Clarification of my remarks about Netscape
Several people have asked me to clarify my recent comments about Netscape. I am more than happy to oblige.

First of all, let me begin by saying that I am a biased observer, and that all of this is my personal opinion. My annoyance with Netscape is also closer to the surface this week than it normally is, due to a variety of factors (including having just returned from the San Jose IETF meeting). My initial comment, and the ones that follow in this message, are thus more frank than is my usual style on, say, public Usenet newsgroups.

That being said, here are some of the data that has gone into my impressions of Netscape so far.

(1) Netscape plays very fast and loose with HTML. Rather than participating in the existing standardization efforts, they have indiscriminately added "extensions" to it that are not supported by any other client software, and which in some cases go directly against HTML's markup-oriented structure. This only adds more confusion to an already muddy area, delays the prospects for a standard HTML specification, and divides the WWW into "WWW Classic" and "Netscape-compatible". Personally, as a strong proponent of universal interoperability, I find this reprehensible. There is no need to bypass existing efforts just to add cosmetic value to your own software.

(2) The Netscape Secure Sockets proposal has an extremely poor security model. It is not an end-to-end security model, but rather relies on transport level security, which is in my view dangerously inadequate for reasons which should be obvious to most of the folks on this list. It is also tied directly to the RSA certification hierarchy. Now, for those of us who have X.509 certificates rooted in the RSA Commercial Certification authority, that's fine, but it also means that any other WWW client that wishes to interoperate with Netscape's "secure servers" must license TIPEM from RSA Data Security, and consequently pay RSA's rather high royalties, unless the software is free (in which case RSAREF can be used). This serves as a direct barrier to competition from other commercial vendors. This is not all bad--I happen to like RSADSI's products and technology--but promoting a transport-level security system instead of an end-to-end one is to my mind simply irresponsible. There has been no peer review of Netscape's security model--it was simply implemented by fiat, without regard for the IETF standards process. I find that this leaves a very bad taste in my mouth.

I also heard similar sentiments from a wide variety of other attendees at the IETF, including members of the IP Security working group, people who attended the Secure HTTP BOF, and others. This leads me to believe that it's not just a matter of me leaping to wild conclusions.

(3) Netscape is viewed as a "loose cannon" by most of the other commercial players in the WWW arena, mainly because they have introduced a fair amount of FUD into the HTML standardization effort, while simultaneously promoting themselves as being standards-based. Members of Apple's "Cyberdog" project and Microsoft's web projects, who *are* trying to contribute to the standards process, had particularly excoriating things to say in this regard.

Now, as I said, I am biased and my comments about Netscape are strictly my personal opinions. I will be perfectly willing to revise these opinions as I receive more data. For example, if Netscape takes a more active part in the standards process, works with RSA to secure wider availability of the underlying technology required by their proposals, and generally demonstrates a willingness to play nicely with other children, that would be great, and I'll just as strongly defend them as I am panning them now. However, in my view, they have not shown a good initial track record. Only time will tell.

Amanda Walker
InterCon Systems Corporation