Want CNET to notify you of price drops and the latest stories?

Apache, open-source groups wary of Sender ID

The Apache Foundation pulls support for the antispam technology because of Microsoft's license requirements.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
The Apache Foundation, an open-source development group, on Thursday pulled its support of the proposed antispam standard Sender ID, saying Microsoft's license requirements are too strict.

The move by the group responsible for the popular Apache Web server comes as other open-source developers also voiced reservations about Microsoft's attempts to apply stringent license requirements to its contribution to the spam-fighting technology.

"We believe that the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with Apache License 2.0," the group wrote Thursday in its letter to the technical committee working on the technology.

The criticism of the licensing requirements for the Sender ID standard were published in response to a request for opinions of the possible standards.

The request came from the chairpersons of the Internet Engineering Task Force (IETF) working group responsible for Sender ID, which is meant to block spam by confirming the source of an e-mail. Dozens of others also contributed their comments, the overwhelming majority of which were critical of the new standard and Microsoft's attempt to place license requirements on the specification.

"Microsoft's license for patent claims made on Sender ID prevent (the specification) from being a standard in the open-source community," one member of the working group wrote in a posting titled "Motion to abandon Sender ID."

A Microsoft representative was not immediately available to comment on the issue.

Many of the license provisions worry open-source developers. According to an analysis done by Larry Rosen, general counsel of the Open Source Initiative, Microsoft's License would require mail service providers incorporating Sender ID into their products to tell Microsoft about customers using it.

The software giant also has not informed the IETF of potential patents pending on the technologies, and the license is not compatible with open-source development groups and requires users to be subject to U.S. export control laws, the analysis stated.

Sender ID is a combination of two proposed standards that would create a system to positively identify whether the source address of an e-mail message is the actual source of the message. One specification, Caller ID for E-mail, was proposed by Microsoft; the other, Sender Policy Framework (SPF), was proposed by Meng Wong, the founder of e-mail service provider Pobox.com.

The use of Microsoft's technology in the standard means that the company can specify a license that potential users have to agree to before using the code.

On Monday, Sendmail, developer of an open-source mail server, released a version of a module that could be added to any Sendmail server for Sender ID functionality in software.

While the module, called milter, is open-source, users may still have to agree to Microsoft's licensing restrictions. However, Sendmail's CEO, David Anderson, said his company was not going to sign the license agreement. Moreover, the company's lawyers do not think that anyone needs to.

"Microsoft has said that this is free, and it doesn't say that you need a license for this technology," he said. "I can't figure out why I would want to sign this license."

Microsoft has actively lobbied other companies to accept the Sender ID framework and its license that would accompany the code. In August, the company collected more than 80 members of the Email Service Provider Coalition to tout the benefits of the antispam technology.

"This is a good tool," J. Trevor Hughes, executive director of the ESPC, stated in an e-mail to the IETF working group. "The actions of the various parties involved are understandable and reasonable. The license terms are workable and within the scope of IETF standards and history. And it will have a positive effect on our ability to reduce phishing and protect legitimate e-mail."

Internet services firm VeriSign also signaled its support for the Sender ID specification in an e-mail to the IETF.

"We see Sender ID as a good, easy-to-implement solution to stop e-mail domain spoofing and an important first step towards truly authenticating the sending party," Bruce Ong, senior product manager for the company, wrote in the e-mail.

VeriSign can sympathize with Microsoft's situation: The firm has also been accused of and sued for trying to co-opt parts of the Internet infrastructure with its Site Finder service, which redirected Web surfers to a VeriSign-branded search page if they mistyped a .com or .net Web address.

Despite these votes of support, open-source groups may be a harder nut to crack.

"As developers of open-source e-mail technologies, we are concerned that no company should be permitted IP (intellectual property) rights over core Internet infrastructure," the Apache Foundation wrote, adding that "we will not be implementing support for Sender ID until such time, as the issues with the license are fixed and acceptable."