spf-discuss

RE: Contacted Spiegel Online (biggest German general news site) about SPF/Sender-ID issue

2005-03-26 07:34:32

-----Original Message-----
From: Julian Mehnle [mailto:julian(_at_)mehnle(_dot_)net]
Sent: Saturday, 26. March, 2005 03:05
To: spiegel_online(_at_)spiegel(_dot_)de
Cc: frank_patalong(_at_)spiegel(_dot_)de
Subject: Ihre Artikel zu Spam/Absenderfaelschung
    (Authentifizierungstechnologien "Sender-ID"/"SPF")


Ok, here is the translation. Enjoy. :)

[original text below]

---------------------------------------------------
Dear Mirror/Networld editors,

In the last months you have published two articles in the "Networld"
division, dealing with spam and sender-forgery:

*  Bill Gates: Change of course in the battle against spam (June 29,
   2004)
   http://www.spiegel.de/netzwelt/technologie/0,1518,306341,00.html

*  Internet security: AOL sets in on the Code-Card (September 29, 2004)
   http://www.spiegel.de/netzwelt/technologie/0,1518,319053,00.html

In the first article you report about both Microsoft's
authentication-technology "Sender-ID", based on its predecessor
"Caller-ID", and the standardization-attempts within the framework of The
Internet Engineering Task Force, IETF.

In the second article you report that AOL and other companies "[will] not
adopt the by Microsoft promoted 'Sender-ID' initiative, which Microsoft
has filed patent for," and that AOL "[will] soon use a 'free technology'
-- read: patent-unencumbered, for which no licence fees are to be paid.
The IETF was also working on such a system."

In the following [paragraphs] I would like to add a few things, as well as
briefly outline the state of development to date.

As co-organizer of the SPF-Project[1], I would like to point out to you,
that Microsoft's "Sender-ID" technology is not based on Microsoft's
"Caller-ID", but actually in large on the free technology "SPF" ("Sender
Policy Framework"), to which AOL also refers in their second article. SPF,
in turn, is based on several earlier ideas by various Internet-experts,
but essentially exists in its current form since 2003.

As already indicated in your first article, these technologies make it
possible for domain owners to publish a record of computers that are
allowed to use these domains as sender-address. This record (the so-called
Sender-Policy) can be applied by E-mail receivers to recognize address
forgeries. Between 2003 and today already over 750,000 of such
Sender-Policies were published, based on SPF records.

In the second half of the last year, there was indeed a several months
long attempt, within the framework of the IETF, to come to a rapid mutual
Standard on the basis of several "competing" proposals (SPF, Caller-ID,
and later Sender-ID, among others). At first, everything (including the
SPF-project) was geared towards Microsoft's heavily building on SPF
Sender-ID proposal, until it became known that Microsoft had filed patent
for several further than SPF going elements of its proposal.

After considerable discord, within the responsible IETF workgroup (called
MARID), on whether such a core Anti-SPAM and E-mail authentication
standard should be patented, the whole thing was called off, and the
workgroup disbanded.

Microsoft continues to push its own Sender-ID methodology alone, ever since,
and has arranged for it to be reviewed by the IETF again. The SPF Project
has done likewise for its (unpatented) traject. As Sender-ID,
conceptually, and 'materially' builds on SPF, Microsoft has now taken the
liberty to fall back on the many already published SPF
Sender-Policies--even though it is, because of small differences in
application, technically unsound.

Nevertheless Microsoft tries to 'cash in on' SPF, not just technically,
but also marketwise. Among other things, on the Microsoft website[2], and
in a recent press release[3], the impression is given as if SPF were
nothing more than an integral part of Sender-ID, and that the 750,000
published SPF-records effectively belong to Sender-ID. The SPF Project
expressly opposes this (mis)representation[4].

Perhaps you would now like to take the opportunity, in a follow-up
article, to examine the matter a bit further, and to shed some light on
the development to-date and the current situation. I am, of course,
readily available for further questions.

With kind regards,

Julian Mehnle.

Footnotes:
 1. http://spf.pobox.com, http://spf.mehnle.net
 2. http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx
 3. http://www.microsoft.com/presspass/press/2005/mar05/03-02SIDFPR.asp
 4. http://spf.mehnle.net/Press_Release/2005-03-23.de
---------------------------------------------------