Sender ID in Limbo

UPDATED: Microsoft’s undeclared patent claims on
Sender ID technology are holding up adoption of the e-mail authentication
specification, and it’s not clear when the issue will be resolved.

The MTA Authorization Records in DNS (MARID)
working group was supposed to conclude its discussion of Sender ID Friday
and send it to the next stage of the Internet Engineering Task Force (IETF)
standards adoption. But an e-mail from one of the chairmen over the weekend
put an end to that.

Andrew Newton, MARID co-chairman, outlined four areas where some form of consensus within the
community has been reached in regards to Sender ID so far: DNS name prefix,
Sender Policy Framework (SPF)-specific record types, support for multiple
authentication schemes and patent claims. But no mention was made as to when
a final draft for Sender ID will move forward for adoption as a proposed
standard.

Microsoft’s patent claim centers on the combined use of two Internet drafts:
draft-ietf-marid-core-03 (Sender ID) and draft-ietf-marid-pra-00 (the
Purported Responsible Address [PRA] algorithm developed by Microsoft). The
open source community says the license agreement protecting those patents
violate the GPL . So to try and accommodate the needs of the
open source community while still keeping Sender ID alive as a viable
technology, Newton and Marshall Rose, the other MARID co-chair, floated a
compromise measure to separate the PRA algorithm from Sender ID last week.

It’s a compromise that lets those comfortable with Microsoft’s license
agreement continue to use Sender ID with the PRA check, while letting others
develop their own authentication scheme for e-mails and still be able to use
the core Sender ID specification.

Unfortunately, because of the unspecified nature of the patents, MARID
working group members still weren’t convinced that removing the algorithm
would completely absolve users from the necessity of signing a license
agreement. Also, deciding which authentication “check” to use caused a
gridlock on any decision supporting the compromise.

Newton confused matters by later acknowledging the issue and stating the
working group shouldn’t work on an alternative algorithm to replace PRA
until the scope of the patent issue is resolved.

“It is the opinion of the co-chairs that MARID should not undertake work on
alternate algorithms reasonably thought to be covered by the patent
application,” Newton stated in his post to the working group’s discussion
list. “We do feel that future changes regarding the patent claim or its
associated license could significantly change the consensus of the working
group, and at such a time it would be appropriate to consider new work of
this type.”

In addition, MARID discussion on authentication schemes will focus only on
two of the more popular checks, PRA and “mailfrom,” a method that uses the
envelope information found in SMTP transmissions. PRA, on the
other hand, doesn’t check at the SMTP protocol level, and instead relies on
e-mail header information.

Sean Sundwall, a Microsoft spokesman, said the co-chair’s decision to
wait for the patent cloud to blow over doesn’t mean the end of Sender ID;
work will continue on the technology.

“I wouldn’t characterize it as in limbo,” he said. “I don’t think that it’s
exited quite the way people thought it would when it entered. Basically,
what you have is what was submitted; plus you’ve changed it from having one
checking mechanism to two.”

It’s a good way to move forward, he continued. Those who favor Microsoft’s
PRA can continue on the work already begun, while those who don’t like the
license agreement that comes with the PRA can flesh out “mailfrom.”

While Microsoft plans to incorporate both mailfrom and PRA checking
information in the records it maintains, it has no plans to use mailfrom to
check incoming e-mails, saying PRA is the superior technology.

Sundwall assumes its 60 or so public supporters will continue forward with PRA.

“I think the good news is that we finally have a specification, albeit it
has a duality to it. We have a specification that the industry can march
behind,” he said.

Microsoft’s patent claims have created quite a stir and have split the MARID
community into two camps: those for Sender ID — mainly large telecom
providers, financial institutions, e-mail security software vendors and
Microsoft — and those against Sender ID, who make up of the free- and open
source-software groups who develop the most popular MTAs in the world
(SendMail, QMail and Exim).

Both the Apache Software Foundation and the Debian Project, as well as open
source advocates like Eben Moglen and Richard Stallman, have spoken up
against the existing Sender ID technology based on the unknown patent claims
and license agreement that protects the patents.

Newton was not available for comment at press time on what’s next for the
MARID working group and what new timetable is in effect.

News Around the Web