Cisco, Yahoo Work on Authentication Differences

Yahoo and Cisco are working to find
some common ground in their respective e-mail authentication specifications.

Often confused as anti-spam technology, e-mail authentication attempts
to verify that an e-mail is really coming from the person listed in the
e-mail header. The technology is then used as a foundation for traditional
anti-spam software and hardware like those provided by Symantec, McAfee,
Postini, CipherTrust and many other vendors.

One of the big topics during last week’s Internet Engineering Task Force
(IETF) meeting was word of whether Yahoo and Cisco had combined
their two similar signature-based specifications.

Dave Crocker, principal at Brandenburg InternetWorking and author of the
Bounce Address Tag Validation (BATV) e-mail authentication specification,
said the work of the two companies is slated to become the foundation for an
IETF working group, as soon as the two combine their technologies.

Crocker said that it’s not good for the Internet community to have two competing specifications that are so similar in nature and function. However, he said, the differences in IIM and DomainKeys are significant.

“Usually the efforts to merge
competing proposals don’t go very well inside the IETF, and so the feeling is
that the IETF has to wait until that merger is complete and then the IETF
can consider pursuing a standards process for the result.”

Yahoo’s DomainKeys and Cisco’s Identified Internet Mail (IIM) are both very
similar in that they use public-key technology to determine whether a
message is really coming from the individual named in the e-mail header.
Both use RSA public-key encryption as their foundation; both
append the signature in the message header; and signing and verification
typically take place at the MTA, though the option exists at
the MUA.

But, as the saying goes, the devil is in the details; some fundamental
differences have kept the two from merging in the past.

One of the biggest differences between the two technologies is that in
IIM the public key is tacked onto the e-mail message and authorized through
the DNS, while in DomainKeys public keys are stored in DNS TXT records.

Also, while the IIM specification can use the DNS to verify keys, it prefers
the Key Registration Server (KRS) for more flexibility, while DomainKeys
relies on DNS alone. The tradeoff is that IIM can provide
user-level keys and outsource e-mail addresses, and DomainKeys can only register
keys by domain. E-mail outsourcing isn’t available.

Miles Libbey, anti-spam product manager at Yahoo, said that from a project
manager’s point of view, the differences are highly technical but not

“Conceptually, DomainKeys and Identified Internet Mail are extremely
similar. The general concepts are effectively identical, so we think that it
will be possible to have a merged spec,” he said. “Certainly, the
individual technology choices that are made in both specs would make one
incompatible with the other today, but a lot of those things are easily

An IETF working group infrastructure is already in place for a combined
specification, in the form of the unofficial Message Authentication
Signature Standards (MASS). While DomainKeys and IIM are the leading
contenders in the group, others are under consideration: Microsoft’s E-mail
Postmarks; Entity to Entity S/MIME; MTA Signatures; BATV; and Trusted E-mail
Open Standard (TEOS).

According to Jim Fenton, co-author of IIM, a combined technology should be ready in the coming months,
but much depends on the review processes at the two companies. The combined
specification won’t incorporate many new ideas, he said, but will find common
ground and incorporate the best ideas of both technologies.

“It’s really hard for me to put a specific timeline on it,” he said. “We
know that the industry is very anxious for this hybrid to get going and so
there’s a lot of urgency. I would certainly hope it would be this year.

“I would be extremely disappointed if it didn’t happen this year, but
whether it’s springtime or summertime, I don’t know,” he added. “It becomes
a lot more complex when we have more authors and more review that needs to
go on.”

Both companies have picked up corporate support for their respective
technologies, though Cisco officials said they are keeping a low profile on
announcing companies testing and deploying their technology.

Yahoo, on the other hand, has reported that Google, EarthLink, SBC and even its own Yahoo Mail service are using DomainKeys.
