Re: BofA+Netscape



Marc Andreessen wrote:

| In article <[email protected]>, [email protected] (Adam Shostack) wrote:
| 
| >         It is my personal feeling that Netscape doesn't have the right
| > talent mix to develop secure software.  For example, they may well get
| > the RSA parts right, and then store the passphrase in a text file,
| > 'for ease of use.'
| 
| My goodness, that's a bit malicious and unsubstantiated, isn't it?

	Maybe, but one, you substantiate it yourself, and two, I did
say it is my personal feeling.  I'll expand on it slightly by pointing
to the fact that there have been potentially serious bugs in Mosaic.
That's understandable, writing really secure software that does lots of
stuff based on potentially malicious input is a tough task.  The fact
that it is understandable does not make it acceptable.

	Until you hire the experts mentioned below, I'll continue to
assume that your talent mix does not include said experts.


	In message <[email protected]> Marc
Andreessen  writes:

	>Absolutely.  We certainly welcome any level of comments and
	>criticism about the SSL protocol and our implementation, and
	>we're recruiting for one or two more security experts to join
	>us -- we'll be doing quite a bit of more advanced crypto over
	>the next couple years, if all goes well.  If anyone's
	>interested, please drop me a note.  

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
						       -Hume