IDentified!
Identity
spoofing is a major concern on the Internet where a person's identity
and location can easily be hidden or masqueraded.
It is a growing problem as hackers and DoS attackers
use spoofed identities to avoid detection and make it difficult
for their victims to recover from the attacks. In early 2004, Microsoft
unveiled "Caller ID for E-mail." This was aimed at preventing
the use of spoofed identities in spamming and other e-mail-related
abuse.
As it was proposed, DNS servers would maintain
an ongoing list of authenticated e-mail senders. When recipients
receive a message, its header would be opened, and its authentication
data would be checked against this list, before it gets posted to
the Inbox. If there was no match against the list, the e-mail would
simply be deleted. As Microsoft described Caller ID for E-mail at
the time, it was a mechanism for legitimate senders of mail to help
ensure their Domain Name is not being abused by a spammer.
In a nutshell, Caller ID involves two key steps.
First, senders of e-mail publish the IP addresses of their outgoing
mail servers in DNS in an e-mail policy document. Second, the
e-mail software at the receiving end of a message queries DNS for
the e-mail policy and determines the 'purported responsible domain'
of the message. This is done by comparing the information in DNS
to ensure it matches the information on the originating mail. Microsoft
claimed it was a technical solution that got at the root of the
spam problem by helping to confirm legitimate senders.
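
The two steps above can be sketched as follows. This is an added example, not code from Microsoft or from the original article: the `PUBLISHED_POLICY` table is a constructed stand-in for the DNS lookup, and the header precedence used to pick the responsible domain is a simplified assumption.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for sender policies published in DNS (assumption:
# a real receiver would obtain this with a DNS query for the domain).
PUBLISHED_POLICY = {
    "example.com": ["192.0.2.0/28", "198.51.100.25/32"],
}

# Simplified header precedence for picking the responsible address (assumption).
PRECEDENCE = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_responsible_domain(raw_message):
    """Return the lowercased domain of the first usable header, or None."""
    msg = message_from_string(raw_message)
    for name in PRECEDENCE:
        value = msg.get(name)
        if not value:
            continue
        _, addr = parseaddr(value)
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def check_sender(raw_message, connecting_ip, policy=PUBLISHED_POLICY):
    """Return 'pass', 'fail', or 'none' (no domain found or no policy published)."""
    domain = purported_responsible_domain(raw_message)
    if domain is None or domain not in policy:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    allowed = any(ip in ipaddress.ip_network(net) for net in policy[domain])
    return "pass" if allowed else "fail"


# Constructed sample message claiming to come from example.com.
SAMPLE = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for ip in ("192.0.2.5", "203.0.113.9"):
        print(ip, check_sender(SAMPLE, ip))
```

A `fail` result corresponds to the spoofed case the proposal targets: the message names a domain whose published policy does not list the connecting server.
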
In August of that year, in order to advance its
development and approval, the Internet Engineering Task Force grafted
Microsoft's proposal onto another concept, Sender Policy Framework,
which used a more complex and programmable system for a server to
determine whether a message should be forwarded. The
result was 'Sender ID.' Almost immediately, the IETF came under
fire from some of its members, for advancing a framework as a public
standard for which Microsoft was known to hold patents.
Apache announced that the Microsoft Royalty-Free
Sender ID Patent License Agreement terms were a barrier to any ASF
project which wants to implement Sender ID. They argued that the
license was incompatible with open source, contrary to the practice
of open Internet standards, and also incompatible with the Apache
License 2.0 and therefore refused to implement or deploy Sender
ID under the given license terms. The Debian Project also held a
similar view.
Later on, Cisco Systems and Yahoo advanced an
alternative specification called DomainKeys Identified Mail (DKIM).
It's a far more complex system that involves authentication at both
the sending end and the receiving end, which would also advance
the notion of fully certified users that Cisco has always supported.
While DKIM and Sender ID could technically co-exist, there
may be no direct benefit in it; and DKIM's sender-side authentication,
which Sender ID lacks, could be seen by network architects as an
obvious advantage. DKIM has since garnered the support of e-mail
providers such as AOL and Earthlink, and technology providers such
as IBM, IronPort Systems, and Sendmail.
So in lieu of waiting for a fundamental overhaul
of the IETF, Microsoft opted to gamble on turning over its share
of Sender ID's intellectual property to the public, under a license-free
scheme the company had originally created, to address some of the
European Commission's more pressing concerns. Microsoft now says
that their goal is to advance interoperable efforts for online safety
worldwide by putting Sender ID under the Open Specification Promise.
Under the basic terms of OSP, Microsoft agrees never to make any
claims against developers' use of the technologies it covers, so
long as they themselves refrain from making any claims against Microsoft
for possible patent infringement.
No statements have been filed yet from Apache
or Debian, or from the IETF. In a sign that Microsoft's move may
thaw the ice at least partly, IronPort and Sendmail have both signed
onto Microsoft's Sender ID announcement.