Mozilla Foundation activities, week ending 2006/04/07

This is my report on activities of the Mozilla Foundation for the week ending April 7, 2006. Much of what went on last week won't be announced until subsequent weeks; of the rest, the most notable activities related to the Mozilla Foundation web site and a PKI conference I attended.

Projects for the week

Here's a partial listing of what I and others at the Foundation did the week ending April 7:

  • mozillafoundation.org. Zak Greant has been doing minor fixes to the Mozilla Foundation pages on mozilla.org, and creating a new set of pages for mozillafoundation.org (not yet online).

    Next actions: I'll work with Zak to get my own access to his mozillafoundation.org prototype, and add various documents to it (e.g., the CA certificate policy).

  • PKI R&D Workshop. I attended the PKI R&D Workshop at NIST in Gaithersburg, MD, and participated in a panel discussion on browser security. Note also that Bob Relyea of Red Hat spoke about work by Red Hat and Sun to support elliptic curve cryptography in the NSS crypto library, and hence in Firefox and other Mozilla-based products, as well as in server products from Red Hat and Sun. For more information see Bob's presentation; the rest of the workshop presentations and papers are also available online.

    Next action(s): None at this time.

Upcoming activities

Here's what I'll be doing and where I'll be in the coming months.

  • I'll be in Mountain View in June for a Mozilla Foundation board meeting.

This concludes the report.

Comments

Cameron wrote at 2006-04-11 21:33:

Ewww. I mean... can't we just have all the stuff at one URL? Two is acceptable (user vs developer) but 3? :|

Frank Hecker wrote at 2006-04-11 23:30:

There are multiple URLs because there are multiple organizations and multiple constituencies; one of the reasons for having mozilla.com (besides the existence of the Mozilla Corporation) is that users got confused going to mozilla.org and seeing all the project-related stuff. In practice mozillafoundation.org is likely going to be a very "slim" site; its main purpose is simply to store stuff that is specific to the Mozilla Foundation as opposed to the project, mainly information relating to the Foundation as an organization (e.g., info on the board of directors, articles of incorporation, and the like). I think all of the stuff of interest to developers, including all of the policy- and license-related info, can and should stay on www.mozilla.org.

Chris Cook wrote at 2006-04-22 13:49:

Concerning the Mozilla Foundation "Enterprise Model" you might consider the emerging "Capital Partnership" approach.

Basically the Mozilla Foundation could become what I call the "Trustee" or "Custodian" Member of the "Mozilla Partnership" and "own" the Mozilla intellectual property in perpetuity, with strategic governance rights set out in the Partnership and maybe other functions (e.g. dispute resolution).

The Mozilla Partnership would be either a US LLC or (probably better) a UK LLP (which bears no relationship to a US LLP - see www.opencapital.net for details).

Mozilla Partnership would then have three other "Members": (a) "User" Members, who simply consent to the Mozilla Partnership agreement; (b) a "Management" Member, which is a co-operative consortium which does whatever admin and management is necessary, i.e. making the tactical decisions in line with and subject to the Trustee's strategic direction; (c) "Investor" Members, who put in the necessary resources in money or "money's worth" of time, services etc. and possibly get an agreed revenue share (if there is any revenue).

A Mozilla Partnership agreement/protocol would be interesting since it is BOTH "closed" - in that only Members can use Mozilla, AND "Open" in that anyone who wants to sign up may be a member.

Also such a Mozilla Partnership would be non-hierarchical and without the "two tier" "owner"/"manager" conflict of any other corporate form, particularly "Not-for-profit" Foundations.

i.e. a non-toxic "co-operative" proprietary protocol within an "Open" Corporate (as I call the UK LLP).

An outcome of this would be that Mozilla could be simply integrated with commercial "Partner" applications on a revenue-sharing basis.

Bottom line is that the Mozilla Foundation becomes embedded as a pure Trustee in a Mozilla "Co-operative of Co-operatives" or "Partnership of Partnerships".

All on the same URL of course, as you would drill down in respect of each stakeholder grouping's area of interest.

Trackbacks

Financial Cryptography mentioned this post in "News and Views - Mozo, Elliptics, eBay + fraud, naïve use of TLS and/or tokens...":

Firefox, the free open-source Web browser from Mozilla Corp., quietly gained enough users in March to finally grab 10% of the Web browser market, according to a report released yesterday by Web audience-measurement firm NetApplications.com. Funny, I thought that happened long ago....

On the even better news front, Frank Hecker is now posting weekly diaries of action at the Mozilla Foundation. This is an excellent idea, as they are stuck between a rock and a hard place - a non-profit with lots of money and no obvious way to govern it. Here's a snippet of some relevance to FC but the real news is that Mozilla do seem to be taking the search for governance seriously.

PKI R&D Workshop. I attended the PKI R&D Workshop at NIST in Gaithersburg MD, and participated on a panel discussion on browser security. Note also that Bob Relyea of Red Hat spoke about work by Red Hat and Sun to support elliptic curve cryptography in the NSS crypto library and hence in Firefox and other Mozilla-based products, as well as in server products from Red Hat and Sun. For more information see Bob's presentation; the rest of the workshop presentations and papers are also available online.

Presumably Red Hat and Sun are interested in supporting the NIST Suite B because of potential USG sales. It will be interesting to watch how this falls out - will the endorsement of NIST (and in the background, the NSA) push elliptic curve cryptography forward to adoption? Or will the patent free (and therefore cheap) alternatives we already have maintain their open dominance?

A great post by Cubicle on fraud over at eBay. He talks about how the company has drifted and postured to the point where they are now providing infrastructural support for scammers - because it is the scammers that pay their fees. Cubicle has it right. Either you take on fraud by the horns, or it takes you on in very nasty ways. eBay and PayPal chose the latter course, and will always provide a high-cost, low reliability experience for the users. Luckily they got there in an environment when the competition wouldn't stay the course, but things have changed in the payments business lately. Signs are that they recognise the party's over, and Paypal are madly diversifying their base into credit cards and cell/mobile payments.

http://business.guardian.co.uk/story/0,,1751793,00.html
http://news.com.com/irs+to+search+paypal+records+for+tax+evaders/2100-1030_3-6060920.html

Security Is Harder Than You Think, by John Viega and Matt Messier: Many developers see buffer overflows as the biggest security threat to software and believe that there is a simple two-step process to secure software: switch from C or C++ to Java, then start using SSL (Secure Sockets Layer) to protect data communications. It turns out that this naïve tactic isn't sufficient. In this article, we explore why software security is harder than people expect, focusing on the example of SSL.

Viega and Messier talk about how using SSL to get security is likely to be a bit of a fantasy. I'd agree - saying that you use TLS for your security model has generally correlated with a lightweight approach. Likewise, Bruce Schneier writes in Interactions of the ACM that two factor tokens are "too little, too late." Although people are now happy to point out that the SSL, certificate infrastructure, and the browser security model out there is like swiss cheese, there still seems to be a sense that if the developers and the implementers just read the right books and just did the job fully, then we would have security ... I think the major point here is that ACMQueue and Interactions are happy to print articles pointing out the flaws which is probably a necessary step if we are to move forward....
