We're Off and Running!
Posted by Craig H on 8 July 2009
Today we have reached a significant milestone for us Symbian security people, and for the Symbian Platform in general. The OS Security package source code is now available under the Eclipse Public License (EPL) and it is the very first package to be officially moved from the closed Symbian Foundation License (SFL) to be open sourced under the EPL.
I want to publicly thank everyone who pulled out the stops to make this happen, particularly Santosh Patil and William Roberts who did most of the heavy lifting, but also many others who were involved in the approval process inside and outside Symbian.
Why was this package the first to go through this process? There was a practical reason and a symbolic reason:
The practical reason is the export regulations in the UK, where the Symbian Platform source code is hosted. The rules and regulations weren’t really written with source code in mind, and we found that it wasn’t feasible to get an export license which permitted the SFL crypto library source code to be exported. Fortunately there is an exemption for software “in the public domain”, meaning that open source software isn’t export controlled, so moving it from SFL to EPL was the most straightforward way to make sure that the complete cryptographic functionality would be available to all.
The symbolic reason is to demonstrate that we really are serious about providing a platform that is both open and secure. We’ve always been open about the design of our platform security mechanisms. Now we’ve started being open about their implementation as well. Cryptographers know to distrust cryptographic algorithm implementations that aren’t open to peer review, so here are ours. Our algorithm implementations were actually derived from the public domain Crypto++ library some years ago, and our thanks go to Wei Dai for making that available.
One final note for those who dive in to the source code: you’ll notice that the crypto library source is in a directory called “weakcrypto”, but that’s for arcane historical reasons and it does actually include the full crypto library code. There are two project build files:
- crypto.mmp builds weak_cryptography.dll which limits symmetric keys to 56 bits and asymmetric keys to 512 bits (I suppose this might still be needed for some devices in some jurisdictions?)
- strong_crypto.mmp builds strong_cryptography.dll which has no arbitrary limit on key sizes.
Congratulations to all involved, and I’m now looking forward to the next package we can move to open source (the application installer would be my preference, but let’s see :-)).