Musings – Abhay S. Kushwaha

I just caught it on /. that ASF has refused to implement Sender ID. They’ve written an open-letter to MARID IETF Working Group about it.

The current Microsoft Royalty-Free Sender ID Patent License Agreement terms are a barrier to any ASF project which wants to implement Sender ID. We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms.

This was inevitable and will probably make other organisations with similar issues raise their voice. I suppose ASF will now become a leading voice in why Sender ID should not be implemented in larger, long-term interest of people who believe in Open-Source. When I had first read of SPF and Microsoft’s additions to it, I was impressed. The very commentary that provided me the intro also pointed out how this would conflict with certain established licenses and ideologies. It hadn’t occured to me then though that big organisations and influential voices would simply say no. Now that they have, it seems the logical thing too. I wonder how things will stand a few months down the line with Microsoft’s implementation of Sender ID coming into effect and many other organisations also following suit while many others that use ASF products don’t, not that they are technologically incompatible or anything.

Let’s see who fires the next round, at whom and how.

UPDATE: September 3 (2:06pm)
Expectedly, Microsoft‘s “Harry Katz, program manager for Microsoft Exchange, has made three points about how it (Sender ID’s license) will be interpreted in a message to a standards group of the Internet Engineering Task Force named MTA Authorization Records in DNS, or MARID, which is working on Sender ID” reports eWeek.

Has Microsoft blinked on its licensing requirements for Sender ID, making it more acceptable to the open-source community? Some open-source leaders and companies think that it has, while others vehemently disagree.

Sendmail, Inc. has released a milter for its MTA that incorporates implementation of Sender ID authentication specification for testing and that too under their own Sendmail Open Source License. Further, Dave Anderson, Sendmail’s CEO has made it clear that he has no intention to sign Microsoft’s license. eWeek quotes him, “This isn’t just for testing. I plan on going into production with no signed agreement.”

Interesting.

In his column titled I Come to Bury Sender ID, Not to Praise It, eWeek’s columnist Larry Seltzer makes numerous points on how “Microsoft’s uncompromising licensing attitudes show a blindness worthy of King Lear.” I reluctantly have to agree with him when he states his opinion on the outcome of this mess.

The rest of the SID standards process will now be a waste of time thanks to Microsoft, and the other participants will afterwards pick up the pieces and get the job done with another spec.

When one looks at the issue in light of the recent report by CipherTrust, a messaging security firm in Atlanta (Full story @ TechNewsWorld), one gets a sinking feeling that perhaps this will indeed turn out to be merely a new fad technology that delivers little. They analysed two million messages received between May and August and came to the conclusion that “spam messages were three times more likely to pass an SPF check than legitimate mail.” Ouch.

CipherTrust Research Engineer Dmitri Alperovitch told TechNewsWorld, “There was a perception out there that SPF was designed to stop spam, and it wasn’t. It was designed to authenticate the sender of a message, and that’s exactly what it’s doing. Spammers aren’t circumventing this, but adopting it and adopting it at a greater rate than legitimate senders.” That is indeed the case actually. The whole Sender ID technology has come to mean “anti-spam” while in reality is nothing more than “anti-spoof”.

I’m keeping my eyes and ears open for more on this while the issue heats up more as expected.

Update: September 5 (8:15pm)
Closely following ASF, Martin Michlmayr, Debian Project Leader, has written to MARID IETF Working Group rejecting Sender ID as well.

We believe the current license and resulting encumbrances are incompatible with the DFSG, unlike other Internet standards that Debian is able to support.