1995-09-19 - Re: NYT on Netscape Crack

Header Data

From: aba@dcs.exeter.ac.uk
To: cypherpunks@toad.com
Message Hash: 33552793f881cad655983affd955f691d6668bc3adbbd0a6235ad38243291be7
Message ID: <155.9509191654@exe.dcs.exeter.ac.uk>
Reply To: N/A
UTC Datetime: 1995-09-19 16:55:48 UTC
Raw Date: Tue, 19 Sep 95 09:55:48 PDT

Raw message

From: aba@dcs.exeter.ac.uk
Date: Tue, 19 Sep 95 09:55:48 PDT
To: cypherpunks@toad.com
Subject: Re: NYT on Netscape Crack
Message-ID: <155.9509191654@exe.dcs.exeter.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain



Andrew Loewenstern <andrew_loewenstern@il.us.swissbank.com> writes:
> Jeff Weinstein <jsw@neon.netscape.com> writes:
> >    Regardless of what Markoff implies, we do not intend to depend
> >  on security through obscurity.
> 
> Oh, can we now expect to see source to at least the security portions of  
> Navigator and the Commerce server?

An excellent proposal.

Well, how about it, Jeff/Netscape?

Save Ian and David the effort of reverse engineering it again (which
it is obviously pointless, and more: mathematically impossible, to do),
and get yourself some free advice.  Better to have free advice, and
quickly now, rather than another disaster later; presume Netscape's
cred can't take too many more bashings before this starts affecting
share prices etc.

Posting the code for the random number generator would be an excellent
start.  Kirkov (sp?) principle and all.  Or if that doesn't sit well
with copyright interests, how about writing up an open spec about how
the random number generator works?  Then we can critique it.  An
algorithm should be something to be proud of, "it's secure, and see:
this is how it works, here are the design criteria, here is how you
would attempt to break it, and here is the best predicted attack's
cost."

Let's get something useful out of this; an open system is called for,
not just a quick switcheroo of another algorithm.  Open systems rule!
(I thought Netscape was big on open systems, reading some of the
blurb, just now).

I'm sure you'd get some useful, valuable feedback from publishing an
open spec. Is Netscape still a progressive startup company with hot
programmers running the show, or has it slipped into stuffy corporate
realms already?

Respectfully,

Adam





