In article <9412111620.AA41983@eldamar.walker.org>, you write:
Several people have asked me to clarify my recent comments about Netscape. I am more than happy to oblige.
First of all, let me begin by saying that I am a biased observer, and that all of this is my personal opinion. My annoyance with Netscape is also closer to the surface this week than it normally is, due to a variety of factors (including having just returned from the San Jose IETF meeting). My initial comment, and the ones that follow in this message, are thus more frank than is my usual style on, say, public Usenet newsgroups.
That being said, here are some of the data that has gone into my impressions of Netscape so far.
(1) Netscape plays very fast and loose with HTML. Rather than participating in the existing standardization efforts, they have indiscriminately added "extensions" to it that are not supported by any other client software, and which in some cases go directly against HTML's markup-oriented structure. This only adds more confusion to an already muddy area, delays the prospects for a standard HTML specification, and divides the WWW into "WWW Classic" and "Netscape-compatible". Personally, as a strong proponent of universal interoperability, I find this reprehensible. There is no need to bypass existing efforts just to add cosmetic value to your own software.
This has nothing to do with security...
(2) The Netscape Secure Sockets proposal has an extremely poor security model. It is not an end-to-end security model, but rather relies on transport level security, which is in my view dangerously inadequate for reasons which should be obvious to most of the folks on this list.
Clearly I'm an idiot. Explain it to me. And while you are at it, why don't you email me your comments on the spec? I put my email address in there for that very reason. Jeesh.
It is also tied directly to the RSA certification hierarchy. Now, for those of us who have X.509 certificates rooted in the RSA Commercial Certification authority, that's fine, but it also means that any other WWW client that wishes to interoperate with Netscape's "secure servers" must license TIPEM from RSA Data Security, and consequently pay RSA's rather high royalties, unless the software is free (in which case RSAREF can be used).
This serves as a direct barrier to competition from other commercial vendors. This is not all bad--I happen to like RSADSI's products and technology--but promoting a transport-level security system instead of an end-to-end one is to my mind simply irresponsible.
This is an outright lie. We don't use TIPEM. You could build a conformant SSL implementation using RSAREF and the freeware IDEA cipher code. As for a barrier to competition: so what else is new? We all have barriers to overcome before we can compete. Should we get rid of TCP/IP as a barrier to using the web?
There has been no peer review of Netscape's security model--it was simply implemented by fiat, without regard for the IETF standards process. I find that this leaves a very bad taste in my mouth. I also heard similar sentiments from a wide variety of other attendees at the IETF, including members of the IP Security working group, people who attended the Secure HTTP BOF, and others. This leads me to believe that it's not just a matter of me leaping to wild conclusions.
You are somewhat right here. In fact, this was done because we are a company interested in surviving long enough to withstand the eventual attack by Microsoft. Instead of waiting several years before anything was agreed upon and ending up with a kitchen sink protocol as all others these days do, we took a simpler approach. And instead of hiding in a closet with it, we brought it out to light. As a result we received critical review from some decent members of the crypto community, including Martin Abadi, Mike Burrows, Alan Schiffman, Matt Robshaw and Burt Kaliski, to name a few. As for the IETF standards process, we are pushing the document into the RFC process.
(3) Netscape is viewed as a "loose cannon" by most of the other commercial players in the WWW arena, mainly because they have introduced a fair amount of FUD into the HTML standardization effort, while simultaneously promoting themselves as being standards-based. Members of Apple's "Cyberdog" project and Microsoft's web projects, who *are* trying to contribute to the standards process, had particularly excoriating things to say in this regard.
This is a matter of opinion. However, I believe that our opinions don't matter in the long run because of the 800 pound gorilla Microsoft. They will push something out, it will be proprietary, and they will name the tune and ask us to play along. Now we can either just sit back in our current comfy cozy standards-based processes and languish for a few years, and then SIGH and say "Gee, wasn't that fun, too bad Microsoft shoved yet another piece of excrement down our throats", or we can be "loose cannons", get something out there, try it out and see what happens. The market will decide one way or the other.
Now, as I said, I am biased and my comments about Netscape are strictly my personal opinions. I will be perfectly willing to revise these opinions as I receive more data. For example, if Netscape takes a more active part in the standards process, works with RSA to secure wider availability of the underlying technology required by their proposals, and generally demonstrates a willingness to play nicely with other children, that would be great, and I'll just as strongly defend them as I am panning them now.
However, in my view, they have not shown a good initial track record. Only time will tell.
Amanda Walker
InterCon Systems Corporation
---------------------------------------------------------------------
Kipp E.B. Hickman
Netscape Communications Corp.
kipp@mcom.com
http://www.mcom.com/people/kipp/index.html