Old ASRG Archives

June 9, 2005 – 7:20 pm

After sitting on my desk for six months, I finally got around to posting some of the old ASRG email archives. They can be found here.

Industry/Standards cooperation

June 2, 2005 – 7:06 pm

(This post was part of a separate “Standards Blog” which has been merged into my main blog)

One of the recurring themes in standards development is the inevitable tug of war between standards bodies and the industry. Many times, specific companies may come up with different ways to solve the same problem and then seek to standardize it either for IPR or PR advantage. However, often part of the process is giving up the right to control the standards process, which may mean that the end result might bear no resemblance to the original product. For this reason, many companies are reluctant to give up their ideas to become standards. At the same time, it often happens that the members of the standards body are reluctant to accept ideas from a company since they have been burned badly in the past. This results in friction between standards bodies and the industry, which of course is not good for anyone.

Ideally, the two should work together since it is the industry support which gets a standard rolling. Some of the best examples of that are bodies like the OpenGroup, the WiFi Alliance, and MAAWG which do not seek to impose standards but rather help with implementation and collectively provide industry input to the standards process. Standards bodies should also not ignore industry input but rather seek to engage them in discussions. Like everything, this is a balancing act - one that requires a lot of tolerance from all parties.

Something’s Cooking at the IETF with Email Authentication

January 16, 2005 – 11:27 pm

(This article was published by Circle-ID)

DISCLAIMER: I do not have any inside knowledge regarding this nor have I discussed this with any IETF folks. This is based purely on publicly available information.

A few months ago, Ted Hardie (AD of Applications for the IETF) informed the MARID WG in the closure announcement as follows:

Given the importance of the world-wide email and DNS systems, it is critical that IETF-sponsored experimental proposals likely to see broad deployment contain no mechanisms that would have deleterious effects on the overall system. The Area Directors intend, therefore, to request that the experimental proposals be reviewed by a focused technology directorate. This review group has not yet been formed but, as with all directorates, its membership will be publicly listed at http://www.ietf.org/u/ietfchair/directorates.html once it has been constituted.

IETF Directorates are defined in RFC 2418 as follows:

In many areas, the Area Directors have formed an advisory group or directorate. These comprise experienced members of the IETF and the technical community represented by the area. The specific name and the details of the role for each group differ from area to area, but the primary intent is that these groups assist the Area Director(s), e.g., with the review of specifications produced in the area.

Now the directorates list does not YET list anything on this. However, now comes word from the SPF folks that something is cooking in this area. In an email to the SPF Discuss list Julian Mehnle wrote the following of the recent SPF Council meeting:

Wayne reported that within the IETF, the draft-schlitt-spf-classic-00[6] specification draft had been conveyed to the Directorate for DNS and Email Authentication (DEA), which is working in private by IETF standard policy. The DEA would contact the draft’s authors, Meng and Wayne, for any questions and comments. Wayne also stated that he had informed all relevant IETF working groups about the draft and that the DNS groups had raised objections, mostly regarding the zone cut default mechanism, but the e-mail working groups had not expressed any disfavor. Wayne said that he was working hard on another iteration of the draft.

A quick check at the IETF’s mailing list page reveals a new mailing list called “DEA-DIR” which stands for “Directorate for DNS and Email Authentication”. The list is currently private and being managed by the two ADs for the application area. The list is referenced in an email from Ted Hardie to the SPF-Council’s mailing list dated January 10th, 2005:

DEA-dir is the list Scott and I are using as a directorate list for folks helping us review these experimental proposals. The list itself is basically there so we can get folks who have committed to reviewing the drafts to share their reviews with each other. There is no need for you two as authors to be on it; Scott and I already know where to find you to ask you questions on your draft. The dea-dir list is closed, so we can keep the discussion focused, but its members have no special status; comments from reviewers on the list and comments from outside the list are treated exactly the same in the standards process. Anyone with a comment on the drafts can send them to the ADs directly.

So, it appears that the IETF is keeping to its promise after all and is proceeding with evaluation of email authentication proposals on the experimental track via this directorate. Of course, since very little public information is currently available, it is hard to judge what is going on. Hopefully, the IETF will release more information and publish a list of members as promised originally. And while SPF is being reviewed by the IETF, there has been no word as to whether Sender-ID is getting the same treatment.

2004: The Year That Promised Email Authentication

December 25, 2004 – 11:25 pm

(This article was published at Circle-ID)

As the year comes to a close, it is important to reflect on what has been one of the major actions in the anti-spam arena this year: the quest for email authentication. With email often called the “killer app” of the Internet, it is important to reflect on any major changes proposed or implemented that can affect that basic tool that many of us have come to rely on in our daily lives. And, while many of the debates involved myriads of specialized mailing lists, standards organizations, conferences and even some government agencies, it is important for the FOSS community, as well as the Internet community at large, to analyze and learn lessons from the events surrounding email authentication in 2004.

Larry Seltzer on Sender-ID

October 28, 2004 – 4:55 pm

eWeek just published an opinion piece on Sender-ID written by Larry Seltzer. In general it reflects the same line of thinking that I used myself. However, I do want to take issue with something he says at the end of the article:

Personally, I’m sick and tired of the lack of achievement that openness and the OSS community have gotten us. If it weren’t for private companies like Microsoft and Yahoo and Meng Wong personally, we wouldn’t have anywhere near as many plausible solutions in sight as we do now.

Really? At one point in the ASRG there were at least 7 sender authentication proposals discussed, none of which were developed by big companies. Rather, all of them were made by single individuals with the exception of Meng Wong who had a large open community behind him. Look at IETF-MAILSIG - only two solutions are from big companies, the rest from little guys. The IETF itself operates very openly as well, just like many other standards organizations, and many proposals in the IETF come from single individuals as well. What Microsoft has done here is classic “embrace and extend” - they took the work percolating in the ASRG for several months, “extended it” by adding PRA and brought it back to the table, branded as their own. I wrote about this in detail previously in a two part series published at CircleID, titled “Sender ID: A Tale of Open Standards and Corporate Greed?” (Part I, Part II):

This brings us to the next point of this story: what did Microsoft possibly invent? The Caller-ID standard when published had two major distinctions over the existing set of authentication proposals: it used XML and also had the PRA algorithm to address phishing in addition to spam. The rest of the proposal was based directly on SPF, DMP, RMX and others, all of which dated back to Paul Vixie in 2002 and to Jim Miller in 1997.

I am sorry Larry, but that paragraph in your story is total FUD.

MARID is dead

September 22, 2004 – 2:54 pm

This was published on Circle-ID.

As long suspected by some, the IETF is going to be closing up the MARID WG according to today’s post by Ted Hardie, co-AD for Applications. Larry Seltzer of eWeek was right on target about this:

The rest of the SID standards process will now be a waste of time thanks to Microsoft, and the other participants will afterwards pick up the pieces and get the job done with another spec.


Analysis of Sender-ID patents

September 18, 2004 – 9:42 pm

My former co-chair at the ASRG, John Levine, published an analysis of Sender-ID's patent application. Along with other opinions offered in the MARID WG, it seems that the patent may very well cover SPF Classic which only does MAIL FROM checking. Considering that Paul Vixie's and David Green's drafts predate this by at least 2 years, it is highly questionable how the patent can be granted. Meanwhile AOL has pulled their support for Sender-ID which makes the whole thing an even bigger mess.

Update: John’s article was published on CircleID, the same place where my two part series on Sender-ID history was published. Words of thanks go to Ali Farshchian, the founder and publisher of Circle-ID, for doing a great job!

Groklaw on Sender-ID

September 8, 2004 – 10:11 pm

Pamela Jones of GrokLaw posted two stories on Sender-ID tonight: one on the current controversy and a second on the compromise/apparent death of Sender-ID. I got some quotes in both!

Death of Sender-ID and Compromise?

September 8, 2004 – 11:20 am

Andy Newton, co-chair of MARID, posted an interesting proposal for a compromise today to the MARID list. First of all, to no one’s surprise he stated that IPR issues would block Sender-ID approval due to lack of consensus on deployment:

It is the opinion of the co-chairs at this time (before the end of last call) that the MARID working group has no consensus regarding the deployment of Sender ID. This lack of consensus centers around the IPR associated with the PRA algorithm.

In IETF-speak that means that Sender-ID is dead in its current form. But second, here comes a proposal:

It is also the opinion of the co-chairs that many in the working group
are willing to deploy MAIL FROM checking as specified in
draft-mengwong-spf. Therefore, we ask for consideration of the
following proposal:

The ABNF in -protocol 3.4.1 is (mostly from a post by Wayne)

version = "spf2." ver-minor "/" ver-scope *( "," ver-scope )
ver-minor = 1*DIGIT
ver-scope = "pra" / "mailfrom" / name
name = alpha *( alpha / digit / "-" / "_" / "." )

And the following stipulations:

1) “mailfrom” checking will be defined in a new draft
2) multiple records are allowed
3) a scope (e.g. “pra”) can only appear in one record of one type for
validity purposes

Basically the Sender-ID draft has a scope attribute. The interesting part is that Andy wants to use that scope for other identities besides PRA such as MAIL FROM and possibly other ones. This would allow the IETF to approve Sender-ID without touching PRA, and leave the PRA decision to end users. Of course, it remains to be seen whether domain owners would be willing to publish both.
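
The version tag and stipulations 2 and 3 above, as an added example that is not part of the original post or of any MARID draft: Python code that parses the tag per the quoted ABNF and flags a scope published in more than one record, which is what a receiver or a domain owner's record linter would have to check. The function names, the sample records and their mechanism text are constructed for illustration, and all records are assumed to be of one DNS record type.

```python
import re
from collections import defaultdict

# Quoted ABNF:
#   version   = "spf2." ver-minor "/" ver-scope *( "," ver-scope )
#   ver-minor = 1*DIGIT
#   ver-scope = "pra" / "mailfrom" / name
#   name      = alpha *( alpha / digit / "-" / "_" / "." )
# ABNF string literals are case-insensitive, hence re.IGNORECASE.
_NAME = r"[A-Za-z][A-Za-z0-9._-]*"
_VERSION = re.compile(rf"spf2\.([0-9]+)/({_NAME}(?:,{_NAME})*)\Z", re.IGNORECASE)


def parse_version(record):
    """Return (ver_minor, scopes) if the record's first token is a well-formed
    version tag, else None. Scopes are lowercased and deduplicated."""
    tag = record.strip().split(" ", 1)[0]
    m = _VERSION.match(tag)
    if m is None:
        return None
    scopes = list(dict.fromkeys(s.lower() for s in m.group(2).split(",")))
    return int(m.group(1)), scopes


def duplicated_scopes(records):
    """Scopes that appear in more than one record (stipulation 3 violated)."""
    seen = defaultdict(int)
    for rec in records:
        parsed = parse_version(rec)
        if parsed:
            for scope in parsed[1]:
                seen[scope] += 1
    return sorted(s for s, n in seen.items() if n > 1)


def select_record(records, scope):
    """Pick the one record covering `scope`.
    Returns ("ok", record), ("none", None) or ("ambiguous", None)."""
    scope = scope.lower()
    hits = []
    for rec in records:
        parsed = parse_version(rec)
        if parsed and scope in parsed[1]:
            hits.append(rec)
    if not hits:
        return ("none", None)
    if len(hits) > 1:
        return ("ambiguous", None)  # never guess between conflicting policies
    return ("ok", hits[0])


# Constructed sample data (documentation address ranges, made-up policies).
GOOD_RECORDS = [
    "v=spf1 ip4:192.0.2.0/24 -all",  # not an spf2 version tag, skipped
    "spf2.0/pra ip4:192.0.2.0/24 -all",
    "spf2.0/mailfrom ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
]
BAD_RECORDS = [
    "spf2.0/pra,mailfrom ip4:192.0.2.0/24 -all",
    "spf2.0/pra ip4:203.0.113.9 ?all",  # "pra" published a second time
]

if __name__ == "__main__":
    for name, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        print(name, duplicated_scopes(recs), select_record(recs, "pra")[0])
```

Treating the ambiguous case as a distinct result rather than taking the first match keeps two receivers from applying different policies to the same domain.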

UPDATE: I got quoted in an InternetNews.com story on this.

Interview with Larry Rosen

September 7, 2004 – 10:33 pm

NewsForge is carrying an interesting interview with Larry Rosen, general counsel for OSI. Among some of the more interesting tidbits:

And the second point: I don’t have any basis for making the statement that the patent itself is valid or invalid. First, no one has seen the patent, because it is not actually an issued patent. It is merely a patent application. And so the paperwork that has been filed is not available to us.

Right, and I don’t know, I have not seen the claims of that patent application. It has not yet ripened into a patent. To say there is prior art for it is premature. Furthermore, there is a kind of common — I don’t mean that word in a derogatory sense — but a typical impression of what prior art is about in the world of patent law. It’s a little misunderstood, and so you have to look closely at the claims and the specification of the patent, and you have to look closely at the prior art, to determine whether something is in prior art or not. Merely to say, “Gosh, that sounds familiar, I could have done that,” or “I did that,” or “Someone did that, something similar to that,” especially in absence of an actual patent, is real premature.

UPDATE: But of course it made it to SlashDot

An inDECENT proposal

September 6, 2004 – 5:20 pm

A very INTERESTING proposal has come up in MARID. John Levine, my old ASRG co-chair, proposed the use of fetchmail’s algorithm for Sender-ID instead of Microsoft’s PRA to get around IPR issues. Being that it is Labor Day, it remains to be seen what the reaction will be. Adding to this is the fact that Microsoft is only claiming IPR on the core of Sender-ID itself when used with PRA, not separately, as outlined in their disclosure:

C. If an Internet-Draft or RFC includes multiple parts and it is not reasonably apparent which part of such Internet-Draft or RFC is alleged to be covered by the patent information disclosed in Section V(A) or V(B), it is helpful if the discloser identifies here the sections of the Internet-Draft or RFC that are alleged to be so covered. Both Sender ID: Authenticating E-mail <draft-ietf-marid-core-03.txt> and Purported Responsible Address in E-mail Messages <draft-ietf-marid-pra-00.txt> in combination (emphasis added)

Now RFC 3668 in section 8 is pretty clear that non-IPR stuff is preferred unless the IPR encumbered is superior:

In general, IETF working groups prefer technologies with no known IPR
claims or, for technologies with claims against them, an offer of
royalty-free licensing. But IETF working groups have the discretion
to adopt technology with a commitment of fair and non-discriminatory
terms, or even with no licensing commitment, if they feel that this
technology is superior enough to alternatives with fewer IPR claims
or free licensing to outweigh the potential cost of the licenses.

Take into account that fetchmail is written by Eric S. Raymond (ESR), who is the president of the Open Source Initiative (OSI) and the story becomes even more ironic: a choice between an algorithm written by an FOSS advocate which is not IPR encumbered, or a choice of Microsoft’s algorithm not compatible with the GPL because of patents. As we say in chess, Microsoft appears to be “in check”. It remains to be seen when the checkmate will happen.

Sender-ID - A Tale of Open Standards and Corporate Greed? - Part II

August 31, 2004 – 5:11 pm

Copyright © 2004 Yakov Shafranovich (asrg@shaftek.org). This article is under a different copyright than the rest of this blog. This article was originally published at CircleID.

Part II

While everything seemed fine and various participants in these discussions were celebrating the merger of these proposals into one, as well as the support of Microsoft in this endeavor, there was an elephant in the room so to speak, and a rather large one at that. When the original Caller-ID proposal was published, a patent license came along with it. Microsoft indicated that they were planning on filing patents on Caller-ID or some of its aspects, and offered a royalty-free license for the use of their intellectual property. There was some talk about the incompatibility of the license with open source software, including comments from Eben Moglen of FSF and Richard Stallman, but Microsoft employees assured the MARID WG that the licensing issue would be resolved in time for the San Diego meeting. Except that it wasn’t. The license was not changed until the last call procedure began, leaving only two weeks to discuss both the IPR and remaining technical issues. And the license was not substantially changed either. This sparked a heated debate in the MARID WG which is still simmering. Among the problematic sticking points in the license is a requirement for each implementor to sign a license with Microsoft, the fact that the license was not sub-licensable to others, and also the inherent ability for Microsoft to revoke the license. But the problems did not stop there - it seems that the elephant in question was a rather larger specimen than previously thought.

Sender-ID - A Tale of Open Standards and Corporate Greed? - Part I

August 31, 2004 – 5:06 pm

Copyright © 2004 Yakov Shafranovich (asrg@shaftek.org). This article is under a different copyright than the rest of this blog. This article was originally published in CircleID.

Part I

A long long time ago when the Internet was still young and most people were still using clunky Apples, PCs and mainframes, two documents were published by the Advanced Research Projects Agency (ARPA), part of the US Government’s Department of Defense. They were called “RFC 821 - Simple Mail Transfer Protocol” and “RFC 822 - Standard for the format of ARPA Internet text messages” respectively. Written by Jon Postel and Dave Crocker respectively, often referred to as some of the founding fathers of the Internet, they defined a simple text-based email system for the use of the fledgling network then called the “ARPA Internet”. The year was 1982: IBM and Apple had just come out with their respective computers, and Microsoft was still a tiny company shipping the DOS for IBM’s new PC under a contract with the “Big Blue”. In those days the phrase “Evil Empire” still referred to the Soviet Union in general, and to IBM in the technology industry specifically. Internet standards were developed for the US Government, to be used on their private network, and no one had heard of “open source”.

How old is “Caller-ID”?

August 26, 2004 – 12:32 pm

Going over Microsoft’s FAQ on their new Sender-ID license, I noticed the following statement:

The original CallerID patent application was filed long before Microsoft made a decision to contribute its CallerID specification to the IETF

The original Caller ID specification was submitted to the IETF sometime around the Spring of 2004, after the MARID WG formed. “Was filed long before” sounds like a pretty long time; however, the facts are pointing in a different direction.

Bob Atkinson is listed as a main author of the Caller ID draft. Yet in May of 2003 he was asking questions about RMX which surely did not sound like he was well versed in email.

Draw your own conclusions.

The emperor’s new clothes

August 24, 2004 – 8:04 pm

Microsoft posted today their new license for the Sender-ID protocol (which grew out of SPF/RMX/DMP/DRIP/etc. work in the ASRG). It still requires a signed license directly from MSFT for each implementer. Moreover, the license states explicitly at the bottom that the information on licensors may be published publicly. Others have already raised the question of GPL-incompatibility. The question is what happens now - will the IESG accept this license or not.

Interestingly enough, this takes place on the same day as Microsoft pulled out from another standards body affiliated with the UN. More at GrokLaw. I sincerely hope this is a coincidence.

UPDATE: Now the FSF/OSI folks have jumped in on this, stating publicly that this license is not compatible with the GPL and other open source licenses. However, the best quote I have seen on this comes from this eWeek article:

Allman also isn’t optimistic about Microsoft making Sender ID open-source friendly. “It’s pretty clear that it’s going to take an act of whatever deity Microsoft worships in order to get them to back down on the sublicensing issue. They made it absolutely clear to us that they were not even going to consider changing this, and the legal folks made it further clear that they would rather see Sender ID die than back down.”

Update #2: Larry Seltzer of eWeek published a very good opinion piece called “I Come to Bury Sender ID, Not to Praise It”. It reflects the thinking of many participants including myself. And I couldn’t say it better than Larry:

I feel sorry for the Microsoft participants in the process, principally Harry Katz of the Exchange Edge team, who I’m sure only wanted the whole thing to work and were restrained by persons senior to them, probably Microsoft’s vaunted legal team who did such a good job for them in the past. Of course, we all know what Shakespeare said about lawyers.

Future of this Blog

June 2, 2004 – 8:23 pm

Until I resigned from the ASRG, this blog served as a place for me to comment on various issues in the spam world and the technology world at large. Now that I am less involved in these, the focus of this blog will probably shift to more personal and less technology-oriented topics.

Moving on…

May 21, 2004 – 2:45 am

I am moving on with life - my graduation from Johns Hopkins finally took place and I stepped down as a co-chair of the ASRG. It's been a wild ride and life goes on.