RealTime IT News

Sender ID Up for Discussion in D.C.

Microsoft's controversial Sender ID for E-Mail dominated the opening panel of a two-day e-mail authentication summit sponsored by the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST).

In addition to Sender ID, the summit will focus on other technologies that, it is hoped, will combat the growing volume of spam and phishing attacks that clog user inboxes and steal personal information.

The opening session, "Defining the Framework: Policy Considerations for Email Authentication," focused on the divide between the open source community and business interests.

Open source advocates, led by Daniel Quinlan, Apache Software Foundation (ASF) vice president, pointed out the licensing problems associated with Microsoft's Sender ID technology. Because e-mail authentication will be performed by e-mail servers, and open source software makes up the bulk of that industry, open source advocates' concerns carried a lot of weight in the discussion.

Groups like the Open Source Initiative (OSI), Free Software Foundation (FSF) and Software in the Public Interest are concerned about the license requirements surrounding Microsoft's patent-pending Sender ID technology.

Currently, two such patents are making their way through the U.S. Patent & Trademark Office (USPTO).

Open source advocates aren't necessarily worried about the patents themselves, as patents are found in many standards; what they're worried about is the sub-licenseability clause that requires every new group or company involved in an application containing Sender ID to sign Microsoft's license agreement. Lawyers at the open source groups maintain that clause precludes its use in open source software.

Quinlan said the growth of the Internet, particularly the Web, was helped by open source software that runs most of the Web servers today, namely the Apache Web server.

"That is possible because the [Web] and the standards that are needed in the [Web] are freely available," he said during the panel discussion. "There's no patent license that needs to be executed with Microsoft or any other company, and we want to make sure it stays that way with e-mail and other important parts of the Internet."

Microsoft disagrees, pointing out the license is compatible with open source licenses like the BSD, Apache, IBM common public license and MIT public license.

In the past, said David Kaefer, Microsoft intellectual property and licensing group director of business development, the open source community has worked with the company to make licenses and proprietary technology work.

"These are licenses that we believe will work and given the flexibility the open source community has shown on licensing over the years. In fact, there are over 50 approved open source licenses," he said. "There's certainly a great amount of choice within the open source and standards context to find something that will work for everybody."

The Redmond, Wash., company has tweaked its Sender ID for E-Mail license twice in the past several months to appease the open source community.

The first modification, in August, altered the wording on its sub-licenseability clause to state that open source developers and their recipients were not required to sign the license. It's a move that's been moderately successful; besides Sendmail, Inc., a Canadian ISP has released services based on Sender ID technology.

The second time was in reaction to AOL abandoning Sender ID in favor of SPF-Classic in September. The next month, Microsoft announced it had amended its Sender ID patent application and made the technology backwards-compatible with SPF-Classic, which prompted AOL to rejoin the Sender ID movement.

Summit discussion also included the Internet Engineering Task Force (IETF), where the MTA Authorization Records in DNS (MARID) working group, which was created to find an e-mail authentication technology standard, stalled after its participants bogged down on Microsoft's patent and licensing claims.

Scott Bradner, Harvard University technology security officer, was one of the panelists on the FTC panel. He said the license was written for lawyers, not computer scientists, which made it difficult for everyone to understand the terms of the license.

While Microsoft and Sender ID dominated the discussions, other general items related to e-mail authentication were raised during the panel.

An employee at one of the major credit card companies wanted to know how to identify the people behind phishing attacks by matching IP addresses to names. Credit card companies and their customers are the biggest victims of phishing attacks.

Annalee Newitz, a policy analyst for the Electronic Frontier Foundation (EFF), said finding the name behind a sender's IP address is possible today, though it requires a subpoena.

She was referring to the current activities of the Recording Industry Association of America, which has so far unsuccessfully tried to subpoena account information from ISPs that provide their file-sharing customers' Internet connections.

Also discussed was the likely cost to the end user once e-mail authentication made its way into the mainstream.

Jonathan Zuck, president of the Association for Competitive Technology, said the costs to end users will ultimately prove to be less than what they're paying today, because they won't have to buy into as many filtering applications. However, the ISPs might charge a little more for e-mail service.

ISPs will bear most of the cost of Sender ID, with the exception of some Sender ID for E-Mail technology that is focused on the end user, because they will check e-mail at their servers before passing it along to customers.

The FTC and NIST summit ends Wednesday afternoon. The proceedings are open to the public, and phone lines are available for those wishing to listen in on the discussions.