Yahoo, Cisco Team on E-Mail Authentication

The companies announce work on a cryptographic authentication method that combines Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications.

SAN JOSE, Calif.—Yahoo and Cisco have joined forces to promote a cryptographic approach for authenticating e-mail in the battle against fraud and spam.

The two companies announced Wednesday that they are combining their two separate authentication proposals into a new specification called DomainKeys Identified Mail, or DKIM, and are planning to propose it as a Web standard.

Yahoo Inc. has been rallying around an approach it calls DomainKeys since late 2003, while Cisco Systems Inc. a year ago developed an authentication technology called Identified Internet Mail.

Both use public key cryptography in an attempt to verify the sender of an e-mail to combat the fraud used in phishing attacks and spam.

The merged specification, which has yet to be finalized, will combine DomainKeys' method of verifying a sender at the level of the Internet's DNS (Domain Name System) with the Identified Internet Mail specification's approach for maintaining the consistency of header signatures in messages as they traverse networks, said officials with the companies.

"Conceptually the two [specifications] are very similar," said Miles Libbey, anti-spam product manager for Yahoo Mail. "Both in their standalone versions had the ability to prevent forgery. By taking the best of both of them, we hope it increases those strengths."

Online attackers regularly send unsolicited e-mails and lure consumers into clicking malicious links or providing personal information by disguising their e-mail addresses with the domains of major consumer companies.

Cisco's specification has been less visible in the industry than DomainKeys and a Microsoft Corp.-based authentication approach called Sender ID, according to analysts.

Yahoo's DomainKeys, in particular, has begun gaining adoption among e-mail and Internet service providers. Yahoo Mail, the largest Web-based e-mail service, started supporting DomainKeys authentication late last year. Other backers include EarthLink Inc. and Google Inc.'s Gmail service.

By collaborating on the merged specification, Yahoo and Cisco should be able to create more interest in the DKIM approach, said Richi Jennings, an analyst at San Francisco-based Ferris Research.

"It's very good from the perspective that now there are only two and a half e-mail authentication schemes to think about rather than three and a half," said Jennings, who was counting the earlier merger of Sender ID with an approach called SPF (Sender Policy Framework) as slightly more than a single specification.

Yahoo and Cisco also are moving to make DKIM into a Web standard. The authors of the specification are working to submit a final specification to the Internet Engineering Task Force in time for the standards body's meeting in Paris, which opens on July 31, said Jim Fenton, a distinguished engineer at Cisco.

Along with representatives from Cisco and Yahoo, the authors of the DKIM specification include representatives from Sendmail Inc. and PGP Corp., Fenton said.

Sender ID also was considered as part of the IETF's MARID (MTA Authorization Records In DNS) working group, but that standards effort largely collapsed in September. Among the problems were concerns that Microsoft Corp. patents could potentially cover parts of the specification, and open-source objections to licensing requirements.

In their announcement, Yahoo and Cisco vowed to offer the merged DomainKeys and Identified Internet Mail specification to the industry at large and without seeking royalties. The license for DKIM will be similar to the DomainKeys license, Libbey said.

"The whole point of this is to gain industry adoption, so it is important to make sure the license is available to the entire industry," Libbey said.