
Re: BofA+Netscape




Marc Andreessen says:
> I fully expect we'll be supporting other security standards and
> approaches as they emerge, and we certainly welcome realistic suggestions 
> on what we should do, when, and how.

I told you in Email, Mr. Andreessen, that new transport level security
protocols are useless now that IPSP has come near to standardization
and now that prototype implementations are nearly available. Many
people at IETF in other groups expressed far less interest in
proceeding with new security protocols now that there will be a
network layer security protocol. However, you did not appear to be
remotely interested. I suppose that you considered the comment I made
"unrealistic".

Personally, I consider to be unrealistic the notion that the same
group of programmers who a year or two ago thought that the way to
remove files on a Unix system was to use system(3) to call rm via the
shell will be standardizing security -- after all, they couldn't
produce a secure piece of software to begin with.

My current presumption is that since the same programmers who produce
Mosaic produced Netscape that, although pretty looking on the outside,
it is just as bad on the inside: like a beautiful marble skyscraper
that is held together on the inside with chewing gum, toothpicks and
rusty baling wire. I have discouraged clients from using Netscape in
the absence of source because there is no way to look for the security
holes that are surely lurking within it; unfortunately, the product is
just too pretty looking.

By all means, of course, work on any security system you like. The
burden will be on you to convince people to use it.


Perry