RMS Weighs In On SPF/Sender-ID License

NW writes "In a recent message to the MARID list RMS weighs in on the licensing issues of Sender-ID/SPF and Microsoft: 'Microsoft's Sender-ID license is directly incompatible with free software regardless of which free software license is used. Free software means users are free to run it, study and modify the source, and to redistribute it with or without changes. Free to do so means there is no requirement to ask or tell anyone that you are doing so.'" "MARID" stands for MTA Authorization Records in DNS; here's the IETF MARID working group's charter. (Read more below.)

Stallman's message continues: "The Microsoft license for Sender-ID directly forbids release of software with all these freedoms, so it is impossible for any program to be free software under Microsoft's regime. I've been expecting to see something like this ever since Gates started talking about spam. This license is an example of Microsoft's strategy for killing off free software as an alternative to Windows. Microsoft first patents something, then incorporates it into a format or protocol, then tries to make it de rigueur while excluding those it wishes to exclude. In the absence of resistance, Microsoft has a good chance of imposing whatever standards it likes. Let us, therefore, resist it here and now."

It's pretty simple

[Featureless]

If we let Microsoft, through some machinations during our anti-spam re-engineering or in any other manner, take any measure of control over what has, until now, been an 100% open-standard email infrastructure, email will be fragmented and ultimately ruined, far worse than any cadre of spammers could ruin it.

It is trivial to do what "caller ID" does in an open fashion. And it is absolutely crucial that we do exactly that. No "complicated" licenses, no fancy agreements, no lawyers. Just pick a standard, and follow it.

Letting Microsoft have any involvement in the email infrastructure - other than using it - will be a disaster. And it wll be all the more terrible because of how easily it can be prevented.

Re:It's pretty simple

[thogard]

The problem is no one has done it yet.
Every poject seems to get hijacked into committees that never get the real work done.

Take SPF for example. It was mostly pushed by one guy into some code and that is starting to move on, but why do I need to do that much extra work when the existnig DNSBL stuff works and could be used in nearly every MTA as is without doing any extra code?

I worked on the X.400 Gossip committee back in '92 or so. The result was the system was too big to be useable and the complexity was so bad that no one ever got it right. The fundamental with email is that I want any person in the world to be able to send me a message but I don't want spam. The problem is there is no tehcnial way to tell them apart.

I do agree with RMS that going down the MS path is a dead end that will only result in MS getting more money and gives them the ability to kill off all open source systems with their patents and I know they will use them. The one thing we have learned about patents is that it doesn't matter at all if someone gives us rights to use it, they can change their mind and then we have to pay.

Re:It's pretty simple

[gaijin99]

How does this stop anyone from writing SenderID checking software that is GPL'd or GPL friendly?

It stops it because MS has patents on some of the critical aspects of the "standard", and their license for using the "standard" can be modified to preclude someone from implementing a GPL'd implementation. It doesn't now, but they explicitly reserve all rights, and state that they can modify the license at any moment, so what keeps them from screwing us with this?

Look at what SCO is doing now, claiming to own ELF, using that as an attempt to demand money from Linux users. If we let MS's non-open "standard" become a real standard they'll wait a few years until everyone depends on it, then use it as a weapon to try and crush competition. I'm not being paranoid here, I'm simply extrapolating from MS's history; they do that sort of thing on a regular basis.

Re:It's pretty simple

[Zeinfeld]

Exactly my thought. So why is this an issue? Can we not write on own code for sendmail and other open email servers? Why does this sound like RMS is FUDing us just a bit? Sure MS' software will be non-GPL be we expect that. How does this stop anyone from writing SenderID checking software that is GPL'd or GPL friendly?

I am a member of the MARID WG. I have been working on this for two years. RMS has made no attempt to talk to anyone in the group to find out the real situation. All he did was to wade in and make a statement to promote his own agenda.

I'll not pretend that I am not pissed off with RMS, he is to the anti-spam world what Ralph Nader is to the anti-Bush world.

