (in my case, the 'rss' and 'atom' flavours).

Patch for entries_cache_meta plugin (meta values)

I've been using the entries_cache_meta plugin by Jason Thaxter, mainly for the convenience of specifying the modification date within the entry file. After a while I decided I'd like to also use its "meta" capability, i.e., the ability to specify arbitrary variables in the entry header along with the modification time, e.g.,

The entry title
meta-mtime: 2005/01/17 12:18:00
meta-foo: Whatever you want

The entry text begins here...

and then reference the variables as, e.g., $meta::foo within the story template (as is possible with Rael Dornfest's original meta plugin). Unfortunately, I couldn't get this to work at all. ...

Enforcing proper use of trailing slashes

I've previously blogged about my canonicaluri plugin that checks to see whether the requested URI is in the canonical form for the type of page being requested, and if necessary does a browser redirect to the canonical form of the URI. However the canonicaluri plugin may be overkill for some people, for example, it presumes use of the extensionless plugin, so that canonical URIs for individual entries do not have file extensions for the default flavour. A simpler alternative to the canonicaluri plugin is the slashredir plugin, which only enforces proper usage regarding trailing slashes. ...

My new weblog

After a long period of neglecting my personal web site, I've decided to start my own weblog, with the goal of making it easier for me to publish new material and therefore (I hope) more likely that I'll actually write more.

My plan is to write about things that interest me, on the theory that they might interest at least a few other people. As part of that I'll occasionally discuss the volunteer work I've been doing for the Mozilla project.

While this site has been up and running for several weeks, today marks what I consider to be its official launch. The site design is frozen, at least for now, and I now have all the site features in place that I wanted to have, at least for an initial attempt. The major missing piece is a comments system; I've delayed doing this until or unless I can put some reasonable measures in place against comment spam.

After this date I won't introduce changes to the site without careful testing, in an effort not to break things. I also won't arbitrarily change the dates on entries, in order to avoid problems with news aggregators.

To-do list

As many people can attest, sometimes you spend more time (and have more fun) tinkering with the underpinnings of a web site instead of actually writing new content to be posted on it. In that spirit, here is my current list of things I'm planning to add to or change about my web site and blog. ...

Patch for atomfeed plugin ("modified" element for feed)

The "official" atomfeed plugin does not generate valid feeds for the current version (0.3) of the Atom specification because the output does not have a "modified" element for the feed as a whole, just "modified" elements for each story. Obviously the modification date/time for the feed can be interpreted as the date/time modified of the most recent story, so then it's just a matter of generating the proper output for the MODIFIED tags. ...

The lastmodified2 plugin

In a previous post I discussed the general problem of validating and caching dynamic content. In order to implement the strategy outlined in that post I decided to create a new version of the lastmodified plugin originally created by Bob Schumaker. The lastmodified plugin was a good base to build on; however it didn't do exactly what I wanted to do, and hence I couldn't resist trying to improve on it.

The following material documents the lastmodified2 plugin that I created, including my notes on how I implemented page validation according to my interpretation of the HTTP 1.1 specification. ...

Validating and caching dynamic content

One of the things I enjoy about setting up my own blog with the Blosxom software is learning about the deep details of web protocols and formats that I've never worried about before. (This might have been the case if I'd used another blogging system, but the hackable nature of Blosxom inspires, nay, almost demands it.) Lately I've been educating myself about HTTP conditional GET requests and validation and caching of dynamically-generated content.

In this post I discuss the subtleties of validating and caching dynamic content in general, and then in a separate post I tell how I created the lastmodified2 plugin for Blosxom, a rewrite of the lastmodified plugin. ...

Copyright and license

I've done a lot of work related to software licensing as part of the Mozilla relicensing project and when I worked at CollabNet. As a result of enduring endess wrangling about licensing terms I've been put off complex licensing schemes, and prefer to make my own works available under very liberal terms. ...

Emptymessage patch for Apache compatibility, etc.

When stock Blosxom sees a URL that doesn't correspond to an existing entry or list of entries, it simply puts up a "normal" page (i.e., using the standard heat and foot templates for that flavour) that doesn't have any actual content. I really don't like this behavior, and thus I decided to try out the emptymessage plugin created by Fletcher Penney. Unfortunately I wasn't entirely happy with its behavior either, and so I decided to patch it. ...

Markdown patch for varying empty element suffixes

As noted in a previous post I am a big fan of the Markdown text-to-HTML conversion tool. However nothing's perfect. I already discussed a bug involving link ids, and I subsequently found one other reason to patch Markdown, for sites like mine that generate both HTML 4.01 Strict and XML pages (an Atom feed in my case). ...

Using the Markdown plugin

In creating my blog I wanted to be able to go beyond plain text entries but avoid having to hand-code HTML. I looked at various schemes for marking up plain text to indicate the presence of links, ordered and unordered lists, preformatted text, etc. ...

Blosxom annotations

I've been investigating using the Blosxom weblog application for my personal blog, and felt disadvantaged by my lack of knowledge of Perl (the language in which Blosxom was written). I began making detailed notes while I was reading through the Blosxom code (blosxom.cgi); my note taking quickly got out of hand, and here are the results, for anyone who's interested: ...

Syndication feeds

If you'd like to receive full-text articles from this site as they are published, you can subcribe to one or more of the following feeds, in the formats indicated; simply cut and paste the URLs into your feed reader of choice. The Atom feeds are preferred; I maintain the RSS feeds only for older news aggregators that are not yet Atom-enabled. ...