ANSI - American National Standards Institute

FTC and NIST to Host Email Authentication Summit

Several proposed anti-spam standards will be considered

New York, Nov 04, 2004

The Federal Trade Commission (FTC) and the Department of Commerce’s National Institute of Standards and Technology (NIST) will host an Email Authentication Summit on November 9-10, 2004, at the FTC Conference Center in Washington, DC, to explore the development and deployment of technology that could reduce spam. The summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems.

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act), which went into effect on January 1, 2004, called for the FTC to deliver a plan and timetable for establishing a nationwide marketing Do-Not-E-Mail registry. Further study by the Commission, however, found that the registry was not the ideal solution to the spam problem. A June 15, 2004, FTC Report to Congress regarding the proposed National Do Not Email Registry claimed that “significant security, enforcement, practical, and technical challenges rendered a registry an ineffective solution to the spam problem.” The report, however, identified domain-level authentication as a promising technological development that would enable Internet Service Providers (ISPs) and other domain holders to better filter spam, and provide law enforcement with a potent tool for locating and identifying spammers.

Standards work (which has occurred primarily outside of traditional standards developing bodies) in the area of authentication has faced a dearth of consensus. A working group called MARID (MTA Authorization Records in DNS) was chartered by the Internet Engineering Task Force (IETF) to create a standard for mail authentication for the fight against spam, mail worms and other e-mail abuse. The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Citing a lack of agreement on basic issues in the discussions of the working group, the IETF dissolved the group in September 2004.

Another issue arose from the MARID group, however, when Microsoft Corporation claimed intellectual property rights over some technologies in the standard under consideration, now known as Sender-ID. Sender-ID allows ISPs to verify that an email message actually comes from the Internet domain the address claims to represent. Microsoft has since revised the Sender-ID standard protocol, which works in concert with other proposed standards, including the Sender Policy Framework (SPF), authored by entrepreneur Meng Weng Wong. Many in the industry are opposed to the Sender-ID standard, however, due to the patents Microsoft holds on the underlying technology, although the software giant has claimed it will not charge for the use of the technology. Sender-ID has been submitted to the IETF for approval, and is among the proposals being considered at the November FTC summit.

In anticipation of the summit, the FTC solicited public comment on the effectiveness of the proposed authentication standards, on the challenges that ISPs might face if they do not participate in an authentication regime, and on the ease and speed of adopting an Internet-wide authentication system.

The event is open to the public, and there is no pre-registration and no attendance fee. For more information, please visit http://www.ftc.gov/bcp/workshops/e-authentication/index.htm.
