On Sun, 29 Aug 2004, Nick Shelness wrote:
> All,
>
> I don't really want to enter this discussion, but I believe it is
> necessary.
>
> For those that don't know me, I'm the ex-CTO of Lotus (98-01) and thus
> someone who professionally had to spend a great deal of time (too much)
> worrying about IP issues, and consulting with IP lawyers. I was also the
> source of a private suggestion to Harry Katz that [E]SMTP be extended to
> identify the email submitter as an alternative to mucking about with RFC
> [2]822 headers. At the time, Harry indicated that this idea was new to him
> and Microsoft. I leave it to Harry to indicate whether he has subsequently
> encountered a prior claim to this idea.

It is nice to have confirmation that the idea of SUBMITTER did not come from
Microsoft. On this I'll note that there are alternatives available to the
current CallerID system which take major parts from it, including
SUBMITTER and authentication of external (independent network-network)
connections and establishing party responsible for introduction of
processing of email for each such network, but this does not use PRA
algorithm and would probably not be bound by Microsoft IPR claims (hard to
confirm these things when you don't know what exactly they claim is invented).

Since chairs specifically asked not to discuss any alternatives to CallerID
until we decide on current set of documents based on last call, I will not
be mentioning any details, but if you do like the parts of CallerID approach
mentioned above but believe IPR claims and other tech issues are significant
that CallerID should not go forward as is, this does not mean the whole
approach is necessarily dead and the only options are envelope bounces-to
(the so called envelope "mail-from") and EHLO identities and that RFC822
From and what is shown to MUAs can not be protected by MARID design.

At the same time, I also believe that protecting just one identity and
designing protocol such that it is so specific to just that identity with
no support for scoping and other identities is bad. If we put aside
current documents which were done in way too much haste (they leave too
many technical issues and errors unresolved and should probably not go
forward even if there was not such an IPR controversy) then we may have
opportunity to work on more complete approach to authentication of email
session with help of DNS records which is what MARID was chartered to do.

I'm also leaving below some other parts of the email I replied to which
are relevant to what I just wrote above.

> 2. Limit the scope of marid to the [E]SMTP MAIL FROM: command, with or
> without the SUBMITTER parameter. RMX, SPF, etc. which operated on the MAIL
> FROM: address almost certainly constitute prior art, and I am the source
> of the proposal to Microsoft that [E]SMTP be extended to identify a
> submitter, and gladly waive any and all rights, etc. Sadly, there may be
> other earlier claims to the idea of extending [E]SMTP.
>
> 3. Attempt to find a non-PRA based approach to verifying the message (SMTP
> DATA) content.
>
> The above does not propose a solution to the problem at hand, but I hope
> at least lays out the alternatives that may be pursued by
> implementors/marid.
>
> Nick Shelness
> Independent Technology Consultant <nick(_at_)old-mill(_dot_)net>