Using Conway’s Law for good
During my first week at OpenSSL, I’ve been learning more about the organizational structure. A question has gnawed at me since I first learned about the job: Why was the Foundation split off from the Corporation? I can read about the decision, but as an outsider I don’t really have the background needed to truly understand how OpenSSL got here.
A brief history of OpenSSL
The OpenSSL project is synonymous with the SSL protocol developed by Netscape in 1995. This enabled secure communication between the Netscape Navigator browser and the Netscape Commerce Server.[1] Unfortunately, some of the cryptographic algorithms required to implement the protocol were illegal to export from the US at the time.[2] So two engineers from Australia, Eric A. Young and Tim J. Hudson, developed SSLeay as an open-source library that could be used by developers around the world.
In 1998 the developers of SSLeay were hired by RSA Security and stopped working on the project. In order to continue to have an open source SSL library, a group of volunteers forked SSLeay to start OpenSSL. The new project relied on donations which amounted to ~$2,000 a year. Clearly that’s not enough to support even one programmer, so the project was largely developed by volunteers donating their time. So an integral part of the internet subsisted on a shoestring budget, the kindness of strangers and some consulting work.
Then the world of internet security changed. A subtle bug introduced in the OpenSSL code was revealed with the catchy label Heartbleed. It’s not often a bug can be clearly explained in a cartoon:
Given the importance of the project, Heartbleed prodded many people and organizations to take action to reduce the odds of future vulnerabilities. In particular, the Linux Foundation started the Core Infrastructure Initiative which funded two full-time OpenSSL developers for three years. But the problem remained. How does a complicated and critically-important open-source project retain the expertise needed to fulfill its mission?
According to a 2023 post on the OpenSSL blog:
So since 2020, our main source of income is by selling support contracts. Companies can purchase a contract if they need technical help with OpenSSL or if they need access to support for older end of life versions such as OpenSSL 1.0.2. Another driver for taking out such contracts is FIPS, where companies may wish to have FIPS compliant products with OpenSSL by rebranding our OpenSSL 3 FIPS certificate.
So OpenSSL now has a sustainable source of income to pay for a team to manage the library for the foreseeable future.
Conway Judo
I’ve written about Conway’s Law in the past, but I think it’s helpful to quote a summary from the paper it came from:
The very act of organizing a design team means that certain design decisions have already been made, explicitly or otherwise. Given any design team organization, there is a class of design alternatives which cannot be effectively pursued by such an organization because the necessary communication paths do not exist. Therefore, there is no such thing as a design group which is both organized and unbiased.
One reading of the final sentence implies that Conway’s Law always produces sub-optimal results. Would not an unbiased design group be preferred to a biased team? Well, we know of several exceptions, such as adversarial legal systems in which the parties are represented by lawyers who specifically advocate for their interests. Yes, both representatives are biased, but the system as a whole is designed to give both the prosecution and defense the best possible arguments for their side of the case.
We can see another example in the sometimes unseemly world of politics: special-interest groups. By advocating for a specific policy, issue or cause, lobbyists behave in a biased way that benefits people who agree with the groups’ aims. As long as an organization avoids mission creep, bias gives the group’s purpose the best chance to overcome competing or opposing interests.
Everybody involved in OpenSSL cares about providing an excellent library of cryptography tools that will minimize catastrophic bugs such as Heartbleed. Securing a sustainable income stream to pay developers to work on the library aided that cause. But there’s always a risk that meeting the needs of paying customers could distract from the larger goal of providing security and privacy tools to everyone.
Last year OpenSSL turned off GitHub sponsorship for the project while it evaluated its own organizational structure. It’s hard to know what to do with donations when the project can sustain itself commercially. The practical answer was to split OpenSSL into two pieces:
- The OpenSSL Corporation, which focuses on commercial interests, and
- The OpenSSL Foundation, which focuses on individuals, other open-source projects and academics.
As a result, the Foundation accepted GitHub sponsors again, which allows small donations. Those donations, in turn, fund parts of the mission that risk being overlooked in a unified structure. Our funding source changes our communication paths so that we can effectively work on features that might not have any commercial application.
[1] You can read the Netscape Commerce and Communications Servers Administrator’s Guide on the internet.
[2] As an act of civil disobedience, some people put copies of the RSA algorithm in their email signatures, on T-shirts and tattoos. It was a strange time.