September 2, 2004

Email Sender ID: It's like Kerberos all over again

Author: Joe Barr

Updated: We received a lot of interesting feedback in comments and email as a result of the story we ran last week, "Email Sender ID: the hype and the reality." Many of those who contacted us are intimately acquainted with the subject matter, having had personal, first-hand involvement in the process to date. One of those was Yakov Shafronovich, who co-chaired the Anti-Spam Research Group (ASRG) during 2003, when the group was considering this very issue, prior to passing it on to the IETF. That led to an exchange of email messages during which I got a much clearer look at how Microsoft is once again embracing, extending, and attempting to encumber open source technology. Doggone it, it looks like Kerberos all over again.

Yakov pointed me to a copy of the document produced by the ASRG committee that he co-chaired in 2003. The project was called Lightweight MTA Authentication Protocol, or simply LMAP. As with the protocols discussed in last week's article, authentication records are added to DNS and then used by the receiving SMTP server to authenticate the mail it receives.

Yakov also pointed out an early post to the ASRG mailing list by Bob Atkinson, the Microsoft employee whose previous expertise seems to have been primarily in XML, who later became the primary "author" of Caller ID.

Yakov noted, "It is clear from this message that Bob had no clear idea how these proposals work. Yet a year later, he published a draft of Caller ID with his name on it..."

The Microsoft Caller ID proposal had two major differences from the LMAP project: it used XML for the DNS records, and it determined the authenticity of the mail based on an algorithm for identifying the purported responsible address (PRA) from the message headers, rather than simply checking the TCP/IP address of the sending host against the sender domain taken from the SMTP "envelope."
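To make that second difference concrete, here is an added example (not from the article, and not code from any of the proposals) contrasting an envelope-based check with a PRA-based check on constructed messages. It assumes the PRA header precedence later written up in RFC 4407 (Resent-Sender, Resent-From, Sender, From) without that RFC's rules on the ordering of Resent-* blocks, and it replaces the DNS records with an in-memory table.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for the per-domain authorization records that LMAP,
# SPF and Sender ID publish in DNS: domain -> IPs allowed to send for it.
AUTHORIZED_SENDERS = {
    "example.com": {"192.0.2.10"},
    "news.example.net": {"198.51.100.5"},
}

def authorized(domain, client_ip):
    """'pass' if the domain lists client_ip, 'fail' if its record omits
    the address, 'none' if the domain publishes no record at all."""
    allowed = AUTHORIZED_SENDERS.get(domain.lower())
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"

def envelope_check(mail_from, client_ip):
    """LMAP/SPF-style check: the domain of the SMTP MAIL FROM (envelope)
    address is validated against the connecting TCP/IP address."""
    return authorized(mail_from.rsplit("@", 1)[1], client_ip)

def purported_responsible_address(raw_message):
    """Select the PRA by header precedence (simplified RFC 4407 order:
    Resent-Sender, Resent-From, Sender, From). Returns None when the
    selected header does not contain exactly one mailbox."""
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        values = msg.get_all(name)
        if values:
            addrs = [a for _, a in getaddresses(values) if "@" in a]
            return addrs[0] if len(addrs) == 1 else None
    return None

def pra_check(raw_message, client_ip):
    """Sender ID-style check: the PRA's domain is validated against the
    connecting IP, which a mail client can repeat from stored headers."""
    pra = purported_responsible_address(raw_message)
    if pra is None:
        return "none"
    return authorized(pra.rsplit("@", 1)[1], client_ip)

# Constructed sample: a list server relays Alice's post and adds a Sender
# header, so the PRA is the list address rather than Alice's From address.
LIST_MSG = ("From: Alice <alice@example.com>\n"
            "Sender: list-bounces@news.example.net\n"
            "To: members@news.example.net\n\nhello\n")
# Constructed sample: a From header naming example.com, no Sender header,
# arriving from an address that example.com does not authorize.
UNAUTHORIZED_MSG = "From: alice@example.com\nTo: bob@example.org\n\nhi\n"
```

With the list message, both checks pass because each validates the list's domain; with the second message, the envelope check says nothing about the From header while the PRA check fails on it.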

As detailed last week, Caller ID merged with Sender Policy Framework (SPF) to become Sender ID, but the sticky licensing bits over Microsoft's claims of intellectual property rights (IPR) came through the transformation unscathed. Microsoft has not budged on its stance of a restrictive license, perhaps hoping to drive a wedge between the GPL and other free software and open source licenses. The last-second tweaking of the licensing terms didn't really change that.

Sendmail author Eric Allman told us last week, when we asked if the licensing terms had prevented them from releasing a Sender ID solution, that:

It's true that we were unclear about the previous version of the license, and that was one part of holding off. There were other issues -- for example, we had Caller ID ready to go about the same time as it morphed into Sender ID, and we felt it was better to wait. In any case, we believe the terms of the new license to be

And to demonstrate just how acceptable Microsoft's new licensing terms are to part of the free software community -- and just how deftly Microsoft is playing BSD-style licenses against the GPL -- Sendmail yesterday announced its new open source Sender ID plug-in.

But Yakov questions Microsoft's IPR claims in either case. He points out, for example, that XML has been ripped out of the latest Caller ID and Sender ID specifications, which leaves only the Purported Responsible Address (PRA) functionality on which to base them. Yakov told us:

The main advantage of the PRA algorithm is allowing an email program such as Outlook or Mozilla to use Sender-ID, instead of restricting it to mail server software such as sendmail.

However, looking at the actual algorithm it is apparent to me that it is trivial. There is also an extensive collection of prior art... Examples of prior art include the fetchmail program written by a well-known open source advocate, Eric S. Raymond, as well as others. Members of MARID have also argued that the entire algorithm is just a rehashing of RFC 2822, which is copyrighted by the IETF. Taking into account that the discussions in the ASRG mentioned the use of RMX for verification of mail header fields, as the PRA algorithm does, and the IPR policy of the IETF, it is also unclear how Microsoft can claim IPR over someone else's ideas. For example, Hadmut Danisch, who wrote RMX, discussed verification of "From" headers with RMX over a year and a half ago:

Unfortunately, there seems to be nothing to keep Microsoft from making its shadowy, unsubstantiated, or even unequivocally bogus claims to intellectual property rights in Sender ID. And whether those claims are real or not, they allow the Microsoft monopoly to once again embrace, extend, and regurgitate-with-restrictions technology it has stolen from the public sector.

The Apache Software Foundation has sent an open letter to the IETF which states in part:

The current Microsoft Royalty-Free Sender ID Patent License Agreement terms are a barrier to any ASF project which wants to implement Sender ID. We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms.

The whole letter is definitely worth your time to read.
