Microsoft’s controversial Sender
ID for E-Mail dominated the opening panel of a two-day e-mail authentication summit sponsored by
the Federal Trade Commission (FTC) and the National Institute
of Standards and Technology (NIST).
In addition to Sender ID, the summit will focus on other
technologies it is hoped will combat the growing amount of spam and phishing
attacks that clog user inboxes and steal personal information.
The opening session, “Defining the Framework: Policy
Considerations for Email Authentication,” focused on the divide between the
open source community and business interests.
Open source advocates, led by Daniel Quinlan, Apache Software Foundation (ASF)
vice president, pointed out the licensing problems
associated with Microsoft’s Sender ID technology. Because e-mail
authentication will be performed by e-mail servers, of which open source software
makes up a bulk of the industry, open source advocates’ issues carried a lot of weight in the
discussion.
Groups like the Open Source Initiative (OSI), Free Software Foundation (FSF)
and Software in the Public Interest are concerned about the license
requirements surrounding Microsoft’s patent-pending Sender ID technology.
Currently, two such patents
are making their way through the U.S. Patent & Trademark Office (USPTO).
Open source advocates aren’t necessarily worried about the patents themselves, as
patents are found in many standards; what they’re worried about is the
sub-licenseability clause that requires every new group or company involved
in an application containing Sender ID to sign Microsoft’s license
agreement. Lawyers at the open source groups maintain that clause precludes
its use in open source software.
Quinlan said the growth of the Internet, particularly the Web,
was helped by open source software that runs most of the Web servers
today, namely the Apache Web server.
“That is possible because the [Web] and the standards that are needed in the
[Web] are freely available,” he said during the panel discussion.
“There’s no patent license that needs to be
executed with Microsoft or any other company, and we want to make sure it
stays that way with e-mail and other important parts of the Internet.”
Microsoft disagrees, pointing out the license is compatible with open source licenses
like the BSD, Apache, IBM common public license and MIT public license.
In the past, said David Kaefer, Microsoft intellectual property and licensing
group director of business development, the open source community has worked with
them to make licenses and proprietary technology work.
“These are licenses that we believe will work and given the flexibility
the open source community has shown on licensing over the years. In fact,
there are over 50 approved open source licenses,” he said. “There’s certainly a great
amount of choice within the open source and standards context to find
something that will work for everybody.”
The Redmond, Wash., company has tweaked its Sender ID for E-Mail license twice
in the past several months to appease the open source community.
The first modification, in August, altered
the wording on its sub-licenseability clause to state that open source
developers and their recipients were not required to sign the license. It’s
a move that’s been moderately successful; besides Sendmail, Inc., a Canadian
ISP has released services
based on Sender ID technology.
The second time was in reaction to AOL abandoning
Sender ID in favor of SPF-Classic in September. The next month, Microsoft
announced it had amended its Sender ID patent application and made the
technology backwards-compatible with SPF-Classic, which prompted
AOL to rejoin the Sender ID movement.
Summit discussion also included the Internet Engineering Task Force (IETF), where
the MTA Authorization Records in DNS (MARID) working group, which was created to find
an e-mail authentication technology standard, stalled
after its participants bogged down on Microsoft’s patent and licensing
claims.
Scott Bradner, Harvard University technology security officer, was one of
the panelists on the FTC panel. He said the license was written for
lawyers, not computer scientists, which made it difficult for everyone to
understand the terms of the license.
While Microsoft and Sender ID dominated the discussions, other general items
related to e-mail authentication were raised during the panel.
An employee at one of the major credit card companies wanted to know how to
identify the people behind phishing attacks, matching IP addresses and
names. Credit card companies and their customers are the biggest victims
of phishing
Annalee Newitz, a policy analyst for the Electronic Frontier Foundation
(EFF), said finding the name behind the IP addresses of the sender is
possible today, though it requires a subpoena.
She’s referring to the current activities of the Recording Industry Association of America,
which has so far unsuccessfully
tried to subpoena account information from ISPs who are providing
their file-sharing customer’s Internet connection.
Also discussed was the likely cost to the end user once e-mail
authentication made its way into the mainstream.
Jonathan Zuck, president
of the Association for Competitive Technology, said the costs will
ultimately prove to be less than what they’re paying today, because end users
won’t have to buy into as many filtering applications. However, the ISPs might
charge a little more for e-mail service.
ISPs, with the exception of some
Sender ID for E-mail technology that is focused on the end user, will bear
most of the cost of Sender ID, checking e-mail at their servers before
passing them along to customers.
The FTC and NIST summit ends Wednesday afternoon. The proceedings are open
to the public, and phones lines are available for those wishing to listen in
on the discussions.
