Re: NYT on Netscape Crack
> Andrew Loewenstern <andrew_loewenstern@il.us.swissbank.com> writes:
> > Jeff Weinstein <jsw@neon.netscape.com> writes:
> > > Regardless of what Markoff implies, we do not intend to depend on security through obscurity.
> >
> > Oh, can we now expect to see source to at least the security portions of Navigator and the Commerce server?

An excellent proposal. Well how about it Jeff/Netscape? Save Ian and David the effort of reverse engineering it again (which is obviously pointless, and more: mathematically impossible, to do), and get yourself some free advice. Better to have free advice, and quickly now, rather than another disaster later; presume Netscape's cred can't take too many more bashings before this starts affecting share prices etc.

Posting the code for the random number generator would be an excellent start. Kerckhoffs' principle and all. Or if that doesn't sit well with copyright interests, how about writing up an open spec about how the random number generator works? Then we can critique it. An algorithm should be something to be proud of: "it's secure, and see: this is how it works, here are the design criteria, here is how you would attempt to break it, and here is the best predicted attack's cost."

Let's get something useful out of this; an open system is called for, not just a quick switcheroo of another algorithm. Open systems rule! (I thought Netscape was big on open systems, reading some of the blurb, just now.) I'm sure you'd get some useful, valuable feedback from publishing an open spec. Is Netscape still a progressive startup company with hot programmers running the show, or has it slipped into stuffy corporate realms already?

Respectfully,
Adam

> aba@atlas.ex.ac.uk writes:
> > Andrew Loewenstern <andrew_loewenstern@il.us.swissbank.com> writes:
> > > Oh, can we now expect to see source to at least the security portions of Navigator and the Commerce server?
>
> An excellent proposal.

Not especially useful. The bulk of the security problems won't obviously have anything to do with the "security" portion of the code.

> Save Ian and David the effort of reverse engineering it again (which is obviously pointless, and more: mathematically impossible, to do),

What do you mean, mathematically impossible? That's silly.

> Or if that doesn't sit well with copyright interests, how about writing up an open spec about how the random number generator works? Then we can critique it.

That makes good sense, but I doubt they are that sensible. I also worry that they would try to do something like patenting obvious and long used techniques to "protect" themselves.

Perry