COMMENTARY --
MARID, the most promising of current attempts to create an e-mail authentication standard for combating spam, is dead. Citing irreconcilable differences among its participants, the Internet Engineering Task Force's (IETF) MTA Authorization Records in DNS working group, otherwise known as MARID, has been shut down.
The group was exploring options for establishing an Internet standard for how e-mail senders can be authenticated by the systems through which their e-mail passes. Sender authentication, because of the way it can improve the reliability of filtering mechanisms while also making it easier to track down hackers and spammers, is widely acknowledged as the first of many technical steps that must be taken in order to defeat unwanted e-mail, including spam, e-mail-borne viruses, and phishing attempts.
MARID's work had been hampered by technical disagreements among, and the competing interests of, the most influential members of the Internet's e-mail ecosystem. There were also concerns regarding Microsoft's application for a patent that covered the techniques being considered by the group. Any exclusive intellectual property rights (IPR) to an Internet protocol (especially one for a killer app like e-mail) can afford a patent holder significant control over a part of the Internet. It's no surprise, then, that IPR has a history of mixing with unencumbered standards (technologies with no licensing restrictions or royalty payments connected with them) the way oil mixes with water. (For more on this, you can read a column I wrote over two years ago that's still relevant today).
Proprietary spam solution providers who are threatened by such standards must have breathed a huge sigh of relief at MARID's passing. They get a new lease on life, while we users face buying their solutions or living with spam.
One hope on the sender authentication front is continued momentum for Meng Weng Wong's Sender Policy Framework (SPF). Prior to MARID's deliberations, Wong offered his SPF specification to the world on an open source basis. Meanwhile, under the directive of Bill Gates, Microsoft was rapidly evolving its own sender authentication specification known as Caller ID. The two specifications, with resolvable technological differences, merged to produce Sender ID. And it is the kernel of Sender ID -- the focus of MARID's work -- that now hangs in a limbo brought about by concerns regarding Microsoft's licensing terms and a patent application.
Now, with Caller ID and SPF appearing to have returned to their respective camps, Wong is forging ahead with something he calls Unified SPF. Meanwhile, Microsoft has said that it will continue to publish both SPF and PRA records so that other systems can use either to check the authenticity of senders, but that it will only check for PRA on inbound e-mail. PRA, otherwise known as Purported Responsible Address, is a sender authentication technique that's specific to Microsoft's original contribution to the merged Sender ID specification.
Now, the stage is set for a David and Goliath battle with reverberations into the larger struggle of the open source movement vs. proprietary software. In one corner is Meng Weng Wong and his open-sourced SPF. From an implementation point of view, SPF is by far the most widely adopted sender authentication specification. In the other corner is Microsoft. Between the software giant's inbox services (Hotmail), its Outlook e-mail clients, Exchange Server, its considerable presence in desktop and notebook computers, and the patent it seeks -- the application of which appears to cover the techniques found in SPF -- not only does this Goliath have considerable influence over the direction of the Internet's e-mail system, but it may have the intellectual property rights to keep David (Wong) and all of his supporters at bay. (Microsoft doesn't have to aggressively enforce its rights. It need only remind the industry that it has them, if it gets them.)
Doubters need only recall the battle between Internet Explorer and Netscape Navigator. Netscape's browser was all but vanquished and, although it appears to have come back from the dead (with a vengeance and a different name), the single most discussed barrier to its adoption is the prevalence of Web pages that will only display properly in Internet Explorer. It's an example of how difficult it is to break the grip of proprietary technologies once they achieve de facto standard status. We, the end users, run a very real risk of repeating that mistake with e-mail if we so willingly anoint another proprietary de facto (Microsoft-provided, or otherwise) standard. Though Microsoft obviously plays a central role in where this mess ends up, blaming it for MARID's demise may be unjustified. My understanding of standards-setting sessions is that they can often involve extremely contentious battles of wills and interests on all sides of the table.
The sad thing is that when the technology industry can't seem to get its act together -- as is the case here -- big business has a way of stepping in. At a gathering of the nation's state bankers last year, I learned of how the competing interests of technology companies led to a similar impasse in the setting of standards for electronic funds transfers. How was it resolved? An organization known as the Financial Services Roundtable, composed of the largest banking institutions in the U.S., stepped in and set its own standards. The technology industry had little choice but to follow.
Perhaps that's what we need here. Given the headaches that phishing has caused for the financial services business, maybe the roundtable should step in and take care of business for us. I, for one, would welcome it. These developments are disastrous blows to technology users whose Internet experience is being ruined by unwanted e-mail and to businesses who could have used e-mail for important customer relationship management (but can't because those customers are afraid of being phished). Moreover, these developments are a tragic setback to standards-setting in general.
Though hope remains that the pieces can be reassembled in a way that puts a sender authentication standard (perhaps non-IETF) back on track, MARID's dissolution is an example of how corporate greed, proprietary interests, and ego can drive the cost of computing through the roof. Without unencumbered standards, we'll only be left with costly proprietary solutions -- and a lot of difficulty in switching should we ever become dissatisfied with what we choose, or what's forced upon us.
You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check my blog Between the Lines or my archives.