RealTime IT News

Cisco, Yahoo Work on Authentication Differences

Yahoo and Cisco are working to find some common ground in their respective e-mail authentication specifications.

Often confused as anti-spam technology, e-mail authentication attempts to verify that an e-mail is really coming from the person listed in the e-mail header. The technology is then used as a foundation for traditional anti-spam software and hardware like those provided by Symantec, McAfee, Postini, CipherTrust and many other vendors.

One of the big topics during last week's Internet Engineering Task Force (IETF) meeting was whether Yahoo and Cisco had combined their two similar signature-based specifications.

Dave Crocker, principal at Brandenburg InternetWorking and author of the Bounce Address Tag Validation (BATV) e-mail authentication specification, said the work of the two companies is slated to become the foundation for an IETF working group, as soon as the two combine their technologies.

Crocker said that it's not good for the Internet community to have two competing specifications that are so similar in nature and function. However, he said, the differences in IIM and DomainKeys are significant.

"Usually the efforts to merge competing proposals don't go very well inside the IETF, and so the feeling is that the IETF has to wait until that merger is complete and then the IETF can consider pursuing a standards process for the result."

Yahoo's DomainKeys and Cisco's Identified Internet Mail (IIM) are both very similar in that they use public-key technology to determine whether a message is really coming from the individual named in the e-mail header. Both use RSA public-key encryption as their foundation; both append the signature in the message header; and signing and verification typically take place at the MTA, though the option exists at the MUA.

But, as the saying goes, the devil is in the details; some fundamental differences have kept the two from merging in the past.

One of the biggest differences between the two technologies is where the public key lives: in IIM, the public key is tacked onto the e-mail message and authorized through the DNS, while in DomainKeys, public keys are stored in DNS TXT records.

Also, while the IIM specification can use the DNS to verify keys, it prefers the Key Registration Server (KRS) for more flexibility, while DomainKeys relies on DNS alone. The tradeoff is that IIM can provide user-level keys and outsource e-mail addresses, while DomainKeys can only register keys by domain, and e-mail outsourcing isn't available.
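The two key-distribution models described above, sketched as an added example that is not code from either specification: the dictionary standing in for DNS, its record layout, the message fields and all function names are assumptions made for illustration, the KRS is not modelled, and the RSA here is a textbook toy built from small known primes, not a usable signature scheme.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def keypair(p, q):
    """Textbook RSA from two known primes: returns (private d, modulus n)."""
    return pow(E, -1, (p - 1) * (q - 1)), p * q

def digest(body, n):
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(sender, body, d, n, attach_key=False):
    msg = {"from": sender, "body": body, "sig": pow(digest(body, n), d, n)}
    if attach_key:  # IIM model: the public key rides along with the message
        msg["key"] = n
    return msg

def fingerprint(n):
    return hashlib.sha256(str(n).encode()).hexdigest()

def verify_domainkeys(msg, dns):
    """Key is fetched from the sending domain's DNS record (domain-level)."""
    n = dns.get(("key", msg["from"].split("@")[1]))
    return n is not None and pow(msg["sig"], E, n) == digest(msg["body"], n)

def verify_iim(msg, dns):
    """Key comes from the message; DNS only says whether it is authorized."""
    n = msg["key"]
    if pow(msg["sig"], E, n) != digest(msg["body"], n):
        return False
    return fingerprint(n) in dns.get(("auth", msg["from"]), set())

def demo():
    d1, n1 = keypair(2**61 - 1, 2**89 - 1)    # key published by example.com
    d2, n2 = keypair(2**107 - 1, 2**127 - 1)  # key the domain never published
    dns = {("key", "example.com"): n1,        # DomainKeys: one key per domain
           ("auth", "alice@example.com"): {fingerprint(n1)}}  # IIM: per address
    body = b"constructed sample message"
    alice, bob = "alice@example.com", "bob@example.com"
    return {
        "dk_valid": verify_domainkeys(sign(alice, body, d1, n1), dns),
        "dk_other_user": verify_domainkeys(sign(bob, body, d1, n1), dns),
        "dk_wrong_key": verify_domainkeys(sign(alice, body, d2, n2), dns),
        "iim_valid": verify_iim(sign(alice, body, d1, n1, True), dns),
        "iim_other_user": verify_iim(sign(bob, body, d1, n1, True), dns),
        "iim_unauthorized_key": verify_iim(sign(alice, body, d2, n2, True), dns),
    }
```

The `iim_unauthorized_key` case is the one to watch in the message-carried model: the signature is internally valid, so the verifier must reject on the authorization lookup alone.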

Miles Libbey, anti-spam product manager at Yahoo, said that from a project manager's point of view, the differences are highly technical but not insurmountable.

"Conceptually, DomainKeys and Identified Internet Mail are extremely similar. The general concepts are effectively identical, so we think that it will be possible to have a merged spec," he said. "Certainly, the individual technology choices that are made in both specs would make one incompatible with the other today, but a lot of those things are easily overcome."

An IETF working group infrastructure is already in place for a combined specification, in the form of the unofficial Message Authentication Signature Standards (MASS). While DomainKeys and IIM are the leading contenders in the group, others are under consideration: Microsoft's E-mail Postmarks; Entity to Entity S/MIME; MTA Signatures; BATV; and Trusted E-mail Open Standard (TEOS).

According to Jim Fenton, co-author of IIM, a combined technology should be ready in the coming months, but much depends on the review processes at the two companies. The combined specification won't incorporate many new ideas, he said, but will find common ground and incorporate the best ideas of both technologies.

"It's really hard for me to put a specific timeline on it," he said. "We know that the industry is very anxious for this hybrid to get going and so there's a lot of urgency. I would certainly hope it would be this year.

"I would be extremely disappointed if it didn't happen this year, but whether it's springtime or summertime, I don't know," he added. "It becomes a lot more complex when we have more authors and more review that needs to go on."

Both companies have picked up corporate support for their respective technologies, though Cisco officials said they are keeping a low profile on announcing companies testing and deploying their technology.

Yahoo, on the other hand, has reported that Google, EarthLink, SBC and even its own Yahoo Mail service are using DomainKeys.