Clarification of my remarks about Netscape

Several people have asked me to clarify my recent comments about Netscape.
I am more than happy to oblige.

First of all, let me begin by saying that I am a biased observer, and that
all of this is my personal opinion. My annoyance with Netscape is also closer
to the surface this week than it normally is, due to a variety of factors
(including having just returned from the San Jose IETF meeting). My initial
comment, and the ones that follow in this message, are thus more frank than is
my usual style on, say, public Usenet newsgroups.

That being said, here are some of the data that has gone into my impressions
of Netscape so far.

(1) Netscape plays very fast and loose with HTML. Rather than participating
in the existing standardization efforts, they have indiscriminately added
"extensions" to it that are not supported by any other client software,
and which in some cases go directly against HTML's markup-oriented
structure. This only adds more confusion to an already muddy area,
delays the prospects for a standard HTML specification, and divides the
WWW into "WWW Classic" and "Netscape-compatible". Personally, as a
strong proponent of universal interoperability, I find this reprehensible.
There is no need to bypass existing efforts just to add cosmetic value to
your own software.

(2) The Netscape Secure Sockets proposal has an extremely poor security model.
It is not an end-to-end security model, but rather relies on transport
level security, which is in my view dangerously inadequate for reasons
which should be obvious to most of the folks on this list. It is also
tied directly to the RSA certification hierarchy. Now, for those of us
who have X.509 certificates rooted in the RSA Commercial Certification
authority, that's fine, but it also means that any other WWW client that
wishes to interoperate with Netscape's "secure servers" must license
TIPEM from RSA Data Security, and consequently pay RSA's rather high
royalties, unless the software is free (in which case RSAREF can be used).
This serves as a direct barrier to competition from other commercial
vendors. This is not all bad--I happen to like RSADSI's products and
technology--but promoting a transport-level security system instead of
an end-to-end one is to my mind simply irresponsible.

There has been no peer review of Netscape's security model--it was simply
implemented by fiat, without regard for the IETF standards process. I
find that this leaves a very bad taste in my mouth. I also heard similar
sentiments from a wide variety of other attendees at the IETF, including
members of the IP Security working group, people who attended the Secure
HTTP BOF, and others. This leads me to believe that it's not just a
matter of me leaping to wild conclusions.

(3) Netscape is viewed as a "loose cannon" by most of the other commercial
players in the WWW arena, mainly because they have introduced a fair
amount of FUD into the HTML standardization effort, while simultaneously
promoting themselves as being standards-based. Members of Apple's
"Cyberdog" project and Microsoft's web projects, who *are* trying to
contribute to the standards process, had particularly excoriating things
to say in this regard.

Now, as I said, I am biased and my comments about Netscape are strictly my
personal opinions. I will be perfectly willing to revise these opinions as I
receive more data. For example, if Netscape takes a more active part in
the standards process, works with RSA to secure wider availability of the
underlying technology required by their proposals, and generally demonstrates
a willingness to play nicely with other children, that would be great, and
I'll just as strongly defend them as I am panning them now.

However, in my view, they have not shown a good initial track record.
Only time will tell.

Amanda Walker
InterCon Systems Corporation