I was thinking recently how the events of the past week or so have turned me into a sort of a Netscape advocate. Granted, there are bugs in Netscape, and there probably will be more bugs uncovered (someone needs to write an exploit if they want themselves & Ray to get a T-shirt, btw), but Netscape is interested in fixing problems and the new 2.0 is doing encrypted email, probably with a really nice interface (haven't seen it yet, of course), and they are working to make the 128-bit version downloadable. (The 128-bit version is available overseas already anyway, I hear.)

The really big sticking point I see, however, is the certification authorities. There is a single point of failure here and that is at Verisign. This becomes a large problem, I think, if the encrypted email that Netscape does requires personal x509 certificates. (I read that Verisign is issuing those for $9/each.) This is a problem because for one thing I don't think Verisign will want to issue certs to pseudonyms, and Netscape may not talk encrypted email to non-certified people. (I am not sure.)

The solution to this, of course, is to allow Navigator to accept alternate certification hierarchies, so we can set up a Cypherpunks cert agency or a c2.org cert agency, which -will- sign nyms' keys, etc. The question exists, though, as to whether or not Netscape will allow for alternate agencies in Navigator. I haven't seen any mention of this feature in 2.0, so if the feature exists in 2.0, then great!

Otherwise, unless Netscape is going to allow for alternate cert agencies on a specific timescale, I think we have to do something about it in order to force the issue. Along the same lines of what happened recently -- because of the exposed hole and the pressure put on Netscape, management was finally willing to let some of the code be available for public review.
If something happened to show how relying on a single point of failure such as Verisign was bad and resulted in much press & publicity, then perhaps Netscape management would be convinced to allow for alternate cert hierarchies.

Some sort of hack which demonstrates this would be great. I am feeling uncreative and can't think of anything effective short of stealing Verisign's private key, but that would be pretty damn tough.

--
sameer                                  Voice:   510-601-9777
Community ConneXion                     FAX:     510-601-9734
An Internet Privacy Provider            Dialin:  510-658-6376
http://www.c2.org (or login as "guest") sameer@c2.org