IETF deals Microsoft's e-mail proposal a setback

A proposed technology for identifying the source of e-mail messages suffered a blow last week when a group within the Internet Engineering Task Force (IETF) established to study the proposal sent it back for more work, citing concerns over vague intellectual property claims made by Microsoft Corp. covering some of the technology.

Free IT resource Hear how top CIOs turn change into a competitive advantage. Sponsored by HP Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld

Members of the IETF's Mail Transfer Agent Authorization Records in Domain Name System (DNS) working group, also known as MARID, voted last week to not to proceed with standards documents for the Sender ID authentication technology that were submitted by Microsoft to the IETF for approval in June. The group's members reached a "rough consensus" that questions about intellectual property claims by Microsoft could torpedo deployment of the standard unless they are resolved, according to a message posted to a discussion list for the group.

The vote by MARID is just the latest voice in a chorus of complaints about the proposal, which Microsoft promoted heavily as one piece of a multipronged attack on spam. In recent weeks, leading open source software groups have already said they will not use it in their products, because Microsoft's terms for use of the technology violate the terms of their own open source license.

In an e-mail statement, Microsoft said that MARID's decision "does not mean Sender ID has been rejected," but that changes proposed by MARID will make the standard more flexible. Microsoft is "excited to continue our collaboration with industry stakeholders to help move this important authentication protocol forward" and sees a future in which "complementary technologies" will be used with Sender ID to fight spam.

Sender ID closes loopholes in the current system for sending and receiving e-mail that allow senders, including spammers, to fake, or "spoof," a message's origin. Organizations publish a list of their approved e-mail servers in the DNS. That information, referred to as the sender policy framework (SPF) record, is then used, in part, to verify the source of e-mails sent to other Internet domains by checking information contained in the e-mail "envelope" -- basic information about the source of the message that is sent before the actual message content.

Tens of thousands of Internet domains have published SPF records since Meng Weng Wong of Pobox.com. introduced the standard. In May, Microsoft and Meng reached an agreement to merge SPF with a Microsoft-developed technology called Caller ID to form the new Sender ID standard. The merged proposal includes Microsoft-developed technology for authenticating e-mail messages by checking information in the e-mail header, in addition to checking the e-mail envelope using SPF.

However, nagging questions remain about the licensing language for using the Sender ID technology, as well as about Microsoft's refusal to discuss the scope of intellectual property claims and patents it intends to file for Sender ID algorithms used to perform "purported responsible address," or PRA, checks.

Both the Apache Software Foundation and the Debian Project said that they will be unable to support Sender ID in their products. As currently proposed, the Sender ID license does not meet the standard that each group holds for software distributed with their products, the groups said.

Those criticisms registered with MARID members, as well. In a message posted to an internal discussion list for the group, MARID co-chairman Andrew Newton wrote that the questions about Microsoft's unpublished patent claims in Sender ID could not be ignored and that the group would have to look at alternatives to the Microsoft algorithms for doing PRA checks.

Given the potentially broad coverage of Microsoft's intended patent claims, Newton also said that MARID should not waste time researching alternatives that might be covered by Microsoft's claims, leaving it to the courts to sort out what is and isn't Microsoft's property, he said.

In its statement, Microsoft said that the Sender ID framework has essentially been accepted, and that MARID's decision only means there will be "an alternative spoof checking mechanism to the proposed PRA check."

"While we would have preferred a single technical mechanism as the standard, we believe this proposal to allow multiple scopes in the protocol is a reasonable approach to provide additional choice and flexibility," Microsoft said in the statement.

Meng Weng Wong backs the IETF decision, saying the patent threat was too big an unknown to simply pass over.

"The IETF has to operate in the reality of today. Patents and the defense of patents are a reality and there's no way to get around that," Meng said.

However, with neither Microsoft nor the open source community likely to budge, the IETF is now caught between two ideologically opposed camps as it tries to find a technological fix for the spam epidemic, said Meng.

Meng said he warned Microsoft about the patent issue repeatedly in the last six months and that the company was aware of the potential conflict, but lacked a resolution.

"Microsoft is a business. The question is, whether what's good for Microsoft is good for the Internet," he said.

Still, Meng hopes that the dispute can be resolved.

"At end of day, we're on the same side and we're trying to solve the spam problem together. If we can't do that because people have shortsighted vision, then that would be a real tragedy," he said.