Microsoft Corp. is continuing to beat the drum on security in its long run-up to the release of Windows Vista early next year. On Tuesday, the company's top security executive said in a keynote speech at the RSA Conference Europe in Nice, France, that Microsoft is now making its Sender ID Framework for email authentication freely available and will also develop a program for sharing malware samples with its security partners.
Sender ID, which Microsoft developed in conjunction with several security vendors, is now available under the company's Open Specification Promise (OSP) program . The OSP is essentially a promise from Microsoft not to sue anyone who uses Sender ID to build their own products. The framework is designed to verify that an email message originated from the mail server that it claims to have been sent from to reduce spam.
Microsoft accomplishes this by looking up the address of the sending server and checking the address against a list of authorized mail servers that the domain owner has published. The plan relies on help from ISPs, which actually perform the checks, and from domain owners, who must provide the lists of authorized mail servers. Sender ID has been deployed in a number of places for more than two years and Microsoft, of Redmond, Wash., claims upwards of 5 million domain holders have adopted it. It also has been approved as an Experimental Request for Comment (RFC) by the Internet Engineering Task Force .
By making the framework available under the OSP, Microsoft hopes to encourage vendors to build products that use Sender ID and help push it forward as a standard in the fight against spam and phishing.
Others involved in the fight against spam say that Microsoft's decision to make the Sender ID Framework available under the OSP is less about the technology itself than it is about sending a message to the rest of the security community.
"I think most vendors have deployed Sender ID in their products already because Microsoft had said in the past that it wouldn't enforce the intellectual property rights on it," said Paul Judge, chief technology officer at Secure Computing Corp., a San Jose, Calif., maker of mail security appliances.
Secure Computing, which acquired Judge's former company, CipherTrust, this summer, supports Sender ID in its offerings and Judge has been involved in the anti-spam effort.
"I think this was an opportunity for Microsoft to make it even clearer to the community that this was something they wanted the community to use," Judge said. "It's something that has a fair amount of value."
The Sender Policy Framework, an open standard developed by Meng Wong was merged in 2004 with Microsoft's Caller ID to form Sender ID. The merger has enabled the standards to become better understood by the community, resulting in greater use, Judge said. A separate SPF effort, Openspf.org , still operates independently. But neither of these efforts is ever going to stop spam outright, Judge said.
"There was some misunderstanding that SPF and Sender ID were a magic potion that would end spam," he said. "It's been great for stopping phishing and it's very good at what it's focused on."
In his keynote speech at the conference, Ben Fathi, corporate vice president of the Security Technology Unit at Microsoft, also announced the beta 2 release of Certificate Lifecycle Manager. CLM helps enterprises manage large infrastructures that rely on digital certificates and smart cards. Gemalto, a large smart-card provider, announced support for the new technology.
Fathi also confirmed that Microsoft will be including the CardSpace technology—formerly known as InfoCard—in Vista. CardSpace enables users to establish multiple digital identities for use in various contexts online.
Microsoft is currently not providing details about the new malware sharing program, except to say that it will outline plans in December. Mark Miller, who took over as director of the Microsoft Security Response Center in early October, said the company is working out the frequency of the sample distribution, what form it will take and how organizations that aren't members of the Microsoft Security Response Alliance can get information on it.
"We basically made the decision to do this because we have the samples and it's another way for us to help protect the ecosystem of PCs out there," Miller said.
Currently, Microsoft shares malware samples with the members of its Virus Information Alliance on an as-needed basis.