From: Raph Levien <s_levien@research.att.com>
Date: Wed, 24 Jul 1996 00:35:22 +0800
To: jsw@netscape.com
Subject: Re: Netscape
In-Reply-To: <v02120d1dae1a1186fd2e@[192.0.2.1]>
Message-ID: <31F4C095.2886@research.att.com>
MIME-Version: 1.0
Content-Type: text/plain


Jeff Weinstein wrote:
> 
> Lucky Green wrote:
> >
> > At 13:38 7/22/96, Tom Weinstein wrote:
> >
> > >Yes, and that's what we're trying to do.  Get strong crypto in the hands
> > >of as many people as we can.  I can hardly wait until we get S/MIME in.
> >
> > What will Netscape do to about the 40bit RC-2 default and the signatures on
> > the outside of the encryption envelope design flaws in S/MIME? I can't
> > imagine Netscape releasing software that has these two properties.
> 
>   If you know that the recipient can read a message encrypted with
> 3DES, IDEA, or RC2-128, then you can send the message using one of
> these strong algorithms.  Given that you need someones public key
> to send them a message, there are several obvious ways to transmit
> information about what algorithms they accept along with it.

   Yes, we all know that. But which one will Netscape actually _do_?

   If there's one thing we've learned from PGP, it's that configuration 
and per-user key management are killers. The reason why I'm so excited 
about Netscape is that you guys have the _possibility_ to really get 
strong crypto to the masses. Whether you really do that or not is in 
your hands.

   I've made a proposal for solving the 40-bit protocol failure in 
S/MIME. There are other proposals out there too, with various strengths 
and weaknesses. The main advantage of mine is that it requires no 
additional infrastructure - i.e. VeriSign does not have to start 
including algorithm preferences in the DigitalID's they distribute.

   Will Netscape come through?

Raph