The real situation is that the licensing issue was considered when the original submissions were made. Then when Caller-ID and SPF were merged for sound technical reasons the licensing issue has to be revisited. We asked Harry and Jim to take up the licensing issue with their lawyers about a week ago. They are meant to come back with a reply before we have the MARID meeting at the San Diego IETF the week after next.

Obviously the group is not going to accept an encumbered specification. The brutal fact is however that if you do not patent the ideas behind a protocol someone else will. Remember the $500 million Eolas judgement? So now we have to go through the licensing issue every single time we write a standard.

The fact is that I have never been in a situation where we have failled to get a satisfactory license grant with respect to any technology that was held by a vendor who actually makes products. I have negotiated with Microsoft on this issue many times and have always ended up with a license acceptable to all parties including OSS.

Now less than 24 hours after Microsoft go off to talk with their lawyers people start campaigning to take the Microsoft technology out using the licensing issue as an excuse. This came mainly from a group of tourists who had had nothing to do with the group previously. It is very obviously a campaign by people whose priority is not getting the best MARID spec we can.

This type of scheming is both unprofessional and damaging. Microsoft are on notice that they have to deliver a satisfactory license in the next 9 days. It has been made clear that this will have to have a sublicense clause and allow both commercial and GPL implementations.

The purpose of MARID is to address the spam problem. People who have other agendas, particularly using it as a forum to attack Microsoft are so not wellcome. The IETF is already in a very weak state, over the past ten years its influence has declined from being the most influential Internet standards body to being a distant third. One of the reasons commercial vendors have learned to avoid the IETF is that more effort is spent on ideological food fights than engineering issues. The point of MARID was to try to prove that the IETF can produce specifications in a timely manner relevant to real world issues - i.e. less than five to ten years. That point is lost if we have people trying to prevent commercial vendors having any influence in the process. At the end of the day the only reason any standards group has influence is that it can influence vendors and major OSS projects that have influence.

The complaints are not about the license issue, that is being addressed. This is the machinations of a faction who want to use MARID for conducting a vendetta against Microsoft and don't care what the effect on MARID is.

Re:It's pretty simple

[wayne]

PHB?

RMS has made no attempt to talk to anyone in the group to find out the real situation.

I'm not sure how you know this. Apparently he was communicating with Michel Bouissou.

We asked Harry and Jim to take up the licensing issue with their lawyers about a week ago. They are meant to come back with a reply before we have the MARID meeting at the San Diego IETF the week after next.

For those who aren't in on who's-who on the IETF MARID working group, Harry and Jim are two of the folks from Microsoft who are working on the SenderID proposal.

However, I know that I have been asking for resolution for this licensing issue on the working group for much more than a week. This is not a new issue.

Now less than 24 hours after Microsoft go off to talk with their lawyers people start campaigning to take the Microsoft technology out using the licensing issue as an excuse. This came mainly from a group of tourists who had had nothing to do with the group previously. It is very obviously a campaign by people whose priority is not getting the best MARID spec we can.

This is almost completely not true. Microsoft lawyers have been in discussions over the license issue since early June (6 weeks ago). While there were indeed some luckers who posted first about the license issue, many of the active participants in the working group started the license discussion. People who object to the current SenderID license for MS do want the best proposal possible. If no one objected to the license, we would have a bad proposal.

Re:Define 'free'

[AKnightCowboy]

Strange, I thought free meant you didn't have to pay for it. 'Free' does not necessarily mean open source.

Not exactly. To the Free Software Foundation, "Free" has *always* been about being "open source" as you would put it. "Open source" was a relatively recent term adopted by people because people kept confusing zero cost with freedom to modify the source code and do what you want with it. RMS has been using the term "free" to describe that for decades.

OK lets look at the license

[blowdart]

Here is the microsoft license. It applies to the original Microsoft Sender ID spec. This is not the new spec, where they merged with SPF.

So, the license RMS is ranting about doesn't apply, and there doesn't appear to be another license on the Microsoft site. Having said that the Microsoft license does not stop the distribution of source, in fact there's a specific clause allowing it (2.2), you just have to include a paragraph in the source code. Nor does RMS say what his problem is, aside from "Grrr, it's Microsoft".

