Sender-ID Back from the Dead
Posted October 25, 2004 – 4:21 pm by Yakov Shafranovich in Spam and Email (This entry has been Slashdotted and published on Circle-ID).
With the closure of IETF’s MARID group a month ago, many of us have left Microsoft’s Sender-ID standard for dead. After it was rejected by the Apache Foundation and the Debian Project over licensing issues, and caused the closure of MARID over some of the same issues (in addition to already long-running technical ones), some thought that Microsoft may have just buried it and gone on to better things like IETF’s new MAILSIG group (in formation). But just like the ghost of Hamlet’s father, it refuses to die, and now it looks like it is coming back to life in a new reincarnation. According to this story, Microsoft’s Sender-ID standard is back to life after being picked on by lawyers and techies. It has been revised to add backwards compatibility with SPF, its license has been tweaked to allow “no license required” use of Sender-ID for SPF-like MAIL FROM checking, and it has been resubmitted to the IETF for approval as an experimental RFC. There are also rumors of changes to the actual patent application, but so far they remain unsubstantiated.
In any case, IETF’s drafts repository so far shows no signs of a new draft, nor does the IETF IPR page indicate any licensing changes, but that sometimes takes a few days. HOWEVER, the FAQ listed on Microsoft’s Sender-ID site has been updated with these two changes:
Based on industry feedback, the Sender ID Framework has been enhanced to include support for validating two different identities; the Purported Responsible Address (PRA) derived from message headers and the Envelope From Address (MAILFROM) obtained from the SMTP protocol MAIL command.
…
Q5: Who needs to execute a license with Microsoft? A: It’s important to note that the license is only relevant to those organizations (ISP, large enterprises) who will be checking e-mails using the PRA check alternative of the Sender ID Framework need to secure a license. Those simply publishing their Sender ID records do not need this license.
A more surprising development today is the related press release from AOL endorsing the “new” Sender-ID. It seems that the sticking point was backwards compatibility with SPF:
On September 15th, AOL announced that it would not move forward with the deployment of Sender ID technology, because we had reservations at that time about the specific version that had been submitted. Namely, the fact that Sender ID at that time lacked ‘backwards compatibility’, which meant that all of the development work AOL and many others had put into the email authentication testing process would be cast aside by the new version of Sender ID.
However, a previous statement from AOL’s spokesman specifically pointed to the licensing issue:
“Given recent concerns expressed by the Internet Engineering Task Force (IETF), coupled with the tepid support for Sender ID in the open source community, AOL has decided to move forward with SPF,” Nicholas Graham, AOL spokesperson, told internetnews.com via e-mail.
It sounds like the open source community is not much of an issue anymore to AOL, which was alluded to in their earlier statement:
For AOL, the concerns of the open source community are an important but not critical reason for withdrawing full support of the Sender ID technology
However, a more important issue at hand is the last paragraph of AOL’s press release:
“AOL also looks forward to presenting these views and others at the Federal Trade Commission’s (FTC) email authentication summit in November, along with our industry partners.”
The FTC and NIST are holding a joint summit on email authentication in two weeks in Washington, DC (during the same week as IETF’s 61st conference). They hinted earlier this year that if the industry does not come up with a standard for authentication, the feds might impose one. If Microsoft comes to the FTC with AOL in tow, this may tip the balance in favor of Sender-ID as the “ultimate” industry standard. So Microsoft et al. just might be circling the wagons now in preparation for the summit.
And those pesky open source people? Some of the comments filed with the FTC in preparation for the summit have clearly indicated to the FTC that licensing is a major issue. That was also one of the questions asked by the commission in their original Federal Register notice:
8. Whether any of the proposed authentication standards are proprietary and/or patented.
9. Whether any of the proposed authentication standards would require the use of goods or services protected by intellectual property laws.
While Microsoft et al. may choose to say “who cares about the open source camp anyway”, perhaps even to the FTC itself, let’s not forget an important point: as pointed out in one of my earlier articles, the four major MTAs that run the majority of the Internet’s email are all open source. Even non-MTA software used for fighting spam, such as Apache’s SpamAssassin, is used widely, and even open source email clients like Mozilla’s Thunderbird are gaining support. So while the open source community may have been easy to ignore years ago, today open source influence is felt in every piece of the Internet’s infrastructure, from the desktop to the server.
So as the ghost of Sender-ID rises from its earlier grave, we may be tempted to ask Microsoft about its future plans for this standard. Having been snubbed by the IETF through MARID’s closure, why is it that Microsoft insists on pursuing this standard without giving an inch to the open source community on licensing issues? Perhaps the software patents issue has gone so far that companies are taking out defensive patents for the sake of patents, and Microsoft is just doing this to defend itself? Or perhaps, having failed to ram Sender-ID through the IETF, Microsoft is now using its extensive lobbying power to convince the FTC to mandate Sender-ID? We may never know, but one thing is for certain: this battle is not over yet.
