The Web    Google
MARID Floats Sender ID Compromise

MARID Floats Sender ID Compromise
September 8, 2004

The working group charged with finding an acceptable method for authenticating e-mails to reduce spam now has a proposal to consider before Sender ID adoption grinds to a halt.

The proposal, posted Wednesday by Andrew Newton, co-chair of the MTA Authorization Records in DNS (MARID) working group, is an alternative to the current Microsoft-sponsored Sender ID specification and is a compromise measure to salvage the spec before it dies.

The proposal, which contains seemingly insurmountable differences between the open source community and Microsoft , comes just two days before MARID's self-imposed last call. At that time, the Sender ID issue will move forward to the next step in the Internet Engineering Task Force (IETF) standards process. Newton doesn't believe the proposal will delay the Friday deadline.

"It is the opinion of the co-chairs at this time that the MARID working group has no consensus regarding the deployment of Sender ID," Newton's e-mail states. "This lack of consensus centers around the [Intellectual Property Rights (IPR)] associated with the [Purported Responsible Address (PRA)] algorithm."

As such, Newton and fellow co-chair Marshall Rose have suggested the separation of Microsoft's PRA technology -- which verifies the Internet address of the originating e-mail address and is the source of the patent contention -- from the core Sender ID specification.

That way, those who already accept Sender ID as it stands today will be able to continue using PRA, while those opposed to the technology can incorporate other extensions to verify a sender's address.

For weeks, the open source community has become increasingly vocal in its criticism of the patent claims surrounding Sender ID, the merger of Microsoft's Caller ID for E-Mail and the Sender Policy Framework (SPF). Microsoft has pending patents on the use of the PRA algorithm -- used in the Caller ID for E-Mail specification -- operating in conjunction with the core Sender ID specification. However, Redmond officials have been noticeably stubborn about publicizing what exactly the company is trying to patent. They are also asking Sender ID users to sign a license agreement, which many say violates the GPL and other open source licenses.

Although Microsoft lawyers tweaked their license agreement in response to the criticism, the changes weren't enough to prevent the Apache Software Foundation (ASF) and Debian Project, two major open source communities, from saying they will not implement Sender ID if Microsoft's current license agreement isn't modified or removed from Sender ID entirely.

Open source endorsement is essential for widespread, worldwide adoption of Sender ID. Although major e-mail service providers like Microsoft and AOL (, ) say they will be incorporating Sender ID as it stands, and many software vendors are already with implementations of their own. The vast majority of administrators around the world use open source Message Transfer Agents like Sendmail, QMail, Postfix or Exim.

Yakov Shafranovich, a former co-chair of the Anti-Spam Research Group (ASRG) and one of the more vocal critics of Microsoft's patent claims, was initially receptive to Newton's proposal, which puts the decision of which extension to use in the hands of network administrators.

"A proposal that allows Sender ID to be used with multiple identities would sidestep that problem by letting end users pick if they want to use PRA and handle the IPR issues themselves," he said in an e-mail interview. "Others are free to choose 'mailfrom' or any other extensions that will probably be developed. This way the IETF will sidestep IPR issues and can approve the standard."

Microsoft officials could not be reached for comment at press time.

  • Global content security player establishes U.S. beachhead
  • Locking Up All of That 'Free Information'
  • Do-Not-Spam List Great For Spammers
  • New Alliance Opposes Anti-Piracy Mandates
  • 4/29: Bropia-AJ Worm Messages IM Users
  • AOL's AIM Puts Browser Security in Danger
  • 9/16: Evaman-D Worm Kills Active Processes
  • Critical Flaws Flagged in Mozilla, Thunderbird
  • 1/7: Sdbot-TB Worm Lets Hackers In Via IRC
  • 5/2: Doyorg Trojan Arrives Via AOL IM
  • 9/22: Rbot-KJ Worm Has Backdoor
  • Security Camera Industry Information