
Sender ID: A Tale of Open Standards and Corporate Greed? - Part II

This is the second part of a two-part series article by Yakov Shafranovich, a co-founder and software architect with SolidMatrix Technologies, Inc., and former co-chair of the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF). Read Part I of this series.

While everything seemed fine and the various participants in these discussions were celebrating the merger of these proposals into one, as well as Microsoft's support for the endeavor, there was, so to speak, an elephant in the room, and a rather large one at that. When the original Caller-ID proposal was published, a patent license came along with it. Microsoft indicated that they were planning to file patents on Caller-ID or some of its aspects, and offered a royalty-free license for the use of their intellectual property. There was some discussion of the incompatibility of the license with open source software, including comments from Eben Moglen of the FSF and Richard Stallman, but Microsoft employees assured the MARID WG that the licensing issue would be resolved in time for the San Diego meeting. Except that it wasn't. The license was not changed until the last call procedure had begun, leaving only two weeks to discuss both the IPR and the remaining technical issues. Nor was the license substantially changed. This sparked a heated debate in the MARID WG which is still simmering. Among the problematic sticking points in the license are the requirement for each implementer to sign a license with Microsoft, the fact that the license is not sub-licensable to others, and Microsoft's inherent ability to revoke the license. But the problems did not stop there: it seems that the elephant in question was a rather larger specimen than previously thought.

It is well known that free and open source software, collectively called "FOSS", runs the majority of the Internet's infrastructure: Linux, Apache, BIND, sendmail, OpenSSL and others hold a significant, if not the largest, share of their respective markets. On the other hand, the majority of the desktop market is dominated by commercial software, a major part of which is either made or sold by Microsoft. This split is even more pronounced in the email market than in other categories: the four most widely used email server packages today are qmail, sendmail, postfix and exim, all of which are FOSS (although some dispute that regarding qmail). And this is where the elephant marches in.

After the new Microsoft license was published, it was reviewed by Eben Moglen, legal counsel of the Free Software Foundation (FSF), and Larry Rosen, legal counsel of the Open Source Initiative (OSI). Both have stated that this license is not compatible with the General Public License (GPL) and possibly with other open source licenses (see DEPLOY: IPR/GPL). Microsoft's lawyers have concurred with that analysis with regard to the GPL in their updated FAQ [PDF], published a few days ago. Aside from this, the very fact that Microsoft would know who its possible competitors in the email business are is in itself rather disturbing. And to stir the pot, the viewpoint of Microsoft's lawyers on the subject is rather die-hard and strange. According to Eric Allman of Sendmail, they have stated that they would rather see Sender-ID die than change the license. Eric commented on this by stating that "It's pretty clear that it's going to take an act of whatever deity Microsoft worships in order to get them to back down on the sublicensing issue".

As if the situation were not complicated enough, Microsoft has refused to disclose exactly what rights they might be claiming. While this is not unusual, since the patent application has not been granted yet, it nevertheless reduces the IETF's flexibility in evaluating the issue. Some MARID members have indicated that Microsoft might be claiming IPR on the very concept of sender authentication, which is clearly not their idea. While this does not affect desktop email software, where Microsoft clearly holds a majority of the market, it does affect email server software, where they do not.

This brings us to the next point of this story: what did Microsoft possibly invent? When published, the Caller-ID standard had two major distinctions over the existing set of authentication proposals: it used XML, and it had the PRA algorithm to address phishing in addition to spam. The rest of the proposal was based directly on SPF, DMP, RMX and others, all of which date back to Paul Vixie in 2002 and to Jim Miller in 1997. While the US Patent and Trademark Office may grant a patent even on something with such obvious prior art, the enforceability of such a patent would be questionable in light of prior art going back seven years. Therefore, it is logical to assume that the two extra features appearing in Caller-ID are the ones being claimed.

The use of XML for RMX was first proposed by Bob Atkinson, who would eventually author the Caller-ID proposal, in a posting to the ASRG list in May of 2003. At that time, the proposal under discussion was RMX, and it was very clear that Microsoft did not yet have anything else on hand. What makes this interesting is that the ASRG list operates through the ietf.org domain, which includes a "note well" notice on its mailing list page. This note addresses IPR issues very clearly and requires contributors to state any possible IPR claims. Postings to lists are included, and while it may be argued that the ASRG list is not an official IETF list, it may nevertheless be covered by this notice. In the absence of IPR claims, postings to mailing lists grant certain rights to the IETF. Microsoft and their employees have never disclosed any IPR claims, thus possibly granting rights to the IETF. Of course, this is something that we can leave to the lawyers to argue over.

The use of RMX in conjunction with email headers, as opposed to the SMTP transaction, was first proposed on the ASRG list by Hadmut Danisch and others in May of 2003. This is the basic foundation of the PRA algorithm, which is based on the way the email standards themselves are defined in RFCs 821 and 2822 (IP of the IETF, of course). The actual algorithm describes the order in which various email headers are parsed, which is very similar to the way fetchmail, SpamAssassin and several other software packages do it. It is questionable whether any of this can be patented in light of its obviousness and possible prior art (see postings here and here).
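To make concrete what the header-parsing step of PRA actually does, here is an added example (not code from the article or from any Sender-ID implementation) that selects the purported responsible address from a message's headers; it assumes the Resent-Sender, Resent-From, Sender, From precedence later codified in RFC 4407, omits that RFC's extra rule about Received/Return-Path lines between Resent-* headers, and uses constructed sample messages.

```python
from email import message_from_string
from email.utils import getaddresses

# Header precedence used by the PRA algorithm. This ordering follows the later
# published RFC 4407 description and is an assumption of this example; the
# article itself only says the algorithm fixes a header-parsing order.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def purported_responsible_address(raw_message: str):
    """Return (header_name, mailbox) for the PRA, or None if it cannot be
    determined. Simplified: the first non-empty header of each name wins and
    must hold exactly one mailbox, otherwise the PRA is undefined."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        for value in msg.get_all(name, []):
            if not value.strip():
                continue  # empty header: keep looking, then try the next name
            mailboxes = [addr for _, addr in getaddresses([value]) if "@" in addr]
            # The winning header must contain exactly one mailbox.
            return (name, mailboxes[0].lower()) if len(mailboxes) == 1 else None
    return None

def pra_domain(raw_message: str):
    """Domain a Sender-ID receiver would look up a policy record for."""
    pra = purported_responsible_address(raw_message)
    return pra[1].rsplit("@", 1)[1] if pra else None

# Constructed sample messages (not taken from the article).
DIRECT = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
VIA_LIST = ("From: Alice <alice@example.com>\n"
            "Sender: Mailing List <list@lists.example.org>\n\nbody\n")
FORWARDED = ("Resent-From: bob@forwarder.example\n"
             "Sender: list@lists.example.org\n"
             "From: alice@example.com\n\nbody\n")
AMBIGUOUS = "From: alice@example.com, mallory@example.net\n\nbody\n"

if __name__ == "__main__":
    for label, m in (("direct", DIRECT), ("list", VIA_LIST),
                     ("forwarded", FORWARDED), ("ambiguous", AMBIGUOUS)):
        print(label, purported_responsible_address(m), pra_domain(m))
```

Note how the mailing-list and forwarding cases yield a domain other than the one in From:, which is exactly why PRA differs from an SPF classic check on the envelope MAIL FROM.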

Taking a step back, we see a glaring contrast between the acts of Microsoft and of the others involved in these proposals. While the various authors of sender authentication proposals have based parts of their drafts on other drafts, none of them filed for patents (although the SPF authors considered filing a defensive patent). While there have been disagreements and some heated arguments about acknowledgements, these are not issues that affect implementers. It turned out to be what the open standards process is all about — building standards together in an open fashion, very similar to the way FOSS operates. On the other hand, Microsoft is claiming IPR in proposals that may very well not even be theirs and that evolved in an open discussion, is asking for a restrictive license, and is refusing to consider the market truth — that most email server software is FOSS and might not be able to use this standard. Their claim of a defensive patent does not hold water, since other companies have managed differently and there are other ways to accomplish the same goal. The fact that FOSS is Microsoft's greatest competitor at this time does not help their image, as many, including governments, may start to wonder whether Microsoft is using standards development as a backdoor to killing FOSS.

It is pretty clear that there are orders from on high with regard to the IPR issues. For example, in a recent posting to the MARID list, Matt Sergeant of MessageLabs shared his experiences from yesterday's Sender-ID summit held at Microsoft. He suggested to Microsoft that they should consider donating their IP to the community, as IBM has done in the past. The reply received was "that Bill Gates himself had vetoed that idea because of the current focus on patent gathering and IPR issues at Microsoft". In a way I feel bad for the Microsoft employees who contributed to both the ASRG and MARID discussions. They worked hard in both forums, trying to improve these proposals for the benefit of the Internet community, only to be overridden by their employer. Of course, wherever there is an opportunity, there is also a motive. The unanswered question in all of this is what is driving Microsoft to the point where they would rather see the entire standard killed than back down, at immense public relations detriment to themselves. Many are starting to feel that simple corporate greed is at work: either a desire to destroy their greatest competitor, namely free and open source software ("FOSS"); a shot at monetizing their extensive IPR portfolio, as in the recent case of the FAT patent and memory cards; or maybe simply an inherent inability to give up their usual monopolistic behavior and bring themselves to give up something for the good of the community. Unless another lawsuit comes along with a good discovery process, we may never know.

At the time of writing, the MARID WG was still debating the issue. On one side, many members, mainly SPF community members and open source users and advocates, have expressed their displeasure with the license and have called for discarding Sender-ID in favor of SPF. These include some important members of the FOSS community, including the Apache Software Foundation. On the other hand, others have expressed their belief that the issue is overblown and that Microsoft is not out to get anyone. At this point, the IETF faces an interesting dilemma — it can go back to SPF classic, thus snubbing Microsoft, possibly risking the loss of Microsoft's support as well as that of its partners and other commercial firms, and risk making the IETF "irrelevant" to the commercial software community, as some members have claimed. On the other hand, it can choose to approve Sender-ID, and either ignore the IPR claims as irrelevant or accept the IPR disclosure and licensing terms as acceptable to the IETF. In the process it risks alienating the FOSS community. And of course, any decision made by the chairs of the MARID WG is only the first step in the approval process. There is still approval by the IESG, and it is probable that no matter what decision is made by the MARID chairs and the IESG, it will be appealed through the IETF process all the way to the top. This may very well spark a new jihad between FOSS supporters and Microsoft, with both sides severely overblowing the issues and possibly making fools of themselves in the eyes of the community. At the same time, it is also sad to see that the IETF is being forced to decide this. While the IETF is very good at making decisions on technical issues, it is not the proper body to do the same on non-technical ones. Being forced to decide on the IPR issues might lower the reputation of the IETF in the eyes of both the FOSS and commercial software communities, which would be detrimental to everyone. Remember, they created and have maintained most of the current Internet standards, and have done so in an open fashion for quite some time, longer than the age of most commercial software companies and most FOSS projects. This also points to the simmering issue of software patents, something that other standards organizations such as the W3C have been struggling with as well.

Of course, there is also a third option — both sides can negotiate something that will satisfy them, which is something that Microsoft has refused to do so far. Here, I tend to agree with the words of Eric Allman: "It's pretty clear that it's going to take an act of whatever deity Microsoft worships in order to get them to back down". It is most probable that the deity in question is Bill Gates, and he still has a chance to turn this from a tale of corporate greed to one of open standards.

Read Part I of this series.

By Yakov Shafranovich, Software Architect & Consultant. More blog posts from Yakov Shafranovich can also be read here.

Related topics: Security, Spam


Comments

Re: Sender ID: A Tale of Open Standards and Corporate Greed? - Part II Paul Vixie  –  Sep 02, 2004 1:08 PM PDT

This whole debate is silly. There will never be a universal standard for e-mail authorship verification, no matter what IETF MARID or Microsoft do. Let a thousand flowers bloom. SPF works. Jim Miller's MAIL-FROM (which I documented here) works. Domain holders can put in metadata for all the verification styles they consider relevant, and mailserver administrators can look up the ones they consider relevant. Let's stop debating this and start implementing it. We're bogging down on questions of IPR and authorship when the fact is that a single standard isn't necessary (or possible). It's clear that IETF just can't settle this kind of controversy — but we all know that market forces can.

Re: Sender ID: A Tale of Open Standards and Corporate Greed? - Part II Yakov Shafranovich  –  Sep 07, 2004 10:39 AM PDT

As suspected, Microsoft's Harry Katz confirmed that the PRA algorithm itself is what the IPR claims are on. The rest of Sender-ID is unencumbered by IPR claims.

Re: Sender ID: A Tale of Open Standards and Corporate Greed? - Part II Yakov Shafranovich  –  Sep 08, 2004 7:17 PM PDT

Looks like Sender-ID has been basically killed in its current form according to a post from MARID chairs. More coverage at InternetNews.com and GrokLaw.

Re: Sender ID: A Tale of Open Standards and Corporate Greed? - Part II Ian Peter  –  Sep 13, 2004 5:17 PM PDT

As Paul Vixie points out, the world gets very difficult when IETF, a body of engineers, is called on to make decisions on intellectual property rights issues.

But that doesn't quite support the "let a thousand flowers bloom" argument for me. The thousand flowers that already exist in the area of email standards, conflicting algorithms in spam filtering services, blacklists, whitelists, grey lists, and varying authentication systems have resulted in a garden full of weeds which is choking a lot of legitimate email.

I've used the MARID exercise in a case study in my Internet Analysis Report 2004. (see www.internetmark2.org for details). It's instructive in terms of the difficulties we face when IETF has to make policy decisions which are essentially non-technical.
