UPDATED: As a new Sender ID specification for beating back spam wends its way through the Internet Engineering Task Force (IETF), some e-mail
software vendors are not waiting around for its final approval before implementing the system.
They could be taking a gamble. Or they could be acting in confidence that the IETF will eventually bless a specification that will be used on e-mail
systems throughout the world.
One of the contributors to the Sender ID specification, Microsoft, has patents pending on certain components of the Sender ID
technology it has donated to the IETF’s efforts. Microsoft has repeatedly
said that — even if it is granted a patent on the technology — it would
“make licenses available on reasonable and non-discriminatory terms.”
But the issue has some in the open source world talking.
The drive in the business community to press ahead with Sender ID comes at a time when some in the open source community are claiming the
licensing stipulations around Sender ID don’t interoperate with the most
popular open source license variant, the General Public License.
In a post to the IETF’s MARID (MTA Authorization Records in DNS) discussion list, the chairman of the
Apache Software Foundation (ASF), Greg Stein, called Microsoft’s Royalty-Free Sender ID license agreement a barrier to any ASF project.
“We believe the current license is generally incompatible with
open source, contrary to the practice of open Internet standards, and
specifically incompatible with the Apache License 2.0. Therefore, we will
not implement or deploy Sender ID under the current license terms.”
The finalized version of Sender ID, a combination
of Microsoft’s Caller ID for E-Mail specification and Meng Weng Wong’s
popular Sender Policy Framework (SPF), is expected to move on to the IETF’s
steering group after Friday (following the close of comments in this round)
for further approval as a proposed standard within the IETF. From there,
perhaps by the fall, the IETF is expected to bless the new proposed standard
as a way to combat the ever-rising spam and phishing attempts that bedevil
so many e-mail servers today.
That may explain why some companies are moving ahead with Sender ID
deployments now to cut down on the number of phishing
spoofing
hostage.
“It’s getting to the point where they cannot even send legitimate e-mails
out anymore,” said Paul Judge, chief technology officer at CipherTrust, a
secure messaging software vendor. “So, you think that you’re one of the
most powerful organizations in the world and you’ve been crippled so that
you simply cannot send out e-mails to your customers; think of the damage
phishers can do to disable a brand like that.”
CipherTrust is one of several vendors that signed onto the Sender ID
bandwagon. It said Tuesday it would support the specification in the next
version of its IronMail e-mail authentication application, due out in
October. Others moving to the Sender ID specification with application
support include Symantec, VeriSign
and IronPort.
Also adopting Sender ID is Sendmail, which makes a commercial version of
the venerable open source Sendmail message transfer agent
project that predates the other popular open source MTAs — qmail, postfix
and exim.
Officials from the vendor announced an open source plug-in module as
part of their Messaging Integrity Pilot Program, in order to test and assess
its implementation of Sender ID in the wild.
Dave Anderson, Sendmail’s CEO, said the plug-in will be available under
its Sendmail Open Source License, which lets users modify the original
source code as long as the modifications are donated back to the open source
community. If customers decide they would rather work the code how they see
fit and not contribute the changes under the open source license, they can
buy a license from Sendmail, Anderson said.
Anderson is also part of a group of companies not concerned that the
Microsoft-sponsored specification could one day be awarded patents by the
U.S. Patent & Trademark Office (USPTO). Right now, the technology is patent
pending, which means no company is under obligation to sign a license to use
Sender ID.
“If you read the Microsoft license it grants you some rights but you
also accept some obligations,” he said. “What you get [with the license] is
the ability to use the software for free, and if you don’t get a license
what you get is the ability to use this software for free — so we’ve
decided there really is no reason for us to get a license.”
Microsoft’s FAQ sheet on the Sender ID license states that because the
company is not aware of any issued patents on the technology, no license is
required. And even if Microsoft should win its patent claim through the
USPTO, “Microsoft has disclosed that if such claims are granted Microsoft
will make licenses available on reasonable and non-discriminatory terms.”
Plus, several individuals posting to the IETF’s MARID (MTA Authorization
Records in DNS) working group discussion contend that the claims in Microsoft’s
patent application are covered by “prior art” and, as such, not eligible for a patent.
Anderson said that while he doesn’t want people to take his company’s
decision not to sign a license agreement as an indicator that other
companies shouldn’t, Sendmail’s decision should allay some fears.
“Why would I want to get a license that has some additional constraints
in it if it’s already free? To me, that’s a pretty simple business
decision.”
Also, plenty of software vendors in the e-mail sector are making plans to
implement the Sender ID specification following a Sender ID summit, which Microsoft hosted Tuesday. The goal: to educate ISPs, Web site
hosters and anti-spam/anti-phishing vendors on Sender ID deployments in
their own organizations.
Anderson said the summit was a success, with many ISPs making plans to
incorporate Sender ID in the coming months. He expects 50 percent of the
world’s e-mail senders will have the specification in place by year’s end.
Eben Moglen, a law professor at Columbia University who provides free legal
advice to the Free Software Foundation, is also taking issue with Microsoft’s free
licensing terms in a post to a MARID discussion list.
“The license posted by Microsoft is not compatible with GPL and is not a
free software compatible license. There are several problems, of which the
most severe is the requirement that anyone who wants to redistribute a
covered implementation must execute a license with Microsoft,” according to
a post attributed to Moglen. “If you cannot give people code that they can
redistribute without permission, you are not giving them free software. This
would be the conclusion under all the meta-definitions of freedom: the
[Open Source Definition], the [Free Software Definition], and the Debian
[Free Standards Group].” (Moglen did not respond to requests for further comment.)
Microsoft’s Sundwall said he doesn’t understand why the open source
community is balking at the license agreement, which is in many ways similar
to the terms used by software companies like IBM, a
company with tens of thousands of intellectual property (IP) patents that
routinely donates code to the open source community.
“It’s a very standard procedure; IBM and many others that have a
foundation on IP submit specs to the IETF and other standards bodies with
IP claims all the time,” he said. “It’s a little baffling why this issue in
particular has gotten so much attention because our intentions are 100
percent pure; we have a pretty good track record on spam and how we’ve made
an effort to make no money to solve this for our customers and anyone else’s
customers as well.
“We have never and will never charge any money whatsoever for this
patent,” he said. “The patent, which has not been granted yet, was filed
mostly as a defensive measure down the road should people come back at us
and file an IP-based lawsuit.”