The Cover PagesThe OASIS Cover Pages: The Online Resource for Markup Language Technologies
Advanced Search
Site Map
CP RSS Channel
Contact Us
Sponsoring CP
About Our Sponsors

Cover Stories
Articles & Papers
Press Releases

XML Query

XML Applications
General Apps
Government Apps
Academic Apps

Technology and Society
Tech Topics
Related Standards
Created: September 03, 2004.
News: Cover StoriesPrevious News ItemNext News Item

Apache Software Foundation Rejects Microsoft Patent License Agreement for Sender ID.

Update 2005-07-09: Apache was in the news again July 08, 2005, this time having trouble with incorporation of WS-Security into its open source Axis SOAP stack. "Although WS-Security is available for implementation royalty-free, it still must be licensed from Microsoft and IBM. Apache raised concerns about this, mostly pertaining to a non-transfer clause that appears incompatible with open source licenses that allow for uninhibited transfer of technologies." Microsoft was apparently taking the same position with respect to WS-Security as in the Sender ID case: demanding that all implementers, including open source developers, explicitly execute a formal license with Microsoft. This demand is (apparently) incompatible with GPL, with the Apache Software License 2.0, and with many open source software licenses based upon the The Open Source Definition (Version 1.9, Clause 7) 'Distribution of License': "The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties."

Update 2004-09-23: On September 22, 2004 the IETF announced the termination of the MARID Working Group chartered to develop a DNS-based mechanism for storing and distributing information about individual hosts or nodes that are authorized to act as MTAs for messages sent from specified domains or networks. The FTC and NIST will host a summit on email authentication in November 2004.


An open letter from Apache Software Foundation (ASF) to the IETF MTA Authorization Records in DNS (MARID) Working Group announces the decision of ASF projects not to implement or deploy the IETF Sender ID specification under terms required by Microsoft's Patent License Agreement.

The letter from Apache also expresses concern that "no company should be permitted IP rights over core Internet infrastructure" and urges the IETF to "revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered."

The IETF Sender ID specification as governed by the Microsoft Patent License Agreement includes an Internet Draft Sender ID: Authenticating E-Mail and companion I-D Purported Responsible Address in E-Mail Messages. The Sender ID specification defines mechanisms by which SMTP mail servers can determine "what email address is allegedly responsible for most proximately introducing a message into the Internet mail system, and whether that introduction is authorized by the owner of the domain contained in that email address." The PRA document defines an algorithm applicable to a given an e-mail message by which one "can extract the identity of the party that appears to have most proximately caused that message to be delivered."

Microsoft has hoped for broad implementation of the Sender ID specification, said in its promotional web site to "address the widespread problem of domain spoofing. Domain spoofing refers specifically to the use of someone else's domain name when sending a message, and is part of the larger spoofing problem, the practice of forging the sender's address on e-mail messages. Eliminating domain spoofing will help legitimate senders protect their domain names and reputations, and help recipients more effectively identify and filter junk e-mail."

However, legal review of the Microsoft Patent License Agreement by Larry Rosen (General Counsel, the Open Source Initiative) and others has determined that the license terms are "generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0."

The license terms requiring software developers to individually and directly contact Microsoft to obtain, sign, and return a legal agreement illustrate on several levels why the mere promise of "royalty-free and otherwise reasonable, nondiscriminatory terms and conditions" guarantees little or nothing about the openness and implementability of a proposed standard. The Microsoft "Royalty-Free Sender ID Patent License Agreement" runs afoul of open source business models, development practices, and distribution processes on multiple counts.

Incompatibilities of the Microsoft reciprocal patent license with its "nontransferable, non-sublicenseable" language include the following (for example), according to Apache's open letter:

  • Microsoft's license grant is "nontransferable, non-sublicenseable, personal." Open source licenses, on the other hand, "contemplate that anyone who receives the software under license may himself or herself become a contributor or distributor. Software freedom is inherited by downstream sublicensees." The Microsoft terms present a "convenient fiction that there are 'End Users' who receive limited rights... [this] also imposes an impossible administrative burden on the open source development community and, in essence, creates additional downstream patent licenses that will be incompatible with the AFL/OSL and similar open source licenses, and with the open source development process."

