September 2, 2004 5:55 PM PDT

Apache, open-source groups wary of Sender ID

The Apache Foundation, an open-source development group, on Thursday pulled its support of the proposed antispam standard Sender ID, saying Microsoft's license requirements are too strict.

The move by the group responsible for the popular Apache Web server comes as other open-source developers also voiced reservations about Microsoft's attempts to apply stringent license requirements to its contribution to the spam-fighting technology.

"We believe that the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with Apache License 2.0," the group wrote Thursday in its letter to the technical committee working on the technology.

The criticism of the licensing requirements for the Sender ID standard was published in response to a request for opinions on the possible standards.

The request came from the chairpersons of the Internet Engineering Task Force (IETF) working group responsible for Sender ID, which is meant to block spam by confirming the source of an e-mail. Dozens of others also contributed their comments, the overwhelming majority of which were critical of the new standard and Microsoft's attempt to place license requirements on the specification.

"Microsoft's license for patent claims made on Sender ID prevent (the specification) from being a standard in the open-source community," one member of the working group wrote in a posting titled "Motion to abandon Sender ID."

A Microsoft representative was not immediately available to comment on the issue.

Many of the license provisions worry open-source developers. According to an analysis done by Larry Rosen, general counsel of the Open Source Initiative, Microsoft's license would require mail service providers incorporating Sender ID into their products to tell Microsoft about customers using it.

The software giant also has not informed the IETF of potential patents pending on the technologies, and the license is not compatible with open-source development groups and requires users to be subject to U.S. export control laws, the analysis stated.

Sender ID is a combination of two proposed standards that would create a system to positively identify whether the source address of an e-mail message is the actual source of the message. One specification, Caller ID for E-mail, was proposed by Microsoft; the other, Sender Policy Framework (SPF), was proposed by Meng Wong, the founder of e-mail service provider Pobox.com.

The use of Microsoft's technology in the standard means that the company can specify a license that potential users have to agree to before using the code.

On Monday, Sendmail, developer of an open-source mail server, released a version of a module that could be added to any Sendmail server for Sender ID functionality in software.

While the module, called milter, is open-source, users may still have to agree to Microsoft's licensing restrictions. However, Sendmail's CEO, David Anderson, said his company was not going to sign the license agreement. Moreover, the company's lawyers do not think that anyone needs to.

"Microsoft has said that this is free, and it doesn't say that you need a license for this technology," he said. "I can't figure out why I would want to sign this license."

Microsoft has actively lobbied other companies to accept the Sender ID framework and its license that would accompany the code. In August, the company collected more than 80 members of the Email Service Provider Coalition to tout the benefits of the antispam technology.

"This is a good tool," J. Trevor Hughes, executive director of the ESPC, stated in an e-mail to the IETF working group. "The actions of the various parties involved are understandable and reasonable. The license terms are workable and within the scope of IETF standards and history. And it will have a positive effect on our ability to reduce phishing and protect legitimate e-mail."

Internet services firm VeriSign also signaled its support for the Sender ID specification in an e-mail to the IETF.

"We see Sender ID as a good, easy-to-implement solution to stop e-mail domain spoofing and an important first step towards truly authenticating the sending party," Bruce Ong, senior product manager for the company, wrote in the e-mail.

VeriSign can sympathize with Microsoft's situation: The firm has also been accused of and sued for trying to co-opt parts of the Internet infrastructure with its Site Finder service, which redirected Web surfers to a VeriSign-branded search page if they mistyped a .com or .net Web address.

Despite these votes of support, open-source groups may be a harder nut to crack.

"As developers of open-source e-mail technologies, we are concerned that no company should be permitted IP (intellectual property) rights over core Internet infrastructure," the Apache Foundation wrote, adding that "we will not be implementing support for Sender ID until such time, as the issues with the license are fixed and acceptable."

6 comments

Go Apache and OS community
The Open Source Community has this right.
MS is trying to take control of e-mail as well as their control over
the browser. We have seen the benefits of MS and IE, do we
really want MS to give us the same quality with their anti-spam
technology? And they want to patent it and license it. Yeah MS is
really looking out for our best interest. Actually I have very little
spam because I don't use MS Outlook or Exchange servers. This
has prevented my e-mail address from being harvested.

As reported in the article, "As developers of open-source e-mail
technologies, we are concerned that no company should be
permitted IP (intellectual property) rights over core Internet
infrastructure," I must agree. This is a community and the
community's best interest is more important than MS making a
few extra pennies off of this.
Posted by wrwjpn (113 comments )
you my friend, are mistaken
Not using MS Outlook or Exchange does not prevent you from having your email address "harvested" as you say. In the past, email addresses have been bought and sold by scrupulous individuals with access to those lists. I will admit that using these tools may expose you in certain ways, but you are mistaken if you believe that you are not at risk.

As with anything, diversity is the key. Using these tools puts you "at risk" because you are part of a large group. Open source advocates preach the security of their products, but what they fail to mention is that they are a small portion. I believe Sendmail, an open source project, has been found to have security issues. It became a target due to its high use. The same will happen to the Linux kernel in time.

I will, however, say that if MS wants to provide a specification for sender validation, then it needs to reconsider its patenting and licensing strategy for the greater good of the internet.
Posted by jamie.p.walsh (288 comments )
microsoft: when are you going to learn?
microsoft must stop with its licensing insanity! if they were allowed, they would patent and license everything. the more they continue in this vein, the more unpopular they are going to become. It worked for THEM in the 20th century, but their mentality is no longer relevant in the 21st. It's a good thing that there are more and more savvy people and users standing up to them.
Posted by (2 comments )
Typical of Microsoft
Leave it to Microsoft to take an idea that maybe could have done some good and turn it into something to their own liking. Makes me think of Smart Tags and DRM.

As if Microsoft hasn't already taken enough. But I guess once one way street, always one way street. Don't blame them, they simply don't know any better. And since there's no "parent" around to show them the errors of their way... They're basically the super rich single kid and spoiled brat. Never satisfied. Always wanting more their way.

Have fun having that in your house.
Posted by arthur-b (31 comments )
What were the IETF folks thinking?
They should have known better than to involve Microsoft in this endeavor. They are no sticklers to open standards. See how they are fragmenting HTML. They decimated Kerberos. They have patents targeted at cornering XML. Just because Microsoft introduced it does not mean they would stick to it either -- they will attempt to wear other parties out on an impossible 'hurry to catch up' rat race. Microsoft feels it has a right to control the Internet. It is up to the IETF to let them.
To me, this whole issue is a no-brainer. There are efforts from other quarters that aim to resolve this issue of e-mail authentication, e.g. Yahoo DomainKeys and AOL's Sender Permitted From (SPF). Why don't the IETF look at their offerings in comparison with Microsoft's that is bereft in a quagmire of patents and stringent licensing requirements?
Well, thanks to the proliferation of web based e-mail services (which I have come to depend on), I am not going to lose much sleep over this.
Posted by (23 comments )