Two prominent open-source software groups have rejected
the Sender ID technology standard backed by Microsoft.
Sender ID would close a loophole used to send unsolicited
commercial ("spam") e-mail.
Apache Software Foundation and the Debian Project said they will
not be able to support the Sender ID e-mail authentication standard
in their products, citing unresolved patent and licensing issues
with the standard.
Debate has been growing for months within the open-source
software and internet standards communities as Microsoft tries to
garner support for its nascent standard, while also protecting its
intellectual property rights.
As currently proposed, the Sender ID licence does not meet the
standards that each group holds for software distributed with their
products, making it incompatible with open-source products, the
groups said.
Other open-source groups, including the Free Software
Foundation, have also voiced reservations about the Sender ID
patents.
Sender ID is a technology standard that closes loopholes in the
current system for sending and receiving e-mail that allow senders,
including spammers, to fake, or "spoof," a message's origin.
Organisations publish a list of their approved e-mail servers in
the DNS (domain name system). That record, referred to as the
Sender Policy Framework (SPF) record, is then used to verify the
sender of e-mail messages sent to other internet domains using
Sender ID.
Tens of thousands of internet domains have published SPF records
since the standard was introduced by Meng Weng Wong of
Pobox.com.
In May, Microsoft and Meng reached an agreement to merge SPF
with a Microsoft-developed standard called Caller ID to form the
new Sender ID standard, which Microsoft submitted to the Internet
Engineering Task Force in June for approval.
At the heart of the dispute between Microsoft and the
open-source community is language in the Royalty-Free Sender ID
Patent Licence Agreement, which Microsoft requires those using
Sender ID technology to sign, according to John Levine, a member of
the Internet Research Task Force's Anti-Spam Research Group.
Open-source software advocates are uncomfortable with a
prohibition against transferring or "sublicensing" Sender ID
licences to others in the open-source community, and with a
requirement that all licensees contact Microsoft directly to
receive a copy of the licence, Levine said.
The right to transfer and sublicense technology is common within
the open-source community and is perceived as a key component of
that community, which relies on the contributions of labour and
expertise from thousands of developers, who in exchange have
unencumbered access to and use of open-source software.
In contrast, Microsoft's licence for Sender ID treats recipients
of the licence like "end users" who have limited rights, according
to a copy of an e-mail to Microsoft from Lawrence Rosen, general
counsel of the Open Source Initiative, that was posted by the
Apache Software Foundation on its website.
In a statement issued to the Internet Engineering Task Force,
the Debian Project said the inability to freely distribute, modify
and use the Sender ID technology violates the Debian Free Software
Guidelines, preventing that group from distributing Sender ID with
any Debian software, or even supporting Sender ID.
Beyond the dispute about sublicensing, open-source software
groups are also suspicious of Microsoft's refusal to say what
pending patents the company has around the Sender ID
technology.
Without information on what technology Microsoft is claiming
patents on, open-source groups are wary about implementing Sender
ID for fear that Microsoft's patents, when finally disclosed and
then granted, will be broad, according to the Apache Software
Foundation.
The breakdown between leading open-source groups and Microsoft
may slow the momentum behind Sender ID adoption, which Microsoft
has been aggressively pushing in recent months.
Patent disagreements aside, the Sender ID technology has not
proven to be as popular or as effective at stopping spam as some
had hoped, Levine said.
A recent survey conducted by e-mail security company CipherTrust
found that only about 5% of inbound e-mail comes from domains that
have published SPF records. Of the 3%-5% of mail that does come
from an e-mail domain with a valid SPF record, more is spam than
legitimate e-mail, the survey showed.
With only middling performance in spotting spam and a host of
legal concerns surrounding it, Sender ID may fall by the wayside,
as companies look with increasing interest at competing standards,
such as DomainKeys, a sender authentication standard backed by
Yahoo, Levine said.
Paul Roberts writes for IDG News Service