  • Microsoft's grant with respect to source code distribution implies a legal requirement that downstream software developers divulge product development plans to Microsoft, since the distribution is required to contain the following notice: "This source code may incorporate intellectual property owned by Microsoft Corporation... If you would like a license from Microsoft (e.g., rebrand, redistribute), you need to contact Microsoft directly." Compliance with this demand, according to Lawrence Rosen's comment, "gives Microsoft information about its competitors' plans that it has no reason to know. No open source license — and all of them allow rebranding and redistribution — can be conditioned on informing Microsoft of anything at all. Other proposed licenses have been rejected by OSI and FSF because they required licensees to notify the licensor of their intentions."

  • The Microsoft definition of a licensed implementation pertains only to portions of products that "implement and are compliant with" all required portions of the PRA Specification. The Apache open letter says: "The scope of the patent license is limited to compliant implementations. This is incompatible with the broad grant of open source licenses to create any derivative work whatsoever. In addition, as Internet software is often non-compliant for many possible different reasons, this would restrict the use of Sender ID unacceptably... measurement of compliance is a problem. If compliance is needed to get a license, then it's a problem. If compliance is not needed to get a license, then the clause should just be dropped. Full compliance might be difficult to achieve for technical or resource reasons..."

Furthermore, the Microsoft' Sender ID Patent License Agreement refers to "patent rights offered by Microsoft" in connection with intellectual property incorporated into the IETF draft specifications ('marid-core-03' and 'marid-pra-00' in combination), but the specific claims to patentable technology are not revealed: the declaration refers to technology in an unpublished pending patent application or applications which cannot be evaluated by the software industry. The Apache open letter says that "dismissal of unspecified, pending, patent claims" (as inconsequential) "recklessly shifts the risk and potential burden onto implementors... Microsoft has not disclosed information about their pending patents that cover areas of -core and -pra; it is generally accepted that the PRA algorithm is covered, but any patents covering -core could cover far more than PRA."

A concluding statement in the Apache open letter addresses the larger concern that has come to play an increasingly visible role in the debate about software patents and "open" vs. "proprietary" (patent-encumbered) technology deliberately incorporated into proposed standards:

Finally, as developers of open source e-mail technologies, we are concerned that no company should be permitted IP rights over core Internet infrastructure. We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered.

The World Wide Web Consortium (W3C) is one of a growing number of standards organizations endeavoring to draft IPR policy which forbids or greatly discourages the introduction of proprietary IP and monopolistic control into open standards. The W3C Patent Policy of 5-February-2004 is designed "to assure that Recommendations produced under this policy can be implemented on a Royalty-Free (RF) basis," stating that "W3C will not approve a Recommendation if it is aware that Essential Claims exist which are not available on Royalty-Free terms." W3C's Patent Policy represents a major landmark, but the current Sender ID patent controversy reveals that "Royalty-Free" will sometimes not be enough to ensure standards openness. Non-monetary license terms demanded by a patent holder may prove just as crippling as license fees.

Chronicles, Press, and Commentary

  • [September 22, 2004] Internet Engineering Steering Group (IESG) Announces Closure of IETF MARID Working Group. From the 2004-09-22 announcement:

    The MTA Authorization Records in DNS (MARID) working group in the Applications Area has concluded. After an assessment of the current state of the MARID working group, its charter, and its milestones, the working group chairs and Area Advisor concluded that the MARID working group should be terminated...

    The group was originally chartered with a very tight time frame, with the expectation that a focused group of engineers would be able to produce in relatively short order a standard in the area of DNS-stored policies related to and accessible by MTAs. The group has had no lack of energy. From the outset, however, the working group participants have had fundamental disagreements on the nature of the record to be provided and the mechanism by which it would be checked. Technical discussion of the merits of these mechanisms has not swayed their proponents, and what data is available on existing deployments has not made one choice obviously superior. Each represents trade-offs, and the working group has not succeeded in establishing which trade-offs are the most appropriate for this purpose. These assessments have been difficult in part because they have been moved out of the realm of pure engineering by the need to evaluate IPR and licensing related to at least one proposal in the light of a variety of licenses associated with the deployed base of MTAs.

