Microsoft 'Opens Up' Sender ID Spec

In its continuing efforts to re-ingratiate itself in the hearts and minds of Internet developers, Microsoft today announced that the specification it had advanced two years ago to the IETF as a standard for e-mail sender authentication, will now be released for license-free use under the “Open Specification Promise” terms it devised last month.

In February 2004, before an RSA security conference, Microsoft chairman Bill Gates unveiled what the company was then calling "Caller ID for E-mail." As it was proposed, DNS servers would maintain an ongoing list of authenticated e-mail senders. When recipients receive a message, before it gets posted to the Inbox, its header would be opened, and its authentication data would be checked against this list. If there was no match against the list, the e-mail would simply be deleted.

As Microsoft’s anti-spam general manager, Ryan Hamlin, described Caller ID for E-mail at the time, “Essentially, it's a mechanism for legitimate senders of mail to help ensure their Domain Name is not being abused by a spammer. In a nutshell, Caller ID involves two key steps. One, senders of e-mail publish the IP addresses of their outgoing mail servers in DNS in an e-mail policy document."

"Two, the e-mail software at the receiving end of a message queries DNS for the e-mail policy and determines the ‘purported responsible domain’ of the message," Hamlin continued. "This is done by comparing the information in DNS to ensure it matches the information on the originating mail. We believe this technical solution gets at the root of the spam problem by helping to confirm legitimate senders."

In August of that year, in order to advance its development and approval, the Internet Engineering Task Force grafted Microsoft’s proposal onto another concept which utilized a more complex and programmable system for a server determining whether a message should be forwarded, called Sender Policy Framework. The result was "Sender ID."

Almost immediately, the IETF came under fire from some of its members, for knowingly advancing a framework as a public standard for which Microsoft was known to hold patents.

"The current Microsoft Royalty-Free Sender ID Patent License Agreement terms are a barrier to any ASF project which wants to implement Sender ID," stated a message from the Apache Software Foundation on September 2, 2004. "We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms."

Two days later, the Debian Project released a very similar statement, which closed with this: "We are also concerned that no company should be permitted intellectual property rights (IPR) over core Internet infrastructure. We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered."

In the intervening years, Cisco Systems and Yahoo advanced an alternative specification called DomainKeys Identified Mail (DKIM). It’s a far more complex system that involves authentication at both the sending end and the receiving end, which would also advance the notion of fully certified users that Cisco has always supported. While technically, both DKIM and Sender ID could co-exist, there may be no direct benefit in it; and DKIM’s sender-side authentication, which Sender ID lacks, could be seen by network architects as an obvious advantage.

DKIM has since garnered the support of e-mail providers such as AOL and Earthlink, and technology providers such as IBM, IronPort Systems, and Sendmail.

So in lieu of waiting for a fundamental overhaul of the IETF, Microsoft opted to gamble on turning over its share of Sender ID’s intellectual property to the public, under a license-free scheme the company had originally created to address some of the European Commission’s more pressing concerns.

"There have been lingering questions from some members of the development community about the licensing terms from Microsoft and how those terms may affect their ability to implement Sender ID," stated Microsoft corporate vice president for Windows Live, Brian Abrogast, today. "By putting Sender ID under the Open Specification Promise, our goal is to put those questions to rest and advance interoperable efforts for online safety worldwide."

Under the basic terms of OSP, Microsoft agrees never to make any claims against developers’ use of the technologies it covers, so long as they themselves refrain from making any claims against Microsoft for possible patent infringement.

"If you file, maintain or voluntarily participate in a patent infringement lawsuit against a Microsoft implementation of such Covered Specification, then this personal promise does not apply with respect to any Covered Implementation of the same Covered Specification made or used by you," states Microsoft’s OSP page.

No statements have been filed yet from Apache or Debian, or from the IETF. In a sign that Microsoft’s move may thaw the ice at least partly, IronPort and Sendmail both signed onto Microsoft’s Sender ID announcement this morning.