Internet Week: AOL Drops Microsoft's Sender ID

[Mister Happy]

http://www.internetweek.com/allStories/showArticle.jhtml?articleID=47212349

AOL Drops Microsoft's Sender ID

By Gregg Keizer, TechWeb News

Less than a week after a standards-setting group rejected Microsoft's scheme to stymie spam, America Online added to the company's woes by dumping the software giant's proposed Sender ID.

America Online (AOL) spokesman Nicholas Graham didn't mince words in the statement he e-mailed to TechWeb.

"Given recent concerns expressed by the Internet Engineering Task Force (IETF), coupled with the tepid support for Sender ID in the open source community, AOL has decided to move forward with SPF-only checking on inbound email at this time," Graham wrote.

"This means AOL will now not be moving forward with full deployment of the Sender ID protocol," he added.

Sender ID, a Microsoft-backed standard to authenticate e-mail senders in the hope of stemming the flood of address-spoofing spam, was a combination of the Redmond, Wash.-based developer's own Caller ID for E-mail scheme and the long-available Sender Policy Framework (SPF). Uncertainty about patents related to Caller ID's part in Sender ID, said an IETF working group this weekend, made the scheme unworkable.

At that time, analysts held out hope for Sender ID in part because of AOL's backing of the authentication standard. Now that support's vanished.

"AOL has serious, technical concerns that Sender ID appears not to be fully, backwardly-compatible with the original SPF specification, a result of recent changes to the protocol and a wholesale change from what was first envisioned in the original Sender ID plan," Graham went on in his e-mail.

What tipped the scales, he said, was "the lack of acceptance for Sender ID among the free and open-source online community." The whole Sender ID brouhaha began two weeks ago when the open-source Apache Software Foundation rejected the standard, saying that the licensing terms set by Microsoft were too strict.

What tipped the scales, he said, was "the lack of acceptance for Sender ID among the free and open-source online community." The whole Sender ID brouhaha began two weeks ago when the open-source Apache Software Foundation rejected the standard, saying that the licensing terms set by Microsoft were too strict.

Instead, Graham said that AOL would fall back on SPF, which it's been using since December 2003, and in yet another black eye for Microsoft, would test "cryptographic solutions such as DomainKeys as a longer term protocol that can work side-by-side and in tandem with SPF."

DomainKeys is a Yahoo-developed authentication protocol that was viewed by most analysts as a competitor for first Caller ID for E-mail, then Sender ID.

Microsoft tried to put a good face on the news that AOL was dropping full support of Sender ID.

"AOL hasn't abandoned it per se." said Microsoft spokesman Sean Sundwall. True enough. AOL will, said Graham, continue to publish a Sender ID record on outbound mail. But it will not on mail incoming to AOL subscribers, meaning that Sender ID won't be one of the standards used to reduce spam that the Reston, Va.-based ISP's members receive.

And the fact that what was proposed as a single standard -- Sender ID -- is not essentially back to its component parts of SPF and Caller ID? "Sometimes a standard doesn't turn out to be one thing, but turns out to be two," Sundwall said. "Two [standards] is better than five or ten."

Yet to John R. Levine, who chairs the Anti-Spam Research Group of the Internet Research Task Force (IRTF), a parallel organization to the standard-setting IETF that does longer-range thinking and looks at emerging standards before they're really ready to be considered, things are a lot clearer.

"Outside of the suburban Seattle area, I'd say Sender ID is now on life support," said Levine.

"There were two problems with Sender ID," added Levine. "First, its dubious patent status, and second, it just doesn't work that well.

"Sometimes I think Microsoft's like the Holy Roman Empire, with a bunch of little fiefdoms," said Levine. "It's really great that [Microsoft] got involved in the standards-setting process, but it's unfortunate that its lawyers can't figure out a way to let the tech guys participate with open-source. IBM's figured it out. Why can't Microsoft?"

But Microsoft's not giving up on Sender ID. "Microsoft is absolutely committed to Sender ID," said Sundwall. "We [Microsoft and AOL] may differ on how we're going to check e-mail, but we're both committed to doing it."