RealTime IT News

Sender ID in Limbo

UPDATED: Microsoft's undeclared patent claims on Sender ID technology are holding up adoption of the e-mail authentication specification, and it's not clear when the issue will be resolved.

The MTA Authorization Records in DNS (MARID) working group was supposed to conclude its discussion of Sender ID Friday and send it to the next stage of the Internet Engineering Task Force (IETF) standards adoption. But an e-mail from one of the chairmen over the weekend put an end to that.

Andrew Newton, MARID co-chairman, outlined four areas where some form of consensus within the community has been reached so far with regard to Sender ID: DNS name prefix, Sender Policy Framework (SPF)-specific record types, support for multiple authentication schemes and patent claims. But no mention was made as to when a final draft for Sender ID will move forward for adoption as a proposed standard.

Microsoft's patent claim centers on the combined use of two Internet drafts: draft-ietf-marid-core-03 (Sender ID) and draft-ietf-marid-pra-00 (the Purported Responsible Address [PRA] algorithm developed by Microsoft). The open source community says the license agreement protecting those patents violates the GPL. So to try to accommodate the needs of the open source community while still keeping Sender ID alive as a viable technology, Newton and Marshall Rose, the other MARID co-chair, floated a compromise measure last week to separate the PRA algorithm from Sender ID.

It's a compromise that lets those comfortable with Microsoft's license agreement continue to use Sender ID with the PRA check, while letting others develop their own authentication scheme for e-mails and still be able to use the core Sender ID specification.

Unfortunately, because of the unspecified nature of the patents, MARID working group members still weren't convinced that removing the algorithm would completely absolve users from the necessity of signing a license agreement. Also, deciding which authentication "check" to use caused a gridlock on any decision supporting the compromise.

Newton confused matters by later acknowledging the issue and stating the working group shouldn't work on an alternative algorithm to replace PRA until the scope of the patent issue is resolved.

"It is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application," Newton stated in his post to the working group's discussion list. "We do feel that future changes regarding the patent claim or its associated license could significantly change the consensus of the working group, and at such a time it would be appropriate to consider new work of this type."

In addition, MARID discussion on authentication schemes will focus only on two of the more popular checks, PRA and "mailfrom," a method that uses the envelope information found in SMTP transmissions. PRA, on the other hand, doesn't check at the SMTP protocol level, and instead relies on e-mail header information.

Sean Sundwall, a Microsoft spokesman, said the co-chairs' decision to wait for the patent cloud to blow over doesn't mean the end of Sender ID; work will continue on the technology.

"I wouldn't characterize it as in limbo," he said. "I don't think that it's exited quite the way people thought it would when it entered. Basically, what you have is what was submitted; plus you've changed it from having one checking mechanism to two."

It's a good way to move forward, he continued. Those who favor Microsoft's PRA can continue on the work already begun, while those who don't like the license agreement that comes with the PRA can flesh out "mailfrom."

While Microsoft plans to incorporate both mailfrom and PRA checking information in the records it maintains, it has no plans to use mailfrom to check incoming e-mails, saying PRA is the superior technology.

Sundwall assumes its 60 or so public supporters will continue forward with PRA.

"I think the good news is that we finally have a specification, albeit it has a duality to it. We have a specification that the industry can march behind," he said.

Microsoft's patent claims have created quite a stir and have split the MARID community into two camps: those for Sender ID -- mainly large telecom providers, financial institutions, e-mail security software vendors and Microsoft -- and those against Sender ID, who are made up of the free and open source software groups that develop the most popular MTAs in the world (Sendmail, qmail and Exim).

Both the Apache Software Foundation and the Debian Project, as well as open source advocates like Eben Moglen and Richard Stallman, have spoken up against the existing Sender ID technology based on the unknown patent claims and license agreement that protects the patents.

Newton was not available for comment at press time on what's next for the MARID working group and what new timetable is in effect.