1994-12-11 - Clarification of my remarks about Netscape

Header Data

From: “Amanda Walker” <amanda@intercon.com>
To: cypherpunks@toad.com
Message Hash: 307c0e18af931c4439849ea1e8ea3071ae9847e071448bcdb06f92a45745365a
Message ID: <9412111620.AA41983@eldamar.walker.org>
Reply To: N/A
UTC Datetime: 1994-12-11 21:21:11 UTC
Raw Date: Sun, 11 Dec 94 13:21:11 PST

Raw message

From: "Amanda Walker" <amanda@intercon.com>
Date: Sun, 11 Dec 94 13:21:11 PST
To: cypherpunks@toad.com
Subject: Clarification of my remarks about Netscape
Message-ID: <9412111620.AA41983@eldamar.walker.org>
MIME-Version: 1.0
Content-Type: text/plain


Several people have asked me to clarify my recent comments about Netscape.
I am more than happy to oblige.

First of all, let me begin by saying that I am a biased observer, and that
all of this is my personal opinion.  My annoyance with Netscape is also closer
to the surface this week than it normally is, due to a variety of factors
(including having just returned from the San Jose IETF meeting).  My initial 
comment, and the ones that follow in this message, are thus more frank than is 
my usual style on, say, public Usenet newsgroups.

That being said, here are some of the data that has gone into my impressions
of Netscape so far.

(1) Netscape plays very fast and loose with HTML.  Rather than participating
    in the existing standardization efforts, they have indiscriminately added
    "extensions" to it that are not supported by any other client software,
    and which in some cases go directly against HTML's markup-oriented
    structure.  This only adds more confusion to an already muddy area,
    delays the prospects for a standard HTML specification, and divides the
    WWW into "WWW Classic" and "Netscape-compatible".  Personally, as a
    strong proponent of universal interoperability, I find this reprehensible.
    There is no need to bypass existing efforts just to add cosmetic value to
    your own software.

(2) The Netscape Secure Sockets proposal has an extremely poor security model.
    It is not an end-to-end security model, but rather relies on transport
    level security, which is in my view dangerously inadequate for reasons
    which should be obvious to most of the folks on this list.  It is also
    tied directly to the RSA certification hierarchy.  Now, for those of us
    who have X.509 certificates rooted in the RSA Commercial Certification
    authority, that's fine, but it also means that any other WWW client that
    wishes to interoperate with Netscape's "secure servers" must license
    TIPEM from RSA Data Security, and consequently pay RSA's rather high
    royalties, unless the software is free (in which case RSAREF can be used).
    This serves as a direct barrier to competition from other commercial
    vendors.  This is not all bad--I happen to like RSADSI's products and
    technology--but promoting a transport-level security system instead of
    an end-to-end one is to my mind simply irresponsible.

    There has been no peer review of Netscape's security model--it was simply
    implemented by fiat, without regard for the IETF standards process.  I
    find that this leaves a very bad taste in my mouth.  I also heard similar
    sentiments from a wide variety of other attendees at the IETF, including
    members of the IP Security working group, people who attended the Secure
    HTTP BOF, and others.  This leads me to believe that it's not just a
    matter of me leaping to wild conclusions.

(3) Netscape is viewed as a "loose cannon" by most of the other commercial
    players in the WWW arena, mainly because they have introduced a fair
    amount of FUD into the HTML standardization effort, while simultaneously
    promoting themselves as being standards-based.  Members of Apple's
    "Cyberdog" project and Microsoft's web projects, who *are* trying to
    contribute to the standards process, had particularly excoriating things
    to say in this regard.

Now, as I said, I am biased and my comments about Netscape are strictly my
personal opinions.  I will be perfectly willing to revise these opinions as I
receive more data.  For example, if Netscape takes a more active part in
the standards process, works with RSA to secure wider availability of the
underlying technology required by their proposals, and generally demonstrates 
a willingness to play nicely with other children, that would be great, and 
I'll just as strongly defend them as I am panning them now.

However, in my view, they have not shown a good initial track record.
Only time will tell.


Amanda Walker
InterCon Systems Corporation





