ietf-mxcomp

RE: Microsoft Statement regarding Sender I.D. Update and Plans (forwarded by request)

2004-09-27 09:34:29

On Mon, 2004-09-27 at 04:29, John Glube wrote:
From: Anne P. Mitchell, Esq. 
Sent: September 25, 2004 3:40 AM
To: ietf-mxcomp(_at_)imc(_dot_)org
Subject: Microsoft Statement regarding Sender I.D. Update and
Plans (forwarded by request)

Thank you for posting the Speizle letter.

Although the Microsoft patent applications are quite broad,
I took solace from the good faith representations made in
the IPR filings and to the MARID list as to the actual
scope of these claims.

On September 21, 2004, a press spokesperson for Microsoft
is reported to have sent an email to Internetnews which
read:

|"The SPF technical alternative is just now becoming a real
|focus for the IETF. It is premature for the standards
|participants to disclose any IP they may own related to
|SPF. If SPF continues to work its way through the process,
|there will likely be a point where Microsoft and others
|will [be] asked to identify any essential IP claims and
|Microsoft will follow the IETF guidelines for disclosure at
|that time." 

http://www.internetnews.com/dev-news/article.php/3409971

This reported statement was cause for concern upon my part. 

I had hoped that Microsoft would clarify matters and simply
confirm the previous good faith representations.

Regardless of the promised arrangements Microsoft may claim in various
news articles, the rights of this IPR, if granted, could be sold to an
entity with a considerably different stance.

There is an inherent risk in obtaining an address list rather than a name
list for such a large array of hosts.  There is an inherent risk in using a
text script parser which may constrain the source port processing this
information from several DNS servers.  The use of scripts to look up
hundreds of records for addresses creates a high risk for a denial of
service attack aimed at disabling the check, and allows just a DSL
connection to poison the DNS cache.  This scheme still allows spoofing
and phishing, but now with the possibility of false assurances.  Those
publishing this scheme also risk being exploited and unfairly having
their mailbox address blocked.

Using scripts offers to DNS what they offered to mail.  Mail is not a
browser, and is not run at the behest of the user, but rather for total
strangers.  Lack of security has largely fostered the current situation.

-Doug
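
The lookup fan-out raised in the message above can be measured before a receiver commits to evaluating a policy. The following is an added example, not part of the message or of any SPF implementation: it counts the DNS-querying terms reachable from a published record and stops at a budget. The function and variable names, the constructed records and the budget of 10 are assumptions of this example.

```python
import re

# Constructed SPF TXT records standing in for DNS answers; nothing is queried.
ZONE = {
    "example.org": "v=spf1 include:a.example.net include:b.example.net mx -all",
    "a.example.net": "v=spf1 a mx include:c.example.net ~all",
    "b.example.net": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.bl.example.net -all",
    "c.example.net": "v=spf1 ip4:198.51.100.0/24 ptr -all",
    "loop.example": "v=spf1 include:loop.example -all",  # refers to itself
}

# Terms that make the receiving server issue further DNS queries.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms that pull in another domain's record for evaluation.
FOLLOWED = {"include", "redirect"}


class LookupBudgetExceeded(Exception):
    """A policy needs more DNS-querying terms than the checker allows."""


def count_lookups(domain, zone=ZONE, budget=10):
    """Worst-case count of DNS-querying terms reachable from domain's record.

    Counts terms, not packets: one mx term costs an MX query plus an address
    query per exchanger, so the real query count is higher. The budget is the
    only thing that bounds a record that includes itself.
    """
    used, pending = 0, [domain]
    while pending:
        record = zone.get(pending.pop(), "")
        for term in record.lower().split()[1:]:  # skip the "v=spf1" tag
            m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
            if not m or m.group(1) not in QUERYING:
                continue  # ip4, ip6 and all need no further query
            used += 1
            if used > budget:
                raise LookupBudgetExceeded(
                    f"{domain}: more than {budget} DNS-querying terms")
            if m.group(1) in FOLLOWED and m.group(2):
                pending.append(m.group(2))
    return used
```

A receiver that refuses to evaluate past the budget turns an unbounded or self-referencing policy into a bounded, loggable error.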