Of course the SPF implementation is still "non-licensed", there's no mention of restrictions, although they do point out there are patents all over the anti-spam arena.

But hey, we don't expect people to look at this stuff, lets just add yet another protocol.

Re:What's the big deal?

[Smallpond]

From the copyright for RFC2821: (SMTP):

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.

From the copyright for Sender ID:

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights

Note that "the authors" is:
J. Lyon
Microsoft Corp
M. Wong
pobox.com

I used to be an SPF fan, largely because it was the source of many hilariously mistaken /. posts, but now I think I need some clarification.

Probably shouldn't worry yet...

[Ianoo]

So, we have Microsoft in the distinctly red corner with their proprietary standard.

Let's face it, as vocal as the OSS community is these days, there's not a lot that can be done to stop Microsoft from doing whatever the hell they like, so long as it's legal(!). Sure, sendmail is OSS software, but I got the impression that SPF is pretty much independent of the MTA software anyway.

But, in the blue corner, we have plenty of heavyweight companies who are big on Linux and big on e-mail who have teams of lawyers that have undoutedbly been over this license already, and found the problems.

We have IBM, the people who make Lotus Notes, which is still pretty widely used, IIRC. We have Novell, who now own SuSE/Ximian and are betting the shop on Linux, who produce NetWare. We also have Sun, who are getting vocal on OSS, which produces Solaris, which seems to power a large proportion of MTAs around the globe.

The best defense, surely, is to make sure these companies understand the issues with SPF, and don't implement it in their own products. After all, Microsoft won't get that far without support from other companies, since much as they'd like to, they don't currently control the world's Internet server market....

MS license perspective from a SPF developer

[wayne]

I've been very active in the SPF project for a long time and have been very active in the IETF MARID working group that is standardizing the merged SPF and Caller-ID spect. In particular, I have been a very vocal critic of the MS license have have tried to work both within the IETF working group and outside to make the license compatible with all major mail servers (MTAs) and other packages, such as spam filters.

I have personally met several of the Microsoft employees who are doing the work on Sender-ID. I have ever reason to beleive that they are working in good faith to try and make sure this technology can be deployed by everyone, including GPLed software. The problem is that Microsoft is a huge company and things like the licensing issue are handled by Microsoft lawyers, not the people directly involved in SenderID.

I know that the SenderID MS folks are working with MS lawyers, and the MS lawyers are working with lawyers from the FSF, Open Source Initiative (OSI), and IBM (for postfix). The IETF working group co-chair has given MS until early August to get this problem resolved.

Personally, I'm going to give Microsoft lawyers a little more time before I try to outright kill the SenderID RFC.

Re:standards and stuff

[Pharmboy]

After a quick view of the license, here are the obvious problems I found with it, and why it is not compatible with Free software:

1. You can only use the code for software that is related to Caller ID (section 2.1)

2. Annoying advertising clause that says if you want to rebrand the code you must get permission from Microsoft. In other words, you can't fork the code under a different name. (section 2.2)

3. Overall reading seems to indicate that you must accept the license in order to USE the software, even though you did not sign anything. This is directly in opposition to the GPL.

4. The focus of the document is how you have the "right" to use their "patented" code. If this doesn't throw up red flags, nothing does. This means they can withdraw the license at any time, since it is more of a contract to use patented software than it is a license to distribute.

5. The clause in section 2.4 "Defensive Suspension" gives Microsoft broad discression to "terminate all license grants" if _they_ are sued in any way regarding the technology. This means, "sue us over the restrictions and we can instantly take away your right to use it, and thus your right to transfer email". It guarantees a bullet proof monopoly on the Patented technology.

And yes, there are plenty of other things that are at odds with the GPL, those are just the EASY to find items. See it yourself at the PDF link you provided.

One question for all of you...

[gillbates]

Why shouldn't free software be the first to implement secure email? Imagine how much easier Linux advocacy would be if we could say: "SPAM? - I thought that was a Windows problem?..."

