Its only a little over a month since the collapse of the MARID working group and the apparent death of the Sender ID specification on which it had focused.
But now, from the secret workings of Microsoft and Meng Wong (playing here the role of Victor von Frankenstein), a stitched-up version of the spec has emerged, good enough to make AOL happy. It attaches the ancient (circa 2003) SPF Version 1 syntax to the new Microsoft PRA capabilities using the classic SPF DNS records.
Like a dagger through the head of open sourcedom, this new proposal has many recoiling in horror and calling for Mengs head. He has done the unthinkable, to bring Microsoft back into the process.
To recount a couple essential facts, large parts of the MARID community went ape a few months ago when Microsoft announced that it had made intellectual property claims on parts of the proposed Sender ID specification. It turned out that the relevant area was in the determination of the “purportedly responsible address,” or PRA, and the patent application is actually, arguably, a lot more aggressive than that.
Microsofts claims were actually within the bounds of what is permissible for an IETF standard, but they were a poison pill for most open-source licenses. This, combined with some actual technical criticism of Sender ID, caused the group leadership to throw in the towel and send everyone back to the drawing board.
But none of the licensing nonsense changed one important fact that Sender ID had going for it: It had a sporting chance to get the backing of most, if not all of the major ISPs and mail providers. Any standard that has this kind of backing has a good chance of creating, to use a diplomatic term, facts on the ground. With so many people using Sender ID, smaller organizations and ISPs might have to provide support or their users mail wont authenticate, and would be at a disadvantage.
This scenario became much more plausible when AOL signed up for Sender ID. Wong and Microsoft addressed some of those technical points to assuage AOL, and one has to assume some other objectors are now open to accepting Sender ID.
Who will set the
You know who else is likely to be assuaged? The FTC. After having made veiled threats to the industry to develop an authentication standard lest one be imposed on them, the FTC will be holding an E-mail Authentication Summit in D.C. Nov. 9-10. The modified Sender ID and support for it from AOL (the home team at D.C. events) are just about the only progress the industry can point to.
Its only been a little over a month, but its not like Ive seen serious efforts to move other proposals forward, with one exception. There is a separate proposed working group, IETF-Mailsig, working on a proposed standard for mail authentication through cryptographic signatures. Lots of top people believe in the cryptographic solution, if not in the short term than as an eventual successor to an IP-based solution like Sender ID.
And just because you support Sender ID doesnt mean you cant support other specs, although the administration can be cumbersome. Meng Wong diagrammed out some of the issues for a dual-Sender ID/Domain Keys implementation. Its hairy, but it can be done. I used to think that multiple implementations would be the norm, but I have to think now that administrators will want one set of records to maintain.
If Sender ID muscles its way into e-mail dominance, what will opensource developers do? There was some talk of ignoring or directly challenging the patent application (there is a complicated and expensive process for this called a patent interference; OSS developers arent usually in a position to mount such an effort). Ignoring it would be a dangerous gamble, although I dont think Microsofts going after anyone unless they sue the company over it themselves (i.e., this is a defensive patent).
Personally, Im sick and tired of the lack of achievement that openness and the OSS community have gotten us. If it werent for private companies like Microsoft and Yahoo and Meng Wong personally, we wouldnt have anywhere near as many plausible solutions in sight as we do now.
In the meantime the lack of e-mail authentication and its attendant problems, including spam, phishing and worms, are turning the Internet into a house of horrors.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer