Authentication Standards Continue to Vex Security Pros

Security experts and vendors tried to find the silver lining behind the dissolution of the MARID working group. The outlook looks complex: multiple standards, something that's seldom good in the coding arena.

Following the announcement that the IETF (Internet Engineering Task Force) had pulled the plug on its MARID (MTA Authorization Records In DNS) working group, early reactions by security analysts and developers were mixed. Still, there was consensus that the immediate result will be a requirement by the industry to support at least two e-mail authentication standards.

"Kudos to the IETF," said security analyst Pete Lindstrom of Spire Security LLC, of Malvern, Pa. "There are plenty of other standards out there," he added. Lindstrom thinks that the current level of disagreement among members of the MARID working group would have prevented any standard from appearing in the immediate future.

The MARID working group cited a lack of agreement on basic issues that would lead to a standard to help fight spam, mail-based worms and other e-mail abuse. The group has been surrounded by controversy recently. Microsoft's Sender ID has licensing requirements that many Internet users, especially members of the open-source community, find objectionable.

Others said that the other major standard, the SPF (Sender Policy Framework) specification, doesn't really provide the level of protection that Sender ID can provide.


Some saw a bright spot, however. "Maybe there was work completed by the MARID group that can be carried forward," Lindstrom suggested, "This could be the first step in a series of steps."

Part of the working group's problem may also have been that e-mail authentication isn't easy.

"To solve the e-mail authentication problem is a huge challenge," said Reed Harrison, CTO and Founder of eSecurity Inc., of Vienna, Va.

"Proprietary solutions will proliferate," he predicted, noting that major companies are beginning to form alliances, but that there will probably be competing standards for some time. "This will be very complex," he said.

Tim Lorello, vice president of Annapolis, Md.-based TeleCommunication Systems Inc., a major provider of text messaging services for the wireless industry, said he was disappointed at the news. "This is not a good thing," Lorello said, "it's a blow to the industry."

According to Lorello, the result will be more complex systems, and the possibility that proprietary standards will take over. "It's another Microsoft play for monopoly penetration," he said.

The result will be more spam for wireless users who can ill afford it, he added, and a more complex environment. "It'll be harder for the industry as a whole to slow down the growth of spam."


Ken Schneider, Chief Architect for Symantec Corp., agreed that the disbanding of the MARID working group will lead to more standards, some proprietary and some not. "It'll make more work for everyone," he said.

"It's an unfortunate situation where we'll have several standards; unfortunate for senders of e-mail," Schneider said. For large senders of legitimate e-mail, such as mailing list coordinators and companies keeping in touch with their customers, the lack of a single standard will mean that the search will continue for authentication, so that intended users will get the mail they've requested.

"We support e-mail authentication," Schneider said, but added that commercial e-mailers will be facing a much more complex task. Adding to the complexity, he expects additional standards to arise. "Yahoo Domain Keys will be going to the IETF," he said.

Some analysts observed that the MARID working group was unlikely to produce a successful standard, since the players involved weren't committed to cooperation.

"The notion of standards in this case is centered around people appearing to play well together instead of actually playing well together," Lindstrom said. It was leading to a situation in which the MARID working group could "go on forever without accomplishing anything."


Wayne Rash


Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...