RE: 2004: The Year That Promised Email Authentication

2004-12-30 Thread Tyler Durden
I see RAHWEH is back from visiting the relatives...
-TD

From: R.A. Hettinga [EMAIL PROTECTED]
To: cryptography@metzdowd.com, [EMAIL PROTECTED]
Subject: 2004: The Year That Promised Email Authentication
Date: Mon, 27 Dec 2004 16:49:01 -0500
http://www.circleid.com/print/855_0_1_0/
CircleID
2004: The Year That Promised Email Authentication
By: Yakov Shafranovich
From CircleID
Addressing Spam
December 27, 2004
 As the year comes to a close, it is important to reflect on what has been
one of the major actions in the anti-spam arena this year: the quest for
email authentication. With email often called the killer app of the
Internet, it is important to reflect on any major changes proposed or
implemented that can affect that basic tool that many of us have come to
rely on in our daily lives. And, while many of the debates involved myriads
of specialized mailing lists, standards organizations, conferences and even
some government agencies, it is important for the free and open source
software (FOSS) community as well as the Internet community at large, to
analyze and learn lessons from the events surrounding email authentication
in 2004.
 THE GHOST OF CHRISTMAS PAST
 The quest for email authentication did not start from scratch.
Authentication systems are a well known field in computer security, and
have been researched for quite some time. Nevertheless, it is only during
this past year that email authentication has gained a prominent push mainly
due to the ever increasing spam problem. As is well known, the original email
architecture and protocols were not designed for an open network such as the
Internet. Therefore, the original designers failed to predict the virtual
tidal wave of junk email that took advantage of the lack of authentication in
Internet email. As a result, a junk email filter is considered one of
the essential tools any Internet citizen must have in his toolkit today.
 The push towards email authentication started in earnest with the
publication of a proposal called RMX by a German engineer called Hadmut
Danisch in early 2003. While other previous proposals have been published,
none have gained any kind of traction. Hadmut's proposal on the other hand
coincided with the opening of the Anti-Spam Research Group (ASRG) of the
Internet Research Task Force (IRTF), which is an affiliate body of the
IETF. The IETF created and currently maintains the Internet email
standards, and an IETF affiliate was a logical body to work on addressing
the spam problem on the Internet at large. Being that the ASRG brought
together a sizable chunk of the anti-spam world, RMX gained more exposure
than any of the previous work in the field ever had. What followed was a
succession of proposals forked off the original RMX proposal until the
spring of 2004 when most of them were basically confined to the dustbin of
history together with RMX. In the end, only two proposals with any sizable
following were left: Sender Policy Framework (SPF) and Microsoft's
Caller-ID.
 The author of SPF, Meng Wong, managed to attract a large community to his
proposal, giving it a much larger deployed base than any competitor. In
many ways this effort can be compared to some of the open source projects,
except this time this was an open standard rather than a piece of software.
On the other side of the ring, so to speak, was Microsoft which surprised
the email world with their own proposal called Caller-ID at the RSA
conference in early 2004. Eventually, the IETF agreed to consider
standardization of email authentication by opening a working group called
MARID in March of 2004. With the merger of SPF and Microsoft's new
Sender-ID proposal, hopes were running high about the coming success of
email authentication and the coming demise of spam. Yet, ironically this
working group earned itself a record by being one of the shortest in the
existence of the IETF - it lasted a little over six months until being
formally shut down in September of 2004.
 ALL THAT IS GOLD DOES NOT GLITTER
 During the work of IETF's MARID group the quest for email
authentication began to permeate circles outside the usual cadre of
anti-spam geeks. Technology publications, and even the mass media have
begun to take note of the efforts occurring on an obscure mailing list
tucked away among 200 other even more obscure groups, prodded in many cases
by the public relations spokesmen of various companies in the anti-spam
space, including Microsoft. Yet in many ways that was one of the fatal
blows to the group and any hope of a common standard for email
authentication.
 Several major issues arose during the operation of the working group. The
first major issue that has been bubbling beneath the surface was technical
in nature. SPF has come from a group of proposals that worked with the
parts of the email infrastructure that were unseen by most users. This
included email servers that exchanged email among ISPs and were unseen. In
the technical lingo this type of 
