The Federal Trade Commission and NIST had a two-day Authentication Summit on Nov 9-10 in Washington DC. When they published their report explaining their decision not to create [PDF] a National Do Not Email Registry, the FTC identified lack of e-mail authentication as one of the reasons that it wouldn’t work, and the authentication summit was part of their process to get some sort of authentication going. At the time the summit was scheduled, the IETF MARID group was still active and most people expected it to endorse Microsoft’s Sender-ID in some form, so the summit would have been mostly about Sender-ID. Since MARID didn’t do that, the summit had a broader and more interesting agenda.

As part of the run-up to the summit, the FTC posed a series of questions about authentication. They got a few dozen more or less relevant responses including one that I wrote [PDF]. They also accepted requests to speak and set up an agenda.

At the conference, I got to go first, laying out [PDF] what authentication can hope to do and all the ways it could mess up mail if done poorly. After that there was a series of panels with technologists, marketers, lawyers, and a smattering of other interested parties. People’s positions fell into largely predictable groups. Microsoft talked about Sender-ID, which they think is wonderful. Since Sender-ID only really works for senders that have full control over their mail stream and send it all from one place, bulk e-mail marketers, who are just about the only mail senders that fit that description, also think that Sender-ID is wonderful. People who run more heterogeneous mail systems with more varied mail sending methods, such as consumer ISPs and universities, think that Sender-ID is considerably less wonderful. The consensus I heard among mail recipients is that while valid Sender-ID can help to whitelist known friendly domains, there are so many ways for legitimate mail to fail Sender-ID that nobody will ever reject mail based on failure.

A panel consisting largely of lawyers also had unsurprising results. Microsoft’s lawyer thinks that the license they offer for Sender-ID is just like every other patent license and is completely adequate for all purposes. Daniel Quinlan from the Apache Software Foundation explained why the open software world can’t use it but since he’s neither a lawyer nor a lobbyist, he didn’t make much headway. Yahoo’s Miles Libbey did say that their license for Domain Keys avoids the problems that Microsoft has. The Electronic Frontier Foundation reiterated their usual position against any kind of filtering of political or anonymous mail, but as usual failed to explain how we can tell political from non-political mail and how to deal with the costs of dumping vastly more spam into people’s mailboxes. The EFF rep said she manually sorts through 2000 spams a day and apparently believes that is a productive use of her time.

The next few panels described the various technical proposals. The audience expressed considerable interest in trying them all out, in one case despite an utterly baffling presentation.

On the second day, I sat in on the international panel, in place of the ailing Neil Schwartzman, to describe what’s happening in Canada (nothing too surprising.) Hadmut Danisch presented a proposal for country-specific mail sending scheme of debatable practicality, but went on to discuss the severe limits that European privacy laws can put on a reputation system. For example, if a domain belongs to an individual, like my johnlevine.com, information about that domain could be considered personal information subject to privacy laws. As far as I know, there’s no case law or regulatory statements to tell how serious an issue this is, but it’s not one that can be dismissed out of hand. I commented that reputation systems are likely to be country-specific since the mailers in the US are different from the mailers in Canada and other countries.

I missed the final panel on reputation systems, but I gather it said that they don’t exist, and they’ll be a challenge to create in ways that are both legal and effective. At the end of the conference, Commissioner Orson Swindle said there’d be another conference next year with the strong implication that we’d better have progress to report Or Else.