Microsoft may have misled others that SenderID and PRA algorithm can be
used by MUAs to verify email (because of their dominance in MUA market on
Windows PCs, they need something for MUAs). That is not true. SenderID is
designed to verify email for SMTP servers directly talking to each other,
it is NOT a good idea to use the same methods after the completion of
SMTP transmission! Although, if authentication did occur on the SMTP
level, it is a good idea to be able to inform end-users about that and
to inform them what address was verified.
For more information on why MUAs should not be used, please see the
following messages posted earlier:
http://www.imc.org/ietf-mxcomp/mail-archive/msg03769.html
http://www.imc.org/ietf-mxcomp/mail-archive/msg03961.html
I also would remind that MARID WG is about authentication methods for MTAs,
this group has not been chartered to produce specification to be used for
MUA verification of emails. Topics of MUA verification of email are
appropriate for S/MIME and OpenPGP workgroups. And please feel free
to reread the charter if you disagree with this statement. See:
http://www.ietf.org/html.charters/marid-charter.html
On Thu, 2 Sep 2004, Michael R. Brumm wrote:
I'm wondering, since there has been talk about displaying the SenderID PRA
in MUAs, would Microsoft's patent claims and licensing apply to MUAs also? I
imagine that the steps used by an MTA to extract the PRA for evaluation
would be the same as the steps used by an MUA to extract the PRA for
display...
If licensing FOSS MTAs are problematic with SenderID, I'd imagine that FOSS
MUAs would greatly compound the problem.
Michael R. Brumm
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net