From: "Perry E. Metzger" <perry@imsi.com>
Date: Thu, 20 Jul 95 00:48:00 PDT
To: tcmay@sensemedia.net (Timothy C. May)
Subject: Re: Netscape the Big Win
In-Reply-To: <ac330625030210040787@[205.199.118.202]>
Message-ID: <9507200747.AA15208@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



Timothy C. May writes:
> Integration of crypto into Netscape is thus the Big Win.

Crypto *is* integrated into Netscape. Unfortunately, the crypto is SSL
-- a complete waste of time.

Among other things, SSL only lets you authenticate to X.509
certificate roots that have been issued straight from the hands of Jim
Bidzos -- which effectively means that you can secure only connections
with Netscape commerce servers, and that you cannot authenticate both
ends of the communications link. Its also just plain bad -- there are
ugly holes in the security from what I can see. Netscape is, of
course, pushing it as a standard. Vomit.

Luckily, Netscape recently hired Tahir El Gammal (did I put too many
m's there?) and he's a smart guy. Unfortunately, he seems to be in a
position where he has to defend the fairly bad work they did already.

Other web security systems are also on their way out, of course. Our
own Eric Rescorla (who lurks most of the time) is the author of the
SHTTP specification.

> The relevance for Cypherpunks interested in writing code is that, in my
> carefully considered opinion, writing for Netscape and other Web browsers
> is the Big Win. Even over Windows (except Windows browsers, of course).

Netscape is a closed system. You can't write code for it unless you
work for Netscape.

Perry