Authentication Standards Continue to Vex Security Pros
"Kudos to the IETF," said security analyst Pete Lindstrom of Spire Security LLC, of Malvern, Pa. "There are plenty of other standards out there," he added. Lindstrom thinks that the current level of disagreement among members of the MARID working group would have prevented any standard from appearing in the immediate future.
The MARID working group cited a lack of agreement on basic issues that would lead to a standard to help fight spam, mail-based worms and other e-mail abuse. The group has been surrounded by controversy recently. Microsofts Sender ID has licensing requirements that many Internet users, especially members of the open-source community, find objectionable.
Others said that the other major standard, the SPF (Sender Policy Framework) specification ,SPF (Sender Policy Framework) specification , doesnt really provide the level of protection that Sender ID can provide.
Some saw a bright spot, however. "Maybe there was work completed by the MARID group that can be carried forward," Lindstrom suggested, "This could be the first step in a series of steps."
Part of the working groups problem may also have been that e-mail authentication isnt easy.
"To solve the e-mail authentication problem is a huge challenge," said Reed Harrison, CTO and Founder of eSecurity Inc., of Vienna, Va.
"Proprietary solutions will proliferate," he predicted, noting that major companies are beginning to form alliances, but that there will probably be competing standards for some time. "This will be very complex," he said.
Tim Lorello, vice president of Annapolis, Md.-based TeleCommunication Systems Inc., a major provider of text messaging services for the wireless industry, said he was disappointed at the news. "This is not a good thing," Lorello said, "its a blow to the industry."
According to Lorello, the result will be more complex systems, and the possibility that proprietary standards will take over. "Its another Microsoft play for monopoly penetration," he said.
The result will be more spam for wireless users who can ill-afford it, he added, and a more complex environment. "Itll be harder for the industry as a whole to slow down the growth of spam."
Ken Schneider, Chief Architect for Symantec Corp. agreed that the disbanding of the MARID working group will lead to more standards, some proprietary and some not. "Itll make more work for everyone," he said.
"Its an unfortunate situation where well have several standards; unfortunate for senders of e-mail," Schneider said. For large senders of legitimate e-mail, such as mailing list coordinators and companies keeping in touch with their customers, the lack of a single standard will mean that the search will continue for authentication, so that intended users will get the mail theyve requested.
"We support e-mail authentication," Schneider said, but added that commercial e-mailers will be facing a much more complex task. Adding to the complexity, he expects additional standards to arise. "Yahoo Domain Keys will be going to the IETF," he said.
Some analysts observed that the MARID working groups chance of producing a successful standard was unlikely since the players involved werent committed to cooperation.
"The notion of standards in this case is centered around people appearing to play well together instead of actually playing well together," Lindstrom said. It was leading to a situation in which the MARID working group could "go on forever without accomplishing anything."