From: “Kipp E.B. Hickman” <kipp@warp.mcom.com>
To: cypherpunks@toad.com
Message Hash: d87fa4c9635b9b4984d84bc83a7b61da9c0331666eb5afd99b26aa3b5f7f2c4e
Message ID: <9412121231.ZM17395@warp.mcom.com>
Reply To: N/A
UTC Datetime: 1994-12-12 20:33:49 UTC
Raw Date: Mon, 12 Dec 94 12:33:49 PST
From: "Kipp E.B. Hickman" <kipp@warp.mcom.com>
Date: Mon, 12 Dec 94 12:33:49 PST
To: cypherpunks@toad.com
Subject: Re: Clarification of my remarks about Netscape
Message-ID: <9412121231.ZM17395@warp.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain
In article <9412111620.AA41983@eldamar.walker.org>, you write:
> Several people have asked me to clarify my recent comments about Netscape.
> I am more than happy to oblige.
>
> First of all, let me begin by saying that I am a biased observer, and that
> all of this is my personal opinion. My annoyance with Netscape is also closer
> to the surface this week than it normally is, due to a variety of factors
> (including having just returned from the San Jose IETF meeting). My initial
> comment, and the ones that follow in this message, are thus more frank than is
> my usual style on, say, public Usenet newsgroups.
>
> That being said, here are some of the data that has gone into my impressions
> of Netscape so far.
>
> (1) Netscape plays very fast and loose with HTML. Rather than participating
> in the existing standardization efforts, they have indiscriminately added
> "extensions" to it that are not supported by any other client software,
> and which in some cases go directly against HTML's markup-oriented
> structure. This only adds more confusion to an already muddy area,
> delays the prospects for a standard HTML specification, and divides the
> WWW into "WWW Classic" and "Netscape-compatible". Personally, as a
> strong proponent of universal interoperability, I find this reprehensible.
> There is no need to bypass existing efforts just to add cosmetic value to
> your own software.

This has nothing to do with security...

> (2) The Netscape Secure Sockets proposal has an extremely poor security model.
> It is not an end-to-end security model, but rather relies on transport
> level security, which is in my view dangerously inadequate for reasons
> which should be obvious to most of the folks on this list.

Clearly I'm an idiot. Explain it to me. And while you are at it, why don't you
email me your comments on the spec? I put my email address in there for that
very reason. Jeesh.

> It is also
> tied directly to the RSA certification hierarchy. Now, for those of us
> who have X.509 certificates rooted in the RSA Commercial Certification
> authority, that's fine, but it also means that any other WWW client that
> wishes to interoperate with Netscape's "secure servers" must license
> TIPEM from RSA Data Security, and consequently pay RSA's rather high
> royalties, unless the software is free (in which case RSAREF can be used).
> This serves as a direct barrier to competition from other commercial
> vendors. This is not all bad--I happen to like RSADSI's products and
> technology--but promoting a transport-level security system instead of
> an end-to-end one is to my mind simply irresponsible.

This is an outright lie. We don't use TIPEM. You could build a
conformant SSL implementation using RSAREF and the freeware IDEA
cipher code. As for a barrier to competition. So what else is new? We
all have barriers to overcome before we can compete. Should we get rid of
TCP/IP as a barrier to using the web?

> There has been no peer review of Netscape's security model--it was simply
> implemented by fiat, without regard for the IETF standards process. I
> find that this leaves a very bad taste in my mouth. I also heard similar
> sentiments from a wide variety of other attendees at the IETF, including
> members of the IP Security working group, people who attended the Secure
> HTTP BOF, and others. This leads me to believe that it's not just a
> matter of me leaping to wild conclusions.

You are somewhat right here. In fact, this was done because we are a company
interested in surviving long enough to withstand the eventual attack
by Microsoft. Instead of waiting several years before anything was agreed
upon and ending up with a kitchen sink protocol as all others these days
do, we took a simpler approach. And instead of hiding in a closet with
it, we brought it out to light. As a result we received critical review
from some decent members of the crypto community, including:

    Martin Abadi
    Mike Burrows
    Alan Schiffman
    Matt Robshaw
    Burt Kaliski

to name a few. As for the IETF standards process, we are pushing the
document into the RFC process.

> (3) Netscape is viewed as a "loose cannon" by most of the other commercial
> players in the WWW arena, mainly because they have introduced a fair
> amount of FUD into the HTML standardization effort, while simultaneously
> promoting themselves as being standards-based. Members of Apple's
> "Cyberdog" project and Microsoft's web projects, who *are* trying to
> contribute to the standards process, had particularly excoriating things
> to say in this regard.

This is a matter of opinion. However, I believe that our opinions
don't matter in the long run because of the 800 pound gorilla
Microsoft. They will push something out, it will be proprietary, and
they will name the tune and ask us to play along. Now we can either
just sit back in our current comfy cozy standards based processes and
languish for a few years, and then SIGH and say "Gee wasn't that fun,
too bad Microsoft shoved yet another piece of excrement down our
throats" or we can be "loose cannons", get something out there, try it
out and see what happens. The market will decide one way or the other.

> Now, as I said, I am biased and my comments about Netscape are strictly my
> personal opinions. I will be perfectly willing to revise these opinions as I
> receive more data. For example, if Netscape takes a more active part in
> the standards process, works with RSA to secure wider availability of the
> underlying technology required by their proposals, and generally demonstrates
> a willingness to play nicely with other children, that would be great, and
> I'll just as strongly defend them as I am panning them now.
>
> However, in my view, they have not shown a good initial track record.
> Only time will tell.
>
>
> Amanda Walker
> InterCon Systems Corporation
>
>
---------------------------------------------------------------------
Kipp E.B. Hickman Netscape Communications Corp.
kipp@mcom.com http://www.mcom.com/people/kipp/index.html