Microsoft was also at the heart of another controversy. Anger flared in the MTA Authorization Records in DNS (MARID) working group at the IETF. MARID is choosing a standard for authenticating email, and favours SenderID, a hybrid of SPF and Microsoft's CallerID.
At the heart of the matter is a patent application which Microsoft believes will cover the protocols of SenderID. Although the company has formally offered the IETF (and prospective users of the technology) a "royalty-free license", that license requires developers to sign Microsoft agreements. Apart from no guarantee Microsoft will not change the terms in the future, that provision is in direct opposition to open source licenses like the GPL.
Much of this is still hypothetical: the patent is still in application so no one (outside Microsoft) seems to know what it is supposed to cover. It may not be awarded, though the track record of the US patent office suggests almost anything can be patented today. Once awarded, it may be found over-broad or voided by prior art. But the principle of allowing a protocol acknowledged to be restricted by patents through the IETF standards process goes beyond Microsoft and MARID. This could be any patent-holder and any standard. The outcome for the open source community, and the internet community, would be similar.
In amongst the usual background noise of bickering and contention on the MARID mailing list, big guns have started to take aim against SenderID. Richard Stallman, Larry Rosen and Eben Moglen have posted messages to the MARID mailing list, unequivocally stating that the license would exclude open source software developers from using the proposed standard.
The Apache Foundation, which includes projects such as the popular SpamAssassin and the James mail server, has declared that due to licensing issues it "will not implement or deploy Sender ID under the current license terms."
Through it all, chairmen Andrew Newton and Marshall Rose are working desperately to keep the process on track. Newton politely declined to talk to SC Magazine until some resolution is achieved, but did say he hoped to see some clarity before mid-September.
We can only hope so. Although SPF/SenderID is unlikely to be particularly effective against spam, it will help a bit. More importantly, it can be a stake through the heart of phishing attacks, Joe jobs and similar identity theft activity. However, the need for an unencumbered standard cannot be ignored.
Send your view to scfeedback@haynet.com.
Jon Tullett is UK and online editor for SC Magazine
.png&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