    Efforts to reach consensus by compromise and by inclusion have been attempted on multiple occasions. Despite early hopes of success after each such attempt, post-facto recycling of technical issues which these efforts should have closed has shown that the group remains divided on very basic issues...

    Concluding a group without it having achieved its goals is never a pleasant prospect, and it is always tempting to believe that just a small amount of additional time and energy will cause consensus to emerge. After careful consideration, however, the working group chairs and area advisor have concluded that such energy would be better spent on gathering deployment experience..."


  • [September 16, 2004] Microsoft Patent Application[s] Relative to Sender ID. Reducing Unwanted and Unsolicited Electronic Messages by Preventing Connection Hijacking and Domain Spoofing. United States Patent Application #20040181571. Application publication date: September 16, 2004. Application Serial Number: 684020. Series Code: 10. Date filed: October 10, 2003. The "Invention": attributed to Atkinson, Robert George; (Woodinville, WA); Goodman, Joshua T.; (Redmond, WA); Lyon, James M.; (Redmond, WA); Williams, Roy; (Woodinville, WA); Ahmed, Khaja E.; (Bellevue, WA); Katz, Harry Simon; (Bellevue, WA); Rounthwaite, Robert L.; (Fall City, WA).

    According to a posting from Harry Katz, "Microsoft is aware of the existence of US, EP; JP; CN; KR; and IN patent applications that are likely to include claims that would necessarily be infringed when implementing the combination of the specifications entitled 'Purported Responsible Address in E-mail Messages', file name draft-ietf-marid-pra-00.txt, and located at the following link on August 23, 2004, url: and the specification entitled "Sender ID: Authenticating E-mail", file name: draft-ietf-marid-core-03.txt, url:" US Title: "Reducing Unwanted And Unsolicited Electronic Messages By Preventing Connection Hijacking And Domain Spoofing", Serial no. 10/684020. Title for other jurisdictions is "Coordinated Reduction of Unwanted and Unsolicited Electronic Mail Messages". EP Serial no. 04005644.2; JP Serial no. 2004-71769; CN Serial no. 200410028682.3; KR Serial no. 10-2004-16409; IN Serial no. 298/DEL/2004.

    Abstract: The present invention provides for generating inputs that can be provided to a message classification module to facilitate more reliable classification of electronic messages, such as, for example, as unwanted and/or unsolicited. In one embodiment, a sending messaging server provides an appropriate response to address verification data thereby indicating a reduced likelihood of the sending messaging server using a forged network address. In another embodiment, it is determined if a messaging server is authorized to send electronic messages for a domain. In yet another embodiment, electronic message transmission policies adhered to by a domain are identified. In yet a further embodiment, a sending computer system expends computational resources to solve a computational puzzle and includes an answer document in an electronic message. A receiving computer system receives the electronic message and verifies the answer document.

    See also the Microsoft patent application (with identical abstract) which addresses a network connectable receiving domain (rather than a sending computer system), and an act of receiving an electronic mail message (rather than an act of sending Transmission Control Protocol connection initiation data. "Reducing Unwanted and Unsolicited Electronic Messages by Exchanging Electronic Message Transmission Policies and Solving and Verifying Solutions to Computational Puzzles." United States Patent Application #20040181585. Patent application publication date: September 16, 2004. Patent application serial number: 683624. Filed: October 10, 2003. "Invention" attributed to: Atkinson, Robert George; (Woodinville, WA); Goodman, Joshua T.; (Redwood, WA); Lyon, James M.; (Redwood, WA); Williams, Roy; (Woodinville, WA); Ahmed, Khaja E.; (Bellevue, WA); Katz, Harry Simon; (Bellevue, WA); Rounthwaite, Robert L.; (Fall City, WA); Goldberg, Andrew V.; (Redwood City, WA); Dwork, Cynthia; (San Francisco, CA).

