Slashdot Mirror


Microsoft Will Submit 'Caller ID' To The IETF

An anonymous reader submits "According to a recent mailing list post by Harry Katz who is the Program Manager of Exchange at Microsoft, they plan to submit MSFT's "Caller ID" proposal to the IETF: 'I want to inform members of the MARID working group that Microsoft will shortly be submitting the Caller ID for E-mail specification to the IETF as an Informational RFC. We request that the Caller ID specification be considered an input document to the working group's deliberations.'"

42 comments

  1. Obligatory note... by FooAtWFU · · Score: 1, Informative

    Obligatory notes: a) What about SPF? b) The name sucks! c) Licensing issues exist.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
    1. Re:Obligatory note... by .@. · · Score: 2, Informative

      a) SPF is being considered by the same working group. Rather, the means of authenticating senders via DNS that both SPF and Caller-ID propose are being considered by the same working group. Caller-ID, however, is more focused on RFC2822 headers, whereas the working group is leaning towards RFC2821 headers in its initial product.

      b) "Caller-ID" is copyrighted, and will almost certainly not be used as a final name.

      c) True. However, the working group will not be choosing one approach from whole cloth. Rather, it will be producing a DNS-based means of sender authentication, which other working groups will then build upon to produce a full-fledged mechanism, which may or may not be an existing mechanism, a combination of several, or something new.

      --
      .@.
    2. Re:Obligatory note... by BrynM · · Score: 3, Interesting
      c) Licensing issues exist.
      From the MS License for this submission:
      If you distribute, license or sell a Licensed Implementation, this license is conditioned upon you requiring that the
      following notice be prominently displayed in all copies and derivative works of your source code and in copies of the
      documentation and licenses associated with your Licensed Implementation:
      "This product may incorporate intellectual property owned by Microsoft Corporation. If you would like a license
      from Microsoft, you need to contact Microsoft directly."
      By including the above notice in a Licensed Implementation, you will be deemed to have accepted the terms and
      conditions of this license. You are not licensed to distribute a Licensed Implementation under license terms and
      conditions that prohibit the terms and conditions of this license.
      You are not licensed to sublicense or transfer your rights.
      Hungh? Does this section mean that everyone who implements this must notify Microsoft that they are using it? If you're "not licensed to distribute a Licensed Implementation", then does each end user have to check in with MS? If I write, say, an e-mail class in PHP that can use this spec for my personal web site, do I have to notify MS?

      I may just be paranoid of the MS grab-it-all attitude, but I don't like the implications of this. Is this normal wording for such a license that involves patented works in RFCs?

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    3. Re:Obligatory note... by zero_offset · · Score: 1

      The very first phrase answers all of your questions about the license itself:

      If you distribute, license or sell a Licensed Implementation

      Does this section mean that everyone who implements this must notify Microsoft that they are using it?

      Only if you distribute, license, or sell it.

      If you're "not licensed to distribute a Licensed Implementation", then does each end user have to check in with MS?

      Since you're not licensed to distribute an implementation, you're not supposed to have "end users" at all (other than yourself).

      If I write, say an e-mail class in PHP that can use this spec for my personal web site, do I have to notify MS?

      Not if it's for personal use. If your site "distributes" that capability to end users, it seems to me that you'd be in violation.

      Of course, IANAL.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

    4. Re:Obligatory note... by Zeinfeld · · Score: 1
      I think folk need to take note of the fact that Microsoft is not merely submitting their scheme to the IETF group, they are working with the group and are very likely to accept the end product. This means that instead of us having six different RMX style proposals we will hopefully have one.

      As for the cost of certificates, it really depends on what you are doing. If you are an enterprise of any real size or an ISP you are already spending hundreds of $ per month talking your way off various blocklists, and talking to other people who have wrongly ended up on your blocklist, or spammers trying it on...

      There will still be a need for a certificate with CallerID or SPF, VeriSign are currently calling it an 'accreditation'.

      Presumably they intend to make money out of this somehow. But then as they say in the Godfather 'none of us here are communists'. Whatever happens, the result is going to be a whole heck of a lot cheaper than the 'postage stamp' schemes some have been talking about. It is unlikely that any of those could be implemented without the cybercash patents - and guess who owns those?

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  2. As an RFC? by Anonymous Coward · · Score: 4, Funny

    Good. I have a lot of comments; and while I'm glad they want to hear them, I think they'll regret it...

    (Oooh. Bad punning and Microsoft bashing in the same post...)

  3. Please come up with something .. by naden · · Score: 5, Funny

    As much as Microsoft can't be trusted .. i do hope many of the bigger companies/organisations do collaborate on some sort of standard.

    Because all I need to be happy in this world is to fulfil my one last dream in life.

    I won't go into it, but let's just say it involves a blowtorch, a pair of pliers and a tied up spammer.

    --
    Funtage Factor: Purple
  4. Hope it won't be as bad as Caller ID by Bishop923 · · Score: 4, Insightful

    I don't know about other areas, but around here 90% of the telemarketer calls show up on Caller ID as one of the following:
    "Out of the Area", "Private", or the state of origin. "Oh boy, someone in California is calling, that only narrows it down to 40 Million people..."

    Doubt this will be different, just a few extra bytes added to every E-Mail, clogging up the networks worse than before.

    1. Re:Hope it won't be as bad as Caller ID by dacarr · · Score: 2, Funny

      Lucky bastard. My caller ID shows collectors as "VOIP CALL" sometimes.

      --
      This sig no verb.
    2. Re:Hope it won't be as bad as Caller ID by DrSkwid · · Score: 1

      I'm on the UK's do-not-call list http://www.tpsonline.org.uk

      I had 1 call since Sept 2004, and the TPS is actively pursuing my complaint regarding that call, seeing as it was a criminal offence to make it.

      They also handle SMS spam complaints too, now that that is illegal also.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  5. What is an Informational RFC by MerlynEmrys67 · · Score: 4, Informative
    Well honestly the bar is pretty low.

    No blatant typos and grammer can't completely suck
    Can't break the internet
    Must show adherence to RFC 2026

    Yup - that is about it, so they get an informational RFC out of it. Who cares if no one in the world implements it. I would be worried if they were getting a standards track RFC that implies that people actually had to agree that it was the right thing to do.

    --
    I have mod points and I am not afraid to use them
    1. Re:What is an Informational RFC by dustman · · Score: 2, Insightful

      No blatant typos and grammer can't completely suck

      Oh, the irony!

  6. If only there was something like this for phones by Anonymous Coward · · Score: 0, Funny

    This sounds pretty cool. Microsoft needs to apply this "Caller ID for E-mail" technology to telephone calls. Then when the phone rang, you could tell if it's a telemarketer or your pal Rick.

    They could call it "Caller ID for E-mail, for telephone calls".

  7. Won't work by ogre57 · · Score: 4, Insightful

    If this scheme were magically globally implemented today it would reduce email spam by 50% at most, and for a few weeks at best. I see zero reason to believe that one month from now the spam rate would be even 1% less than it was yesterday, especially considering this year's virus fun so far. Nor will it reduce the CAN-SPAM oxymoron of "legitimate spam", eg attempts to sell the political candidates.

    With no reason to believe this RFC will accomplish even its purported intent no one sane will waste time and money to implement it. Expect the few morons who do to block more legit mail than spam.

  8. My nerves... by goranb · · Score: 1
    "Microsoft believes that it has patent rights (patent(s) and/or pending applications(s)) that are necessary for you to license in order to make, sell, or distribute software programs that comply with one or more aspects of the Caller ID for E-mail Specification."

    That's from the callerid_license.pdf document on their Technical Specification page...

    True, it continues with:
    "Microsoft and its Affiliates hereby grant you ("Licensee") a fully paid, royalty-free, non-exclusive, worldwide license under Microsoft's Necessary Claims to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations, provided, Licensee, on behalf of itself and its Affiliates, hereby grants Microsoft and all other Specification Licensees, a reciprocal fully paid, royalty-free, non-exclusive, worldwide, nontransferable, non-sublicenseable, license under Necessary Claims of Licensee to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations."


    I get quite nervous when it comes to Microsoft's licences...
    I actually stopped reading the document after the second quote...
    1. Re:My nerves... by http · · Score: 1
      After reading that through four times slowly, I read it as:
      You can use it only if you agree to let us use it however we want for free.
      ...with one extra comma thrown in between "provided" and "Licensee" for no other purpose than to obfuscate. This looks like a one-way version of the GPL to me. What am I missing here? IANAL, but I have read the GPL more than once, and I understand that MicroSoft rarely allows anything to slip past that does not benefit them in some way.
      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
  9. Man, what a hack.... by brianjcain · · Score: 4, Interesting

    If you're going to use a hack, why not use SPF? MS's hack doesn't look any better than SPF, from what I can tell. They both leverage reverse DNS lookups. All we need is for Sun, IBM, Oracle and SCO to develop their own DNS TXT-mail domain identity hacks.

    "Long e-mail policy documents. Larger organizations with more complex e-mail topologies may need longer e-mail policy documents. If your organization has a large e-mail policy document, please refer to the Caller-ID specification for information on how to split it up."

    This is stupid -- DNS shouldn't have to be twisted into knots to get this to work. These solutions seem to be the lazy way of getting things done: "Distribution of trust is too hard. But we already trust DNS, so let's just mess with DNS until it does what we want it to."

    How about a new version of smtp that signs emails using a trusted certificate (yes, I recognize that it's pretty unlikely that I'm the first to suggest this)? If browsers come with lists of trusted root certs, why can't SMTP daemons? Current SMTP servers can ignore the signature, and subsequent SMTP servers could use it as a cue to bypass spam filters (or skip directly to a "domain is known bad?" decision point).

    While MS is mucking with stuff, why don't they have Windows automagically generate a cert for someone's identity when a new user is created, and then include email signatures by default in Outlook/OE? Outlook and OE seem to handle S/MIME just about as well as Mozilla/TBird do.

    (Cue boilerplate "your solution to the problem of Spam sucks because of..." here).

    1. Re:Man, what a hack.... by alienw · · Score: 1

      Hey, dumbass, certificates cost money. Lots of money. If you want to pay through the ass to get every little e-mail server a certificate, then your idea is good. Otherwise, it's pretty stupid.

      If you generate your own certificates, then there isn't much point in having the system, right smartass? Or do you think spammers would have a problem with generating a new certificate for every batch of spam?

    2. Re:Man, what a hack.... by Jim_Maryland · · Score: 1
      While MS is mucking with stuff, why don't they have Windows automagically generate a cert for someone's identity when a new user is created, and then include email signatures by default in Outlook/OE? Outlook and OE seem to handle S/MIME just about as well as Mozilla/TBird do.

      I'm sure that spammers are using these products for their mass emailing instead of custom applications to obscure header information.

      The reduction of spam (solution is too optimistic) will likely come from a multiple solution approach as a single approach will be circumvented. Approaches I think will help are:

      Go after the person paying the spammer in the first place. Cut off the spam funding to reduce the amount of spam

      Filters. While not perfect, they do catch at least the obvious spammers.

      List. Again, not a perfect solution, but it can help.

      SMTP rework. Certainly refining protocols can help as long as it's accepted by vendors. This may not solve every case, but may deter some spammers.
      While I realize that spam is still flooding the Internet, I have noticed less in my inbox so something is working from my ISP and my employer.

    3. Re:Man, what a hack.... by Mr.+Slippery · · Score: 2, Informative
      Hey, dumbass, certificates cost money. Lots of money.

      Verisign Class 1 Digital ID: $14.95 per year. I'm sure with some shopping around you can find a better deal.

      Or there's the "web of trust" model.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    4. Re:Man, what a hack.... by Bishop · · Score: 1

      Certificates could work at nearly eliminating spam. The full infrastructure required is not currently in place though. Currently certificates are cheap and easy to get. Using (stolen) credit cards spammers could buy certs and basically spam as normal. To eliminate spam it is necessary to positively identify the originator of the spam. To achieve that certificates would have to be harder to get. Certificate purchasers would have to provide positive proof of identification. Certificate issuers would have to stand behind the certificates they issue. Another nice to have feature would be the ability to instantly revoke certificates.

    5. Re:Man, what a hack.... by brianjcain · · Score: 1
      Hey, dumbass, certificates cost money. Lots of money. If you want to pay through the ass to get every little e-mail server a certificate, then your idea is good. Otherwise, it's pretty stupid.
      Certificates do not cost much. I can understand individuals being hesitant to drop $15 or so per annum per domain, but for many businesses across the world (I'm going to guess they're among the largest consumers in email traffic) this is well worth the cost.
      If you generate your own certificates, then there isn't much point in having the system, right smartass? Or do you think spammers would have a problem with generating a new certificate for every batch of spam?

      Many people/organizations who own domains pay for certificates for their secure web sites. This is really no different. It might help to think of it as "express mail" -- less chance of getting a false positive from a spam filter (because maybe you skip the bayesian filters and go straight to a domain-name check, since you could now have faith in that "from" field). Those who wish to firmly establish their domain's identity can sign all of their outgoing email traffic and those who are curious are free to try to authenticate the signature.

      Individuals without the means to purchase certificates issued by trusted certificate authorities may miss the boat a bit on this suggestion, I suppose. But I don't see a reason why governments can't act as CAs and verify the identity of their citizens (especially if their citizens found this service to be worth the cost). Yeah, I know, I don't like to give any more power to the government, but assuming this remained an opt-in service, it seems like a good deal.

    6. Re:Man, what a hack.... by brianjcain · · Score: 1
      I'm sure that spammers are using these products for their mass emailing instead of custom applications to obscure header information.
      Are you serious? I kinda doubt it. I'm almost positive that there are custom spammer apps (some probably do web spidering too). I don't think they use them solely for obscuring header info. Anyways, that's not the point. I'm not suggesting that spammers couldn't mimic S/MIME, because they absolutely could. But assuming message-signing became so prevalent that it was used to help discern "spam" from "ham", once spammers signed their emails using a certificate from a trusted source, their identity could be added to lists of "known spammers" not unlike the RBLs, etc. that exist now. Of course, spammers would no doubt escalate things by continuously purchasing legitimate domains and legitimate domain certs, but as those got blacklisted, I imagine that they would approach some sort of bound (certainly the number of legal characters for a domain name ^ the length of a domain name, I guess). I suppose CRLs might come into play there, too (assuming admins updated their lists).
      The reduction of spam (solution is too optimistic) will likely come from a multiple solution approach as a single approach will be circumvented.

      I'm not so naive as to think spam would be quieted by any one technical solution. Digital signature-esque solutions like the one(s) I pose are probably slightly more difficult to circumvent brute-force wise.

      Just imagine if you could use aggressive email filters, but never had to worry about losing a co-worker's important business message because your company compelled everyone to sign their email messages (at least internally). Maybe your non-work email address(es) would still get spam, but your work address(es) would probably get far fewer!

    7. Re:Man, what a hack.... by Anonymous Coward · · Score: 0

      How about a new version of smtp that signs emails using a trusted certificate (yes, I recognize that it's pretty unlikely that I'm the first to suggest this)? If browsers come with lists of trusted root certs, why can't SMTP daemons? Current SMTP servers can ignore the signature, and subsequent SMTP servers could use it as a cue to bypass spam filters (or skip directly to a "domain is known bad?" decision point).

      How about using certificates with STARTTLS? It's already available off-the-shelf, comes with sendmail and most other MTA software, and it's backwards compatible with SMTP. Even Outlook & Outlook Express support it.

      It uses certificates to authenticate SMTP clients & servers, and can encrypt your email while in transit.

      My company has been using it for a few years now...
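The comment above recommends STARTTLS because it is backwards compatible with plain SMTP. That compatibility is also its weak spot, and the following added example (editor's code, not from the thread or any MTA) shows it: the client parses a constructed EHLO reply, and under the "opportunistic" policy that most MTAs default to, a relay or on-path attacker who simply deletes the 250-STARTTLS line gets the session in plaintext. Only a "require" policy, combined with a TLS context that verifies the server certificate and hostname, actually authenticates the peer; STARTTLS with a non-verifying context encrypts but authenticates nothing. The server replies are constructed; mx.example.com is a placeholder name.

```python
"""Client side of the EHLO/STARTTLS upgrade (RFC 3207), run offline against
constructed server replies, with the STARTTLS-stripping downgrade shown."""
import ssl


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into (greeting, {KEYWORD: params}).
    Every line must start with '250-' except the last, which must be '250 '."""
    lines = reply.rstrip("\r\n").split("\r\n")
    greeting, caps = None, {}
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        last = i == len(lines) - 1
        if code != "250" or sep != (" " if last else "-"):
            raise ValueError("malformed EHLO reply: %r" % line)
        if i == 0:
            greeting = rest
        else:
            keyword, _, params = rest.partition(" ")
            caps[keyword.upper()] = params
    return greeting, caps


def next_action(reply, policy):
    """policy is 'require' or 'opportunistic'; returns the client's next step.
    Opportunistic mode degrades silently when STARTTLS is not advertised."""
    if policy not in ("require", "opportunistic"):
        raise ValueError("unknown policy %r" % policy)
    _, caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        # After the server answers 220 to STARTTLS, the client must discard
        # these capabilities and issue EHLO again over the TLS channel.
        return "STARTTLS"
    return "ABORT" if policy == "require" else "PLAINTEXT"


def make_tls_context(ca_file=None):
    """Context to pass to smtplib.SMTP.starttls(context=...): verifies the
    server's certificate chain and hostname, which is the part that actually
    authenticates the server.  ca_file defaults to the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed replies (not captured traffic).
HONEST = ("250-mx.example.com Hello client\r\n"
          "250-SIZE 10240000\r\n"
          "250-STARTTLS\r\n"
          "250 8BITMIME\r\n")
# What a STARTTLS-stripping relay or attacker forwards instead.
STRIPPED = HONEST.replace("250-STARTTLS\r\n", "")

if __name__ == "__main__":
    for name, reply in (("honest", HONEST), ("stripped", STRIPPED)):
        for policy in ("opportunistic", "require"):
            print("%-8s %-13s -> %s" % (name, policy, next_action(reply, policy)))
    ctx = make_tls_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
```

The "stripped / opportunistic -> PLAINTEXT" row is the point: nothing in the protocol tells the client that a capability was removed in transit, so the policy has to be decided by the client (or pinned per destination) rather than inferred from the server's reply.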

    8. Re:Man, what a hack.... by Jim_Maryland · · Score: 1

      I guess I should have double checked my posting. I was writing it in between other tasks at my desk. Started out as sarcasm but obviously ended up the wrong way. It should have read as you pointed out (that custom applications are used rather than the MS mail clients...my bad).

    9. Re:Man, what a hack.... by Joe+U · · Score: 1

      I thought those $15 certs were for personal email signing only.

      I think we are more likely to see the $350 SSL type certs from Verisign.

  10. What's so special about "CallerID" anyway? by parvenu74 · · Score: 3, Interesting

    From the MS website:

    Caller ID for e-mail would verify that each e-mail message originates from the Internet domain it claims to come from.
    Given that email headers indicate the IP address of the originating email server, and the 'from address' indicates the alleged originating domain, isn't this already possible by means of a simple DNS lookup?

    Or is that CallerID really is under the hood and MS is trying to 'license' it to folks?

    (And with all the money MS has, can't they hire tech writers who know not to end a sentence with a preposition???)

    1. Re:What's so special about "CallerID" anyway? by Anonymous Coward · · Score: 0

      Given that email headers indicate the IP address of the originating email server, and the 'from address' indicated the alleged originating domain, isn't this already possible by means of a simple DNS lookup?

      Sometimes legitimate users send legitimate email from IP addresses that have DNS names that are different from the "From: address".

      SPF and this caller-id functionality try to manage this.
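The question in comment 10 ("isn't this already possible by a simple DNS lookup?") and the answer above are best seen in code. A forward lookup of the From: domain only tells you where that domain's own hosts are; it says nothing about a third-party mail host the domain has authorised, which is exactly the legitimate case the reply describes. The DNS-based schemes before MARID instead have the domain publish a policy in a TXT record, and the receiving MTA tests the connecting IP against that policy. The added example below (editor's code, not MARID, SPF or Microsoft code) evaluates a small SPF-style record language (ip4, a, mx, include, all, with the +/-/~/? qualifiers) against a constructed in-memory zone so it runs offline; a real checker resolves the same names over DNS. It also checks both identities comment 1.1 distinguishes: the RFC 2821 envelope MAIL FROM domain and the RFC 2822 header From: domain. All domain names and addresses are hypothetical.

```python
"""SPF-style policy evaluation over a constructed zone (no network)."""
import ipaddress

# Constructed zone data: hypothetical domains and documentation-range IPs.
ZONE = {
    "TXT": {
        # example.com sends from its own MX, one address block, and an outsourced host
        "example.com": ["v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailhost.example -all"],
        "_spf.mailhost.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
        "shop.example": ["v=spf1 a ~all"],
        "nopolicy.example": ["some unrelated TXT record"],
        "loop.example": ["v=spf1 include:loop.example -all"],   # hostile/broken record
    },
    "A": {"mail.example.com": ["192.0.2.10"], "shop.example": ["192.0.2.77"]},
    "MX": {"example.com": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # cap on mechanisms that need DNS (a, mx, include)


def lookup(rtype, name):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE[rtype].get(name, [])


def check_spf(ip, domain, _budget=None):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    budget = _budget if _budget is not None else [MAX_DNS_LOOKUPS]
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup("TXT", domain) if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"          # domain publishes no policy: nothing can be concluded
    if len(records) > 1:
        return "permerror"     # ambiguous policy
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"   # runaway policy (e.g. include loops) must not DoS the checker
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)   # False for an IPv6 client
        elif mech == "a":
            matched = str(addr) in lookup("A", arg or domain)
        elif mech == "mx":
            matched = any(str(addr) in lookup("A", mx) for mx in lookup("MX", arg or domain))
        elif mech == "include":
            inner = check_spf(ip, arg, budget)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"      # include matches only on the included domain's pass
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # fell off the end of the record without a match


def check_message(ip, mail_from_domain, header_from_domain):
    """Evaluate the RFC 2821 envelope identity (what MARID leaned towards) and the
    RFC 2822 header From: identity (closer to Caller ID's focus) for one connection."""
    return {"envelope": check_spf(ip, mail_from_domain),
            "header": check_spf(ip, header_from_domain)}


if __name__ == "__main__":
    # 203.0.113.5 is the outsourced host: its name is not under example.com,
    # so a plain forward lookup fails, but the policy authorises it.
    print(check_message("203.0.113.5", "example.com", "example.com"))
    print(check_message("203.0.113.5", "example.com", "shop.example"))
    print(check_spf("1.2.3.4", "loop.example"))
```

The lookup budget is the caveat a receiver has to get right: without it, a domain can publish a self-including record and turn every receiver's check into a recursive query storm.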

  11. Caller ID a broken system by 0x0d0a · · Score: 1

    Caller ID suffers from most of the same flaws that SPF does (and is only marginally better than the latter system).

    I find it phenomenally frustrating that the single company best positioned to provide the only real long-term fix -- a worldwide PKI/trust network via Outlook and Exchange -- is bound and determined to stick with another short-term hack.

    Worse, this is a short-term hack that produces pain-in-the-ass side effects that will be with us for decades.

    1. Re:Caller ID a broken system by base3 · · Score: 4, Insightful

      PKI? You're kidding, right? I am most decidedly not interested in paying a tithe (either directly, or via my ISP) to RSA, Verisign, Microsoft, or whoever the root CA would be in order to send email. I doubt too many other people are, either.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    2. Re:Caller ID a broken system by Mr.+Slippery · · Score: 1
      PKI? You're kidding, right? I am most decidedly not interested in paying a tithe (either directly, or via my ISP) to RSA, Verisign, Microsoft, or whoever the root CA would be in order to send email.

      Thawte has free personal certificates, and an interesting "Web of Trust" idea for e-mail certificates.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    3. Re:Caller ID a broken system by base3 · · Score: 1

      That would be useful on an individual basis, but I can't envision a way that certificates could be used at an SMTP server level to decide to accept or reject email in the absence of some kind of centralized authority. And I'd rather deal with spam with other tools (stopping the flow of money by denying merchant accounts to companies who advertise with spam, for example) than do something that would inevitably result in "postage" for email.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    4. Re:Caller ID a broken system by 0x0d0a · · Score: 1

      I am most decidedly not interested in paying a tithe

      There's no need to do so.

      The fees on certs for, say, web servers are justified by reason of verifying a RL ID/key mapping. There's no need for this in simply ensuring the trustworthiness of a key owner not being a spammer.

      I mean, sure, it's possible to have commercial signers (among others). If Verisign wants to endorse your ID not being that of a spammer and charge $50 to do so, that's fine. But even in such a scenario, I wouldn't expect signers to sign each email.

    5. Re:Caller ID a broken system by vegetablespork · · Score: 1

      But if you're going to trust mail servers based on their signing keys, and there's no central trust provider (e.g. a root CA), then you have to decide to trust each mail server yourself--and there are many, many mail servers. I suppose SPEWS or another current RBL provider could trust server keys, then you could transitively trust them, but the RBL provider will also want to be paid for that service.

      --

      Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

    6. Re:Caller ID a broken system by 0x0d0a · · Score: 1

      No -- you can have many root trust providers. The leaf nodes of the trust network would be users -- each user would sign their emails, not each server signing emails sent through them. You would use transitive trust, as you've pointed out. The task of a root trust provider can be very simple -- there might be, say, one that does nothing but sign four certs -- say one for an association that signs a cert for all registered businesses in the United States, one that does so for an association that signs a cert for all registered businesses in Japan, etc. Such a root cert provider requires a minimal amount of work. Such an association would sign certs for businesses belonging to it -- it's only to such an association's benefit to do so. Each business has no reason not to sign certs for its employees (and ensure that said employees do not spam). If employees *do* start spamming, the business loses a bit of trust, the association loses a bit less, and the root cert provider a bit less.

      Elements of a trust network can *always* charge for service -- even today, I can walk into a GPG key signing party and pay someone to take the trouble to verify my information and sign my key. There are, however, many people who will sign my key without requiring me to pay money -- the noncommercial providers. Such a system absolutely does not require fees per-user or per-email to work.

  12. Eliminate spam: Use GPG by aminorex · · Score: 3, Insightful

    I have *never* received a spam email which was encrypted with my public key.

    If GPG shipped with every email app out of the box, there would be no spam. It's free, it's here now.

    I will not read your unencrypted email.

    --
    -I like my women like I like my tea: green-
  13. Re:Eliminate spam: Use GPG by Anonnymous+Coward · · Score: 2, Insightful

    This scheme works great if all your friends happen to be hopeless nerds. Unfortunately, some of mine aren't :).

  14. Re:Eliminate spam: Use GPG by aminorex · · Score: 1

    It continues to work great even with clewless lusers, if the nerds get their butts in gear and make using GPG transparent and default.

    --
    -I like my women like I like my tea: green-
  15. Easy to solve by poptones · · Score: 1
    I have no friends. I also (almost) never get spam or virii. My cousin started mailing me a lot one time, but I kept telling her to stop sending me all that aol shit until she finally did and I haven't heard from her since.

    Every now and then I get an email telling me I sent someone a virus, but those are always being returned from the "russian women" mailing list I was on a year ago. Since every person I contact gets their own "from address" at my domain, I never see third party spam. Either folks like ebay and paypal and my cc company and amazon and yahoo are true to their word, or they see that from address with their name on it and know I would know immediately who leaked my email address, so they don't. Seems to work pretty well, and I don't have to rely on everyone using encryption (although I wish they did).

  16. Re:Eliminate spam: Use GPG by Xenna · · Score: 1

    It may help for a while until the spammers start harvesting public keys together with addresses. One of the reasons spam is so hard to fight is that many of us want to be able to receive mail from people we don't know. That means we need our e-mail addresses to be public, and in a GPG world we'd need our public keys to be public also. GPG can easily be integrated in spamming software...

    X.

  17. Re:Eliminate spam: Use GPG by Anonymous Coward · · Score: 0

    ...but you can't send one encrypted mail to 20 squillion email addresses, and have them all be able to decode it