Microsoft Releases Patent on SenderID 128
wayne writes "Microsoft has now put the SenderID patents under the OSP. The Open Specification Promise was discussed on slashdot before in conjunction with web services and it is good to see that they are opening up even more. There are still technical problems with SenderID compared with SPF and, of course, SPF isn't problem free. Still, over the last year, the number of SPF records has more than doubled from around 1.7 million to 4.1 million, with rate of growth increased in the last 6 months."
Have they released a SenderID SDK? (Score:3, Interesting)
Sender ID, SPF, DomainKeys (Score:5, Interesting)
So now we have Sender ID [wikipedia.org], SPF [wikipedia.org], and DomainKeys [wikipedia.org].
AFAICT, they all aim to accomplish similar things. Unfortunately, there's no consensus on which to use, and that means that they're all basically useless. One of these mechanisms would only become useful if virtually everybody used it, because then people could refuse to accept e-mail that didn't use it. Gmail and yahoo both use DomainKeys, which suggests that it's something that can really be implemented successfully in the real world. Looking at the Wikipedia articles, Sender ID seems to have problems because it breaks preexisting standards (see "Standardization issues"). My impression is that a lot of people looked at DomainKeys and said, "oooh, scary, it uses crypto." But hey, this is 2006, not 1992. Strong crypto is everywhere. Is there any reason not to go ahead and standardize on DomainKeys?
Why not just fix Windows? (Score:1, Interesting)
It won't be an easy task for Microsoft, but they'll need to bring the security level of Windows up to at least that of Linux, Solaris, MacOS X and the BSDs. Not only will they have to manage that for any new Windows products, but they'll also have to retrofit those security enhancements all the way back to at least Windows 95. They'll have to make sure that those changes don't break any existing applications, so it'll be a very significant challenge.
Re:Sender ID, SPF, DomainKeys (Score:2, Interesting)
Re:Sender ID, SPF, DomainKeys (Score:4, Interesting)
The following is from one of my emails:
That's peculiar because Yahoo! doesn't publish SPF records.
Typical SPF Record:
Yahoo!
Re:Why not just fix Windows? (Score:2, Interesting)
nice, but lacking teeth (Score:3, Interesting)
The trouble is that it's a "promise". A "promise" on a web page is not the same thing as a legally binding commitment.
The proper thing to handle this would be for Microsoft to submit the specification to a standards body with a legally binding contract and steep penalties should Microsoft break the contract and take legal action against anybody implementing the specification.
I can't tell why they aren't doing this. It could be
* arrogance ("we're too big to have to make a binding commitment to anybody"),
* it could be ignorance ("if we promise, it ought to be good enough"),
* or it could be nefarious ("the OSP will be good enough for commercial implementors, but it's not FOSS compliant", "they think it's open and binding, but we have hidden this pitfalls in the fine print").
Any guesses?
Note that Microsoft's spec is not needed, since there are already alternatives.
Re:Breaking SMTP not a solution (Score:2, Interesting)
That's a fair point. I suggested the DJB link as a talking point, and I'm glad it brought out an intelligent response. I just said it was an "interesting take" and has some ideas which are worthy of discussion.
For major businesses RSS & such would be a good way to deliver "subscriber" content. Bloggers can do the same. They can also take advantage of proxy hierarchies. Bandwidth is getting cheaper anyway. Newsletters sent massively are exploiting the same weak link that SPAMmers exploit, so it's a tough call!
The line between SPAM and opt-in newsletters is something that makes the process difficult. Most Internet protocols are based on trust, store & forward, and good network configuration. Where you can catch SPAM is to axe everything in your policy to fight it around bad config.
That is what I retain as my key point: better DNS config, better SMTP/MTA config... if marketing people have to send better formatted newsletters and run well configured DNS servers... Hotmail / GMail / Yahoo can already fix some rules for that and begin to oblige the newsletter sender's SMTP/MTA/DNS chain to be better configured.
The original MS patent license & v=spf1 vs. PR (Score:2, Interesting)
Some of what you write is debatable, but some isn't.
Saying that is ignoring the facts. Both the ASF [apache.org] and the Debian [debian.org] project classified the Microsoft's license for their patent as inherently incompatible with free software. And patents on e-mail standards, unlike patents on many other IT technologies, are a very particular problem because a very large (if not the larger) part of the e-mail server world runs on free software. Go read the ASF's and Debian's explanations, they certainly did do their homework.
(To be explicit about my motives: I am the one who appealed to the IESG/IAB on behalf of the SPF project about the reuse of "v=spf1" records for the PRA algorithm [wikipedia.org] in the Sender ID specification.)
You correctly point out that a communication standard is little more than a silent agreement between senders and receivers that only works if the receiving party tries their best not to misinterpret what the sending party meant. But then you simply quit the subject, assuming that communication standards will work even with everyone interpreting stuff their way, because, after all, there is no protocol police, thank you. Sorry, but "compatible" means something else to me.
Again you are missing the facts. Quoting from my appeal to the IESG:
Read the appeal [ietf.org]. It connects a lot of dots that many do not like to remember.