The only really serious effort to do something about the overall problem is currently focused on an IETF standards group called MARID (MTA Authorization Records in DNS). A proposed specification has been written and will be discussed at an IETF meeting in San Diego next week. Microsoft has been a positive force in this process so far and worked with Meng Wong, developer of SPF (Sender Policy Framework), the main standard inspiring the MARID group, to combine it with their Caller ID for E-mail spec and make a better standard.
There's a problem though: Microsoft claims that it holds patents related to the technology behind Caller ID. Even though it issued a free (as in beer) license to these patents and the Caller ID technology, the license doesn't pass muster with open-source advocates. Richard Stallman himself just chimed in on the MARID mailing list on the subject, declaring that "Microsoft's Sender-ID license is directly incompatible with free software regardless of which free software license is used."
He's right, at least as I read the license. It says that you can implement the spec for free, but you need to make an agreement with them, i.e. directly with Microsoft. You can't just put the code up on a Web site and let anyone else download it and use it. He goes on to say, "In the absence of resistance, Microsoft has a good chance of imposing whatever standards it likes. Let us, therefore, resist it here and now."
I decline to be inspired by this call to action. The free software movement has been notably useless in the fight against spam. The members of the 9/11 commission are going around advocating their report's recommendations saying, "If you don't like them, come up with something better, because something has to be done now." That's how I feel about SMTP authentication. Nothing useful can be done about spam until some form of SMTP authentication is in place, and I would also argue that RFC2822 authentication—what the Caller ID part of the spec does—is a necessary part of it. If you don't like the spec, come up with something better.
But of course that's not going to happen, so MARID has to be successful. And to be successful it has to be widely accepted and as uncontroversial as possible. Because of this, Microsoft simply has to drop its license conditions and come up with something that even the most extreme open-source advocates can put up with.
It's worth noting that the patent license isn't technically a problem for the IETF. The IETF has lots of standards based on patented technologies, and most large corporations and software companies don't have a problem signing them. But that's not good enough in this case.
Microsoft isn't alone in disliking the GPL. Even advocates of other open-source licenses, BSD in particular, dislike it. Many GPL advocates figure that only their license is "free." I don't agree, and Microsoft certainly doesn't agree, and I don't begrudge them their rights to license their software as they see fit.
This isn't the time or place to fight that fight. Whatever value Microsoft sees in the patents, it has to pale in value compared with an effective standard to battle spam. What matters here and now is for that standard to move ahead unimpeded by a political issue that will drown out all the arguments over the true merit.
Microsoft representatives on the MARID working group have said they are working to come up with a response to a request to clarify their intellectual property claims. They can't answer soon enough, but the wrong answer could be bad news for MARID, and that's bad news for everyone.
But think of the potential for a cooperative Microsoft: They could be a major part of a specification that helps to solve perhaps the biggest problem in computing today, and to have that solution accepted even by those who usually spurn anything the company does. Technical issues might remain, but only the unreasonable would reject the solution simply because Microsoft had a hand in it. This would not just be a valuable service to all users on the Internet, it would be illustrative.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.