Imagine this conversation:

Tech: What's the problem?

User: I get all this SPAM, and I can't read my real email.

Tech: Let me guess, you're still using Windows, right?

User: How'd you know?

Tech: Because you're still getting SPAM. If you upgrade to Linux, which uses the SPAM-blocking mail protocol, your SPAM problem will go away... I'll send you a CD in the mail.

What really irks me is that rather than invent new solutions to existing problems, the free software community waits for a commercial vendor to implement a solution, and then copies it. What we should really be doing at this point is implementing a SPAM-free mail protocol in free software, which, once it became the standard, would force commercial companies into compliance, rather than trying to play a game of dodge-the-patent-lawsuit by copying someone else's improperly done anti-SPAM protocol.

Let's face the facts here, folks: if we wait for Microsoft to implement an anti-SPAM protocol, they'll do it wrong, and the free software world will be stuck trying to ensure compatibility with an interface that is fundamentally broken in the first place.

The problem IS the paragraph

[NigelJohnstone]

'Microsoft license does not stop the distribution of source, in fact there's a specific clause allowing it (2.2), you just have to include a paragraph in the source code. Nor does RMS say what his problem is, aside from "Grrr, it's Microsoft". '

The problem *IS* that paragraph, it makes the license extendable, since anyone who wants to use/give away/do anything with, it in future would have to get permission from MS.

"Our provision of this source code does not include any licenses or any other rights to you under any Microsoft intellectual property. If you would like a license from Microsoft you need to contact Microsoft directly"

There is no limit set on that permission, so MS can change the license terms using that paragraph at any time for any future product.

"So, the license RMS is ranting about doesn't apply"
Yes it does (Published 23rd June 2004):

http://www.microsoft.com/mscorp/twc/privacy/spam _s enderid.mspx

"If you are a software developer and are interested in implementing this specification in software, please review the terms of the Caller ID for E-Mail Implementation License before you begin, as the patent license discusses the rights that Microsoft would grant you or your organization."

The IETF's position on the MS license issue

There was a big discussion on the IETF MARID mailing list about the problems with the license. Finally, the IETF posted this: IETF 's says we shouldn't worry about the license

From: Ted Hardie
Subject: Regarding the recent licensing thread
To: ietf-mxcomp@imc.org
Date: Mon, 19 Jul 2004 11:27:41 -0700

Some points on the recent licensing postings:

1) This discussion has been unprofessional in the extreme. Contributors to this working group have been accused of failing in a duty they did perform, and that is rude and unproductive. The Microsoft IPR filing related to callerid was posted with their first ID, which is exactly what is required. Those who have been waiting for such a statement either don't understand the process or have not been paying attention, and their acting offended about things now carries no weight. A refresh with the new name and some details on coverage is warranted for clarity before the documents go to the RFC editor, but that is a paper trail issue, not substantive.

2) The IETF is an engineering body, and it makes engineering decisions. It cares about licensing only as it affects the ability to implement and deploy a standard. Religious opinions on the sanctity of specific license texts belong elsewhere. The sudden appearance of this as a separate topic without reference to the engineering choices misses the point of how the IETF makes these calls: in the context of the engineering decisions. Comments based solely on the licensing terms without regard to the engineering choices they affect *do not speak to the question working groups need to decide*. The sudden appearance of new working group participants after postings inviting them to comment is welcome *if they contribute to the engineering discussion*. But if you are here to comment on licensing outside of the engineering context, you are wasting your electrons.

3) The IETF has published standards with defensive patents many times, and the use of a reciprocal/royalty free license is a common way for contributors to protect themselves from later claims while still encouraging the creation of an interoperable, open standard. Trying to persuade the working group that something is outside the norm when the IETF IPR page is full of contrary examples insults the intelligence of the group, as well as insulting the contributors who are providing a royalty free license.

