Cisco and Yahoo discuss authentication differences

Yahoo and Cisco are working to find some common ground in their respective email authentication specifications. Often confused with anti-spam technology, email authentication attempts to verify that an email is really coming from the person listed in the email header. The technology is then used as a foundation for traditional anti-spam software and hardware like those provided by Symantec, McAfee, Postini