IETF deals Microsoft's e-mail proposal a setback

A proposed technology for identifying the source of e-mail messages suffered a blow last week when a group within the Internet Engineering Task Force (IETF) established to study the proposal sent it back for more work, citing concerns over vague intellectual property claims made by Microsoft Corp. covering some of the technology.

Members of the IETF's Mail Transfer Agent Authorization Records in Domain Name System (DNS) working group, also known as MARID, voted last week to not to proceed with standards documents for the Sender ID authentication technology that were submitted by Microsoft to the IETF for approval in June. The group's members reached a "rough consensus" that questions about intellectual property claims by Microsoft could torpedo deployment of the standard unless they are resolved, according to a message posted to a discussion list for the group.

The vote by MARID is just the latest voice in a chorus of complaints about the proposal, which Microsoft promoted heavily as one piece of a multipronged attack on spam. In recent weeks, leading open source software groups have already said they will not use it in their products, because Microsoft's terms for use of the technology violate the terms of their own open source license.

In an e-mail statement, Microsoft said that MARID's decision "does not mean Sender ID has been rejected," but that changes proposed by MARID will make the standard more flexible. Microsoft is "excited to continue our collaboration with industry stakeholders to help move this important authentication protocol forward" and sees a future in which "complementary technologies" will be used with Sender ID to fight spam.

Sender ID closes loopholes in the current system for sending and receiving e-mail that allow senders, including spammers, to fake, or "spoof," a message's origin. Organizations publish a list of their approved e-mail servers in the DNS. That information, referred to as the sender policy framework (SPF) record, is then used, in part, to verify the source of e-mails sent to other Internet domains by checking information contained in the e-mail "envelope" -- basic information about the source of the message that is sent before the actual message content.

Tens of thousands of Internet domains have published SPF records since Meng Weng Wong of Pobox.com. introduced the standard. In May, Microsoft and Meng reached an agreement to merge SPF with a Microsoft-developed technology called Caller ID to form the new Sender ID standard. The merged proposal includes Microsoft-developed technology for authenticating e-mail messages by checking information in the e-mail header, in addition to checking the e-mail envelope using SPF.

However, nagging questions remain about the licensing language for using the Sender ID technology, as well as about Microsoft's refusal to discuss the scope of intellectual property claims and patents it intends to file for Sender ID algorithms used to perform "purported responsible address," or PRA, checks.

Both the Apache Software Foundation and the Debian Project said that they will be unable to support Sender ID in their products. As currently proposed, the Sender ID license does not meet the standard that each group holds for software distributed with their products, the groups said.