4) Armchair lawyers often assume things about patents and licensing which aren't true. Get a real lawyer to read things you're concerned about and have them talk to the contributor's lawyers about things that concern you. The creation of a licensed "libipr" called by other applications may be all it takes to have licenses with severe restrictions co-exist with royalty free/reciprocal licenses; this isn't something you can assume one way or the other. You really have to have professionals check. And when you find things that concern you, be aware that this license isn't responsible for ways you may already have bound yourself; if you signed an agreement with HP Lovecraft that said "I will only acknowledge Chthulhu in my code", don't blame Microsoft for requiring an IPR notice. Take it up with the Elder Gods.

5) Generic rants about patents belong on your national I-hate-the-patent-office list. Rants about the IETF's standing decision *against* requiring a specific license or class of licenses belong on the IPR list, but are very likely to be redundant to arguments already made. Read the archives.

New drafts are now out, waiting for careful review. I urge the working group to review them carefully and to focus on how they can be interpreted, coded, and deployed. We have a lot of work to do.

Ted Hardie

Re:What's the big deal?

The primary authors of SPF saw the deal with Microsoft as an opportunity to get Microsoft to incorporate SPF into their SMTP servers and mail clients. They were trying to get SPF as widely used as possible, to reap the maximum benefits. This is good. Plain old SPF is extremely lightweight, extermely effective, and can put a bullet through almost all the domain forged spam on the planet.

Microsoft wants to incorporate CallerID, which is theirs, proprietary, and allows owners of CallerID tickets to be allowed to get past SPF. Its a typical use of their monopoly power to warp a standard, but the SPF authors accepted it to get wide usage. It's too bad: CallerID is Microsoft patented XML code in the email header, which means adding a patented XML parser to SMTP servers and email clients, and which means you can't do filtering with it at connect time the way you can with SPF. It means you have to *take the whole email message* before you can filter it, which is a stupid burden for a mail server being spammed to pieces by email viruses.

Now, anyone sane writing software that does this will leave in a switch to say "Use SPF only, and ignore Caller-ID", and leave Microsoft to stew in its own silliness. Expect the open-source toolsets to do this, and Microsoft to mandate the Caller-ID check, which will help accelerate people away from Microsoft mail servers.

Also, fortunately, the MARID proposals threw out most of the Caller-ID features in the proposal because of the underlying stupidity of using XML in your mail servers. There are things XML is good for, but Microsoft is betting the farm on XML in many of their products such as Microsoft Word, because they own patents on it and can keep out open source readers that way, and because it solves a lot of problems for dealing with their bloated document formats.

The SPF authors made a nasty deal with Microsoft to get their stuff into use and try to turn the tide on spam. And frankly, I think they were right. The time saved dealing with email viruses and spam can be spent doing real work, like getting rid of more fundamentally Microsoft software in the workplace.

Re:standards and stuff

[Pharmboy]

So it's more BSD-like then, big deal.

Actually, it is a big deal. The old BSD license that had the advertising nag is NOT GPL compatible, per the FSF.

They're both licences that apply to the use of software.

You need to READ the GPL. It flatly says you need NO license to use it, only to distribute it. This is a major difference in Free and non Free licenses.

Newsflash: licences are contracts.

Not according to the law. A license is a grant to someone to use copywrited material. There is more than enough case law on the differences that I won't go into detail here, google it.

Isn't that more of a self-defence clause in case people find bugs and want to sue Microsoft about it?

Yes. And it is so vague and broad in scope that the potential for abuse is a serious concern.

Big deal. Why does everything have to be GPL compatible? What would be wrong with, say, a BSD-style license for this particular application?

That would be fine. A modern BSD license *is* GPL compatible. (without the ad nag). This license is not "Free". Its not the worse license in the world, but its still not Free. When it comes to software that sets standards for the entire internet, it is much better for it to be Free, so that one company does not abuse it. Technically, this license would allow MS to change its mind once the technology is developed, and start charging people to use the technology. THAT is why the license must be free, to protect everyone who uses the internet, including your right to sell the software for any price you want.

