Sender ID Wars Heat Up

By Steven Vaughan-Nichols  |  Posted 2004-09-02

Has Microsoft blinked on its licensing requirements for Sender ID, making it more acceptable to the open-source community? Some open-source leaders and companies think that it has, while others vehemently disagree.

Although Microsoft hasn't officially changed its Sender ID license, Harry Katz, program manager for Microsoft Exchange, has made three points about how it will be interpreted. He made them in a message to MTA Authorization Records in DNS, or MARID, the Internet Engineering Task Force standards group that is working on Sender ID.

"At this time, Microsoft is only aware of pending patent-application claims that cover its submission of the Sender ID specification," Katz said.

"Because Microsoft is not aware of any issued patent claims, Microsoft does not require anyone to sign a license with Microsoft to implement the Sender ID specification or any part of it that is incorporated into IETF [Internet Engineering Task Force] working drafts."

So, while Microsoft may patent technology that is included in Sender ID, it has no Sender ID patents for now.

"In conformance with the IETF IPR [Intellectual Property Rights] policy, Microsoft has disclosed the existence of those pending patent claims and has provided its assurance that if such claims are granted, Microsoft will make licenses available on reasonable and nondiscriminatory terms," Katz said.

"Second, as per the terms of the license itself, end-users who are recipients of a licensed implementation of Sender ID and distributors who are redistributing a branded, licensed implementation do not need to separately sign this license agreement," he said.

"Finally, we have committed to a royalty-free license," Katz said. "That means Microsoft will never charge a royalty or licensing fee to anyone using the Sender ID necessary patent claims to implement the Sender ID specification."

That was good enough for Sendmail Inc., maker of the leading Internet mail-routing server. Sendmail on Monday released the first implementation of its Sender ID authentication specification for testing under the Sendmail Open Source License, a variation of the BSD (Berkeley Software Distribution) license.

This module has been released as an open-source plug-in to the Sendmail MTA (Mail Transfer Agent). The Sendmail open-source mail filter, or "milter," is available from Sendmail.

But Sendmail is releasing its Sender ID milter without signing any licensing agreement with Microsoft.

"I don't plan on signing a Microsoft license since, from a business standpoint, it doesn't give me anything anyway," said Dave Anderson, Sendmail's CEO. "This isn't just for testing. I plan on going into production with no signed agreement."

"Microsoft has said that the license is royalty-free, so why would I want one?" he asked. "I'm certainly not the right person to judge if [Microsoft's Sender ID licensing position] is acceptable to the open-source community at large, but I do have to say that there are numerous open-source licenses—you're not talking about one thing."

But Lawrence Rosen, a partner in the law firm Rosenlaw & Einschlag and author of "Open-Source Licensing: Software Freedom and Intellectual Property Law," said he thinks Microsoft's change in stance is not sufficient.

"Microsoft has not made its Sender ID patent available under a license that is compatible with the GPL [GNU General Public License] or other open-source licenses. Their attorney and I—on behalf of several interested parties including the FSF [Free Software Foundation]—are working together to make that happen," Rosen said.

"I encourage everyone to be patient and optimistic, but in the meantime, please do not accept Microsoft's Sender ID patents under the current license terms."

As far as Sendmail's open-source Sender ID milter is concerned, Rosen said, "Regardless of whether Sendmail has released what they may call an open-source implementation of the IETF's Sender ID specification for testing on the Internet, the current version of the Microsoft Sender ID patent license is not compatible with open-source licenses."

But Eric Raymond, president of the Open Source Initiative, said he does think Microsoft's concession is significant. "He [Katz] quoted a promise of a license with no royalties and no requirement to sign an agreement. That looks like victory to me," Raymond said.

Craig Spiezle, director of industry and partner relations in Microsoft's technology and strategy team, stressed the license's royalty-free nature. "Microsoft is committed to working with the industry in a collaborative way to license Sender ID royalty-free," he said. "The technology is available to all interested parties, free of charge, based on widely utilized, industry-standard terms of use."

"It's important to note that a license is not required for those looking to adopt Sender ID by publishing their IP addresses in DNS, as outlined in the Sender ID Framework specification," Spiezle said.

"And again, programmers and developers implementing the Sender ID specification in their applications can receive a license to do so entirely royalty-free. For anyone interested in using Microsoft IP outside of the scope of the standard implementation, we encourage them to talk to us about a license," he said.

Microsoft has been pushing for Sender ID adoption. The company on Wednesday held a private meeting in Redmond, Wash., with ISPs and e-mail vendors to discuss how they might implement Sender ID. There, according to reports, the crux of the disagreement came out.

In talking with Spiezle, the Microsoft exec seemed to have trouble understanding that "cost was not the issue, and that there was a fundamental incompatibility with open-source licenses," Matt Sergeant, senior anti-spam technologist at managed e-mail security services provider MessageLabs Ltd., wrote in a note to the MARID mailing list.

"On the cost issue, I believe that sunk in," Sergeant wrote. "On the incompatibility issue, I don't believe we managed to agree with each other."

This fundamental incompatibility, according to Rosen, stems from the widespread treatment of open-source licenses as sublicenseable. "The open-source development and distribution process works as well as it does because everyone treats open-source licenses as sublicenseable, and most of them are expressly so," he said.

"Open-source licenses contemplate that anyone who receives the software under license may himself or herself become a contributor or distributor. Software freedom is inherited by downstream sublicensees.

"Meanwhile, the Microsoft Sender ID patent license continues the convenient fiction that there are end-users who receive limited rights. That is unacceptable in open-source licenses," Rosen said.

Other open-source groups agree with Rosen's interpretation. The ASF (Apache Software Foundation) on Thursday announced in a position paper, "The current Microsoft royalty-free Sender ID patent license agreement terms are a barrier to any ASF project that wants to implement Sender ID."

"We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards and specifically incompatible with the Apache License 2.0," the foundation said. "Therefore, we will not implement or deploy Sender ID under the current license terms."

On Aug. 27, Philip Hazel, author of the popular Exim MTA, wrote, "Exim is licensed under the GPL. As the proposed Microsoft IP license is not GPL-compatible, Sender ID cannot be implemented in Exim."

Fed up with the lack of progress over these issues, many MARID members are arguing that Sender ID should be abandoned. Still others argue that Sender ID would not be the only IETF standard that comes with patent baggage. For instance, SSL (Secure Sockets Layer) is patented by Netscape.

In any case, while the debate rages on in the MARID community, Sendmail has implemented what it claims to be an open-source version of Sender ID, without a Microsoft license. And Rosen said he will continue trying to make "the next version of the Microsoft patent license … better."

"I'm working with Microsoft's attorney to help make that happen," he said.

Editor's Note: Larry Seltzer provided additional reporting for this story.
