1995-09-25 - Netscape as vehicle for cypherpunk agenda/the cypherpunk bully pulpit

Header Data

From: sameer <sameer@c2.org>
To: cypherpunks@toad.com
Message Hash: 6e5f4c51f6c37fee9fe453baf25a6c14bb57432e058204b2e4cbba8dc65a6e65
Message ID: <199509251741.KAA04656@infinity.c2.org>
Reply To: N/A
UTC Datetime: 1995-09-25 17:46:18 UTC
Raw Date: Mon, 25 Sep 95 10:46:18 PDT

Raw message

From: sameer <sameer@c2.org>
Date: Mon, 25 Sep 95 10:46:18 PDT
To: cypherpunks@toad.com
Subject: Netscape as vehicle for cypherpunk agenda/the cypherpunk bully pulpit
Message-ID: <199509251741.KAA04656@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


	I was thinking recently how the events of the past week or so
have turned me into a sort of a Netscape advocate. Granted, there are
bugs in Netscape, and there probably will be more bugs uncovered
(someone needs to write an exploit if they want themself & Ray to get
a T-shirt btw), but Netscape is interested in fixing problems and the
new 2.0 is doing encrypted email, probably with a really nice
interface (Haven't seen it yet, of course) and they are working to
make the 128-bit version downloadable. (The 128bit version is
available overseas already anyway, I hear.)

	The really big sticking point I see, however, is the
certification authorities. There is a single point of failure here and
that is at Verisign. This becomes a large problem I think if the
encrypted email that Netscape does requires personal x509 certificates (I
read that Verisign is issuing those for $9/each.) This is a problem
because for one thing I don't think Verisign will want to issue certs
to pseudonyms, and Netscape may not talk encrypted email to
non-certified people. (I am not sure)

	The solution to this, of course, is to allow Navigator to
accept alternate certification hierarchies, so we can set up a
Cypherpunks cert agency or a c2.org cert agency, which -will- sign
nym's keys, etc. The question exists though, as to whether or not
Netscape will allow for alternate agencies in Navigator.

	I haven't seen any mention of this feature in 2.0, so if the
feature exists in 2.0, then great! Otherwise, unless Netscape is going
to allow for alternate cert agencies on a specific timescale, I think
we have to do something about it in order to force the issue.

	Along the same lines of what happened recently-- because of
the exposed hole and the pressure put on Netscape, management was
finally willing to let some of the code be available for public
review. If something happened to show how relying on a single point of
failure such as Verisign was bad and resulted in much press &
publicity, then perhaps Netscape management would be convinced to
allow for alternate cert hierarchies..

	Some sort of hack which demonstrates this would be great. I am
feeling uncreative and can't think of anything effective short of
stealing Verisign's private key, but that would be pretty damn tough.

-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
An Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			sameer@c2.org