I don't care about the license for MS Office, I can choose to use Open Office, but if MS patents this, then gets greedy, I can't run mail servers without paying a royalty (at least the servers wont be able to connect to other servers that require this 'patented' protocol). This is not acceptable to me, even if it is not likely to happen.

Burying his head in the sand

[NigelJohnstone]

"1) This discussion has been unprofessional in the extreme. "

Get a thicker skin.

"2) The IETF is an engineering body, and it makes engineering decisions. It cares about licensing only as it affects the ability to implement and deploy a standard. "

The wording requires you get a license from Microsoft and that any future products require a license too. So clearly this problem comes under the "ability to implement" part of the sentence.

3) There is no such thing as a 'defensive' patent. Ted cannot see into the mind of Microsoft and determine their intent is to only use it for defence. Therefore he cannot make this statement with any substance behind it.

4) Non substantial argument. The license is very clear, show me a lawyer that says otherwise.

5) Agreed.

"New drafts are now out, waiting for careful review. I urge the working group to review them carefully and to focus on how they can be interpreted, coded, and deployed. We have a lot of work to do. "

Oh boy, we have a spec that has issues XYZ,
he's telling them to look at X and only X. i.e. to ignore Y & Z and make a decision based on only part of the information.

Re:What's the big deal?

[voixderaison]

Your analysis seems to make sense if the patented components of Caller ID strictly concern the XML stuff which is not included in the Sender ID draft specification. In an effort to learn more about this, I looked over the Microsoft site for a pointer to the relevant patents or patents pending, and didn't find one. So then I googled around looking for this, and found mostly references to, and quotes from, the same Microsoft Caller ID license page.

Caller ID licensing for software developers
"If you are a software developer and are interested in implementing this specification in software, please review the terms of the Caller ID for E-Mail Implementation License before you begin, as the patent license discusses the rights that Microsoft would grant you or your organization."

Then I tripped over this article, which is a bit clumsy, and a dated reference to Caller ID (rather than a current discussion of Sender ID), but which contains an interesting and relevant idea.

Eben Moglen on Microsoft's Caller ID Patent License
"Note, however, that a developer could specifically *disclaim* the Microsoft patent license, which--since it does not actually identify any patent claims being licensed--could be said to be a nullity in any event. Such a developer could legitimately distribute under GPL, which would arguably be the wiser course."

That makes some sense, although I suspect that Microsoft has a large enough patent archive and accompanying staff of attorneys that they could bog down or possibly shut down almost any Sender ID project they choose by taking them to court, citing relevant patents at that time.

Then I tripped over another reference that indicates that there may be other IP issues which could affect Sender ID.

Bill Gates Is A Thief
"We believe that, totally bereft of their own ideas and lacking any in-depth understanding of the issues, Mr. Gates and company were absolutely desperate to appear relevant in the struggle against SPAM, if nothing else to deflect culpability and bad press for the unrelated, clumsy, and manifestly irresponsible security issues and quality failings in virtually every Microsoft product to date. In an odd twist of the same logic that two weeks ago had them beating up a 17-year-old over his website MikeRoweSoft.com (because it merely sounded like Gate's company site), they presumed FailSafe Designs would be too small and too timid to stop them from taking yet something else they wanted that wasn't theirs (as has been Microsoft's habit since inception). Had they merely asked, we would have considered selling or licensing our products, trademarks, patent rights, and other intellectual and real property, but Mr. Gates never stoops to common decency whenever any opportunity to bludgeon someone avails itself."

I suppose these other IP claims against Microsoft regarding their Caller ID specification might invalidate the presumed Microsoft patents relevant to Sender ID as "prior art". However, they might also directly encumber Sender ID if it includes components contributed by Microsoft but patented by another party.

In any case, it seems that this standard is important enough that it should be clearly unencumbered. This will require clear statements from Microsoft about which patents, if any, apply to Sender ID, and to which portions of Sender ID they apply. This disclosure seems to be required by the IETF. However, if Sender ID is to be adopted universally in the SMTP universe, a license that allows free software to use the patented methods without restriction is also clearly required -- and this situation at present seems anything but clear.