Tags: ietf, ipr, microsoft, patents, senderid
22 Responses to “Sender-ID Back from the Dead”
“open ource camp” ?? Typo.
By jsa on Oct 26, 2004
Corrected, thanks!
By netwizard on Oct 26, 2004
When it’s time to lobby the FCC to remind them that open source matters, just give us the phone number or (heh) email address.
– Asheesh.
By Asheesh Laroia on Oct 26, 2004
“unsubstaintained”? Typo!
By Bonta on Oct 26, 2004
anal retentive slashdotters…
By chuckmo on Oct 26, 2004
anal retentive slashdotters…
btw, which sane /.err uses MT anymore?
By bluckmo on Oct 26, 2004
What do you mean “corrected”? It still says “open ource”.
By Dave on Oct 26, 2004
Check your dictionary, Dave - that’s what he corrected. The proper spelling for the word is now “ource”.
By Stan on Oct 26, 2004
I’m biased, I’ve been working with SPF since late last year…. but my scoop:
MS wants the FTC to lay the smacketh down, and then enter “Email Postmarks” involving cryptography. Enter Verislime ready to sell you a certificate. Step forward several frames into the future where quite possible in order to be considered reputable you must purchase a certificate just to get your email to be considered “not-spam”. Remind anyone of HTTPS?
SPF _IS_ broken, just as SenderID is. There are alternatives and fixes for SPF. SenderID is Meng Weng Wong & Microsoft, I’m quite sick of hearing it referred to as MS’s. MS owned CallerID, they don’t wholly control SenderID. I suppose in Meng We Trust…
By James Couzens on Oct 26, 2004
anal-retentive has a hyphen, you insensitive clod!
By petiepooo on Oct 26, 2004
A technical geek rabbi?!?!!?!?!? Do you /. on shabbis?
By David on Oct 26, 2004
What about DomainKeys? It’s open source and just as effective as SPF or that Microsoft Fiasco. No patents, licenses, etc. Let’s just get it running!
By Mark on Oct 26, 2004
Comment :: Typo
“, we may be tempted ask Microsoft” needs a little “to” in it after “tempted”.
By Rene on Oct 26, 2004
> “unsubstaintained”? Typo!
Corrected.
> What do you mean “corrected”? It still says “open ource”.
This entry is being cached, so changes take some time to propagate.
> “, we may be tempted ask Microsoft” needs a little “to” in it after “tempted”.
Corrected.
By netwizard on Oct 26, 2004
> When it’s time to lobby the FCC to remind them that open source matters, just give us the phone number or (heh) email address.
Unfortunately the FTC’s comment period has been finished. But anyone in the DC area is welcome to attend FTC’s Email Authentication Summit and make your voice heard there.
> What about DomainKeys? It’s open source and just as effective as SPF or that Microsoft Fiasco. No patents, licenses, etc. Let’s just get it running!
It is much more complicated to implement and it also comes with a patent.
By netwizard on Oct 26, 2004
Standard? What standard? The ink hasn’t even dried on their submission yet!
This is ONLY a specification until it is so widely used that there is no question as to its applicability. Only then can we legitimately call Sender-ID a “standard”. This has not happened.
Watch your language, or you’ll be playing right into Mr. Gates’ hands.
By FrankHaynes on Oct 27, 2004
I am just using the language from the stories. Being that no standards organization is going to be approving this, Microsoft is calling it a standard in their own right.
By netwizard on Oct 27, 2004
For anyone who’s interested, we’ll be continuing the discussion about industry collaboration that is being prodded by the FTC Summit at the INBOX event the following week in Atlanta when leaders of MAAWG (Messaging Anti Abuse Working Group), the Anti Phishing Working Group, the Open Group’s Messaging Forum, TECF, TRUSTe and the ESPC (Email Service Provider Coalition) get together on Wed Nov 17. These guys are all involved and pushing on this stuff with their various constituencies.
By Martin Hall on Oct 28, 2004
I wonder if the open source folks are being included in “industry collaboration”. The licensing issues aren’t going away anytime soon and considering the extent of the OSS impact on Internet infrastructure, the OSS concerns should be taken into account. Perhaps inviting Larry Rosen?
By netwizard on Oct 28, 2004
I’d be happy to get some OSS representation. One avenue I pursued didn’t pan out. Any pointers or volunteers can contact me. I’ll reach out to Larry.
By Martin Hall on Oct 28, 2004