ietf-mxcomp

RE: consensus call on pra/mailfrom deployment and versioning/scope

2004-09-10 20:29:25

Andy,

Thank you for facilitating an answer to my concern.

As Harry noted in his response:

As I stated above, we are not aware of any Microsoft IPR
claims on MAIL FROM checking, so our license is not
relevant.  So, to be as clear as I can, if you're
implementing spoof checks of both PRA and MAIL FROM under
the framework described in Core (and our patent application
is granted) then you would need a license for the PRA check
but not the MAIL FROM check.  If you are implementing spoof
checking of MAIL FROM and _not_ PRA, we have no IPR claims,
and no license to offer.

This answer clearly sets out the issue. The question
remains as to whether it resolves the problem.

A number of comments:

* Unfortunately, based on my read of the most recent
version of the FAQ, along with posts made to this mailing
list, there continues to be a fundamental issue surrounding
the lack of compatibility between Microsoft's draft patent
license and the GPL.

From where I sit, this problem requires resolution for
smooth implementation of the consensus call. Why? One of
the driving forces behind pra is the expressed need of the
financial sector to control phishing attacks, along with
the general desire of all domain owners to thwart spoofing
and phishing attacks to retain brand integrity.

Without resolution between Microsoft and the open source
community, pra checking will not be as widely implemented,
so diminishing the effectiveness of this part of the
layered defence for the benefit of those who need it most.

As such this remains an underlying stumbling block which I
suggest the WG chairs must consider in deciding how best to
proceed with the consensus call.

* The other concern I have revolves around the lack of an
operational and security review by greybeards of both pra
and mailfrom checking. This is not a new issue.

Sender authentication, without implementation of reputation
and accreditation services along the Aspen model will not
achieve the ultimate objective of providing a reliable
methodology for UBE volume control.

(Please note, I do not believe we will ever be able to stop
abusive behaviour online. The best we can hope for is to
bring the problem under control.)

There has been much discussion on this list about the merit
or lack of merit of the two proposed "scopes" as
underpinnings for use in developing reliable reputation
models.

I strongly believe such a peer review would help to flush
out and resolve these issues, along with any underlying
operational and security issues. If nothing else, it would
certainly give added comfort to those who have to implement
all of this.

Until these two concerns are resolved, it remains my view
that this WG can only proceed with "pra and mailfrom" as
experimental protocols.

I find this position somewhat awkward. I want sender
authentication to succeed. I acknowledge there is a
dramatic sense of urgency. Email is broken and needs
fixing. I appreciate and support the vision. I acknowledge
a number of large organizations have stepped forward and
expressed a willingness to back "pra and mailfrom."

Yet, I am reluctant to proceed full steam ahead when I can
see cracks in the foundation which I believe will come back
and bite us all at the end of the day.

Thank you again for taking the time to listen to my
concerns.

John

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
