I Come to Bury Sender ID, Not to Praise It

By Larry Seltzer  |  Posted 2004-08-26

It must have seemed like a good idea at the time: The effort to create an effective standard for SMTP authentication relied, and still relies, on quick adoption by the largest companies in the e-mail business, and Microsoft is a significant company in both the e-mail software and service business. Why not bring them into the process and make them a central part of the solution?

But it was not to be. With just hours to go on their deadline under the IETF standard process, Microsoft finally released their revised license for their intellectual property rights claims in Sender ID. Microsoft has offered a royalty-free license to all implementers of their property and, it would appear, more than satisfied the needs of the IETF.

But open-source advocates in the working group have emphatically rejected the proposed license. Those who would create a distribution of it must obtain one of these royalty-free licenses directly from Microsoft by faxing a signed license form to the company. So if you have a license and wish to publish your source code for others to implement, you can't include the intellectual property rights with the distribution.

This only applies to people creating new distributions of the software, not people who simply want to use software that implements Sender ID, even GPL software, or who want to create Sender ID records in DNS.

The reasons for the license are defensive. The only people who can't get a license are those who are suing Microsoft over the intellectual property claims in it. As one participant said, any company with a sizable R&D staff will need to make such defensive moves, and the IETF has happily worked with standards that involved IPR licenses before, many more restrictive and burdensome than this.

But Sender ID is different. It is intended for a software market that has had a large presence of open source software. There is some dispute in the working group over whether the license is or is not compatible with most open-source licenses, especially the GPL, but there is a consensus that it is at least problematic for those licenses and a poke in the eye of those who use them. And lawyers from the Free Software Foundation have stated that the license is not GPL-compatible.

I tried to warn them, and I know I wasn't alone. Microsoft gave the impression that stopping spam, phishing and other abuses of e-mail was important to them, but it obviously wasn't important enough. For Sender ID to be successful it needs to be adopted widely, and the only way that was going to happen was if it was unencumbered by burdensome licenses. And it had to be obviously free in everyone's sense of the word so that everyone could feel free implementing it and getting to the important business of fixing the broken e-mail system on the Internet. Microsoft just couldn't bring themselves to do it. Instead they actually advise people, if they are unsure of how the license affects them, to hire a lawyer.

We Can Do Better

There's another point that's bothering people, which is the exact scope of their IPR claims. Microsoft has said they have patent claims related to Sender ID, but haven't said exactly what they are. Microsoft set up an e-mail address (stdsreq@microsoft.com) to which people could send questions on the matter. I asked them, "Can you tell me what patents Microsoft holds that pertain to an implementation of Sender ID?" and haven't heard back. It appears that the claims have to do with the retrieval of the PRA (purported responsible address) from the message. It's just not worth scuttling Sender ID over that.

And it could have turned out well. The merger of SPF and Microsoft's Caller ID may have been a bit ugly and scientifically worthy of South Park's Dr. Mephisto, but it would have improved on the current situation a great deal. And it would have been good to show that Microsoft can be cooperative even with their most unrelenting and unreasonable enemies when an important issue is at stake.

In a way it's just as well, since the technical luster had come off Sender ID in the last couple of months, such as in the concern addressed here over the clogging up of DNS records. No approach that addressed all the major problems with e-mail fraud would lack some flaws, but even if there was a consensus on Sender ID it was not an overwhelming one. And with the licensing debacle the consensus has swung overwhelmingly against Sender ID and Microsoft in particular.

Perhaps Microsoft thought that Sender ID was such a killer standard that they could push people around, but it's not. They've only boxed themselves out of the process. The rest of the SID standards process will now be a waste of time thanks to Microsoft, and the other participants will afterwards pick up the pieces and get the job done with another spec. Rest assured that enough alternatives were proposed that something can be found that will suffice and that will have none of the license issues.

I feel sorry for the Microsoft participants in the process, principally Harry Katz of the Exchange Edge team, who I'm sure only wanted the whole thing to work and were restrained by persons senior to them, probably Microsoft's vaunted legal team who did such a good job for them in the past. Of course, we all know what Shakespeare said about lawyers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.