    Abstract: "The present invention provides for generating inputs that can be provided to a message classification module to facilitate more reliable classification of electronic messages, such as, for example, as unwanted and/or unsolicited. In one embodiment, a sending messaging server provides an appropriate response to address verification data thereby indicating a reduced likelihood of the sending messaging server using a forged network address. In another embodiment, it is determined if a messaging server is authorized to send electronic messages for a domain. In yet another embodiment, electronic message transmission policies adhered to by a domain are identified. In yet a further embodiment, a sending computer system expends computational resources to solve a computational puzzle and includes an answer document in an electronic message. A receiving computer system receives the electronic message and verifies the answer document."

    Comment and (legal) commentary on the Microsoft patent applications:

    • Analysis of Microsoft Patent Applications Pertaining to Sender ID. By John Levine. Posted to the IETF MARID WG mailing list ''. September 17, 2004. See also published by CirdleID.
    • "Exposed Sender ID Patents Up Debate." By Jim Wagner. From (September 20, 2004). Yakov Shafranovich doubts that the "invention," if any is embodied in the Microsoft patent, is the invention of Microsoft: "... A former co-chair of the ASRG [Anti-Spam Research Group], Yakov Shafranovich, questioned whether the patents actually reflected Microsoft inventions. In an e-mail to Shafranovich claimed that Microsoft had been tracking the progress of e-mail authentication schemes as far back as March 2003 on the Internet Research Task Force (IRTF) e-mail discussion lists, five months before filing for the two patents on Oct. 10, 2003. 'It was very clear to me as a former co-chair of ASRG that Microsoft simply took a developing standard in the IRTF, added a patent to it, and brought it back to the IETF,' he said in the e-mail. He contended that Microsoft's patents are based on ideas brought forward by the IRTF and that their applications could be invalidated on the grounds that prior art on the invention existed before the patent application..." [also from WinPlanet]
    • "Microsoft Patent Could Hamper E-Mail Authentication Group." By Matt Hicks. In eWEEK (September 17, 2004).

  • [September 15, 2004] AOL Moves Forward With SPF. According to AOL spokesperson Nicholas Graham, as communicated by, "AOL has decided to move forward with SPF." From the article "AOL Dumps Sender ID," by Jim Wagner:

    "AOL has withdrawn its support for Microsoft's controversial Sender ID technology and is falling back on Sender Policy Framework (SPF), has learned. Given recent concerns expressed by the Internet Engineering Task Force (IETF), coupled with the tepid support for Sender ID in the open source community, AOL has decided to move forward with SPF [Sender Policy Framework],' Nicholas Graham, AOL spokesperson, told via e-mail. Microsoft was not available for comment at press time. Despite the bombshell decision, the world's top ISP isn't completely severing its ties to Sender ID: The company still will publish Sender ID files so its users' e-mails are compliant with Sender ID-enabled servers and applications. But it's enough of a vote of no confidence in Microsoft's e-mail authentication strategy to warrant concern for Sender ID proponents. The Redmond giant has been steadfast in its refusal to disclose specifics on patents surrounding the Sender ID technology, saying only that the claims involve Sender ID and the Purported Responsible Address (PRA) algorithm used in conjunction with it. Microsoft also is requiring Sender ID implementers to sign a license agreement to protect those unspecified patents, the terms of which have the open source community up in arms. It's the second setback for Microsoft in a week: Over the weekend, the MTA Authentication for DNS (MARID) working group missed its deadline for moving the Sender ID specification onto the next step in the IETF standards process, the Internet Engineering Steering Group, and is currently working on re-drafting certain aspects of the technology to assuage critics..."


  • [September 11, 2004] IETF MARID WG Co-Chair Judgment of Consensus on Sender ID Last Call. On September 11, 2004 Andrew Newton posted an opinion of the co-chairs "relating to consensus within the MARID working group during the last call period of 23-August-2004 through 10-September-2004." With respect to Microsoft's patent claims and license agreement, the co-chairs ruled

    On the issue of ignoring patent claims, the working group has at least rough consensus that the patent claims should not be ignored. Additionally, there is at least rough consensus that the participants of the working group cannot accurately describe the specific claims of the patent application. This stems from the fact that the patent application is not publicly available. Given this, it is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application. We do feel that future changes regarding the patent claim or its associated license could significantly change the consensus of the working group, and at such a time it would be appropriate to consider new work of this type.

    Newton also wrote: "... it is also the opinion of the co-chairs that any attempt by the MARID working group to define any new scopes other than 'mailfrom' and 'pra' for the SPF syntax will at this time result in failure to find consensus within the working group. The document authors have agreed to producing new drafts intended to meet the chartered work item, and a consensus call on them or the appropriate diffs will be forthcoming. This work plan does not include scopes outside of 'mail from' and 'pra', and it is our opinion that no new work items of this type should be considered until MARID has successfully produced a first specification..." This reasoning and its language proved so clever, subtle, and convoluted that not all WG members understood what the ruling about the work plan meant, and not all press journalists were led to entirely correct conclusions about the co-chairs' ruling on what would happen next:

  • [September 06, 2004] Debian Project Rejects Microsoft's Sender ID License Agreement Terms. On September 4, 2004 the Debian Project According to the mesage from Martin Michlmayr (Debian Project Leader): "This message summarises the position of the Debian project, producer of the universal operating system: Debian GNU/Linux. The Debian project abides by a social contract to our users that specifies all software included in the operating system will be Free Software, meaning that it can be freely redistributed, modified, used, etc. as defined under the Debian Free Software Guidelines (DFSG)... We believe the current license and resulting encumbrances are incompatible with the DFSG, unlike other Internet standards that Debian is able to support. Therefore, we cannot implement or deploy Sender ID under the current license terms. Indeed, we would be forced to remove SenderID support from software we ship that does support Sender ID upstream according to the terms of our social contract... We are also concerned that no company should be permitted intellectual property rights (IPR) over core Internet infrastructure. We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered..." See the posting to the ietf-mxcomp list and the copy on the Debian Project web site.

  • [September 04, 2004] Earthlink Will Not Deploy Sender-ID. A message from Tripp Cox (based upon advice from Earthlink counsel) declared that the Sender-ID would not be deployed at EarthLink. Under the subject "Insufficient Microsoft IPR disclosure," the Earthlink statement cites "Timing of the disclosure" and "Substance of Grant and Lack of Disclosure" as two of the areas of concern for EarthLink. (1) Timing: "The IPR for the IETF requires timely disclosure of all relevant licensing terms. As stated in Section 6.2 of Intellectual Property Rights in IETF Technology: 'Timely IPR disclosure is important because working group need to have as much information as they can while they are evaluating alternative solutions'." (2) Disclosure of terms: "Microsoft's proposed license does not meet the requirements of the IPR. While Microsoft states that it is willing to license all of its potential IPR to implement the standard on a royalty-free basis, Microsoft must also disclose any other terms and conditions in connection with this license. The disclosure by Microsoft fails to indicate these terms and conditions. As a result, we are not able to determine whether the license granted by Microsoft will fully enable the full use of Sender ID within a proposed standard and if there are any other impacts to integrally related areas that may not explicitly be included in the standard but may be necessary to fully exploit the standard..." See details in the posting.

Technical Experts, Lawyers, Business Models, and Social Concerns

The controversy on the IETF MARID Working Group list about Microsoft's IPR licensing terms provides witness to a critical process question showing up with increasing frequency in standards development — especially in working groups where patent owners seek to have discussion about IPR issues declared off limits for the working group technical list: [to what extent] will the working group members be allowed to discuss IPR issues in connection with technical work?

  • Position One

    • Engineering design within standards bodies is about science and technology, representing an expert domain and set of concerns entirely independent from legal, economic, and social domains
    • Design choices (viz., selecting technology solutions from among a set of competing alternatives) should be made independent of the legal, economic, and social implications, and especially, independent of concerns about licensing, so long as declared IP is offered on the minimal [RAND ++/--] terms as required by the sponsoring SSO/SDO
    • If you are an engineer serving on a working group or technical committee and you have questions about intellectual property and licensing claims made in connection with technology being incorporated into the draft standard, ask your company lawyers to contact the legal team of the company/companies making IPR declarations claims and setting licensing terms
    • If the license terms announced for IPR being incorporated into the draft standard are incompatible with the business model in your company, have your business managers discuss the issues with the business managers of the company/companies making IPR declarations claims and setting licensing terms
    • If you have concerns about the IPR being incorporated into the draft standard because of a perceived negative impact upon key segments of society, ask relevant consumer advocacy groups, legal clinics, and civil rights groups to study the issues and address them on behalf of the parties affected
    • If you have questions or objections to patent claims and licensing terms, do not introduce these into technical discussions of the working group; the various company representatives are engineers, not legal experts or product managers. Realize that the discussion list moderator is empowered by the SSO/SDO operational guidelines to remove you from the working group if you do not comply with this instruction [IEEE].
    • If you believe the IPR policy of the SSO/SDO hosting the standards work does not adequately support the concerns you have about patent disclosures in a particular case, appeal to the SSO/SDO IPR Committee, but do not detail your concerns in view of the working group

  • Position Two

    • Engineering design in connection with public standards does not represent a set of concerns entirely independent from legal, economic, and social concerns; this convenient fiction serves the financial interests of companies having large patent portfolios and those seeking to dominate markets by incorporating their patented technology into standards
    • Informed selection of technology solutions from among a set of competing technical alternatives must allow all participant stakeholders to take into consideration a range of concerns beyond mere technical excellence: business models and social consequences of technology selection are two key factors that often merit open discussion
    • Members of a working group must be provided sufficient information about proprietary technology and licensing terms to help determine whether they wish to incorporate patented technology or whether they wish to consider alternative technical designs that are not thusly IPR-encumbered; sensitive weighing of the technical alternatives cannot be done optimally outside the technical committee process where qualified experts can discuss the feasibility of end-run solutions around patent roadblocks
    • Most companies cannot assess the risks and benefits of allocating technical (human) and financial resources to a standards effort without knowing what parts of the technology are proprietary and how the resulting standard will be licensed in terms of declared IP; general statements like "on reasonable, non-discriminatory and other [unspecified] terms governing unpublished pending patents" are inadequate
    • It is unrealistic and unreasonable to demand that considerations about business models and social impact of IPR-encumbered standards be ignored by members of a working group — on the assumption that other ad hoc private venues and SSO/SDO IPR (Meta-level) Committees are constituted and empowered to address these concerns independent of particular patents and particular design efforts

See the MARID WG archives on this point, e.g., "not salient for this list" (Ted Hardie, IETF Applications Area Advisor); "without regard to the IPR issue" (Andrew Newton and Marshall T. Rose, IETF MARID WG co-chairs); "this is not a technical issue" (Phillip Hallam-Baker).

About the Apache Software Foundation

"The Apache Software Foundation provides organizational, legal, and financial support for a broad range of open source software projects. The Foundation provides an established framework for intellectual property and financial contributions that simultaneously limits contributors potential legal exposure. Through a collaborative and meritocratic development process, Apache projects deliver enterprise-grade, freely available software products that attract large communities of users. The pragmatic Apache License makes it easy for all users, commercial and individual, to deploy Apache products.

Formerly known as the Apache Group, the Foundation has been incorporated as a membership-based, not-for-profit corporation in order to ensure that the Apache projects continue to exist beyond the participation of individual volunteers. Individuals who have demonstrated a commitment to collaborative open-source software development, through sustained participation and contributions within the Foundation's projects, are eligible for membership in the ASF. An individual is awarded membership after nomination and approval by a majority of the existing ASF members. Thus, the ASF is governed by the community it most directly serves — the people collaborating within its projects..."

Apache projects include, for example:

Principal References

Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Sponsored By

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation


XML Daily Newslink
Receive daily news updates from Managing Editor, Robin Cover.

 Newsletter Subscription
 Newsletter Archives
Bottom Globe Image

Document URI:  —  Legal stuff
Robin Cover, Editor: