Contentious discussions in group boded ill for consensus on a standardCiting a lack of agreement on basic issues in the discussions of the working group, the IETF (Internet Engineering Task Force) has disbanded
the MARID (MTA Authorization Records In DNS) working group. The group had been working to create a standard for mail authentication for the fight against spam, mail worms and other e-mail abuse.
The groups short history has been fraught with controversy. The most recent crisis was over intellectual property claims by Microsoft over technologies in some of standards under consideration, and the Microsoft license to those claims. Open source advocates and many others rejected the terms as burdensome and incompatible with their own licensing practices.
But there has been more disagreement than consensus in the group in other areas as well. Advocates for similar methods of authentication have continued to argue strenuously for their favorite approaches, many of which may be covered under the claims of Microsoft in their patent applications.
There have been other problems. Recently it was noted that the name "Sender ID," which had been used by the standards documents for many of the proposals, has a trademark claim by a company that does related work.
In an e-mail to the working group, the co-Area Director Ted Hardie said that effort to formulate a single standard was hampered by a lack of real-world experience with the proposals. The directors recommended that the work of the various proponents move forward to Experimental RFC status, and that actual tests of the proposals proceed. They hope this experience will clarify some of the debates in the group.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
A frequent contributor to the group, Phillip Hallam-Baker of Verisign, recommends moving the process out of the IETF and into a "more professional outfit." Hallam-Baker says that ISO accreditation is more important than a big name.
But Yakov Shafranovich, a former chair of the Anti-Spam Research Group of the Internet Research Task Force argues that most such organizations are not as open to participants as the IETF, and so "if anything comes out of the other organizations, it is likely to be something done by big firms only, not to mention possible [intellectual property rights]. The [free and open source software] world will probably fight that standard and continue going with SPF, and so we might end up fighting these for a while."
Meng Weng Wong, author of the SPF standard and co-author of the Sender ID specification, is now advocating for Unified SPF, a proposal from earlier in the MARID process that lost attention when the Sender ID agreement with Microsoft was announced. Unified SPF is a framework which supports one or more authentication methods specified by the system administrator.
Wong thinks the variety is a virtue and not, as some think, a recipe for a standards war. "Saying we should only standardize one form of authentication is like saying gas stations should only offer 87 octane gasoline and not sell diesel at all." Wong argues that Unified SPF gives all the various advocates in the standards process the opportunity to deploy their favorite standard.
Questions may also be raised over potential actions by the US government.
In June the FTC rejected calls to create a Do-Not-Spam registry and noted that it couldnt work without a system of authentication. The FTC report actually contemplates mandating a system of authentication if the industry doesnt agree on one after a period of time.
Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page
Network Security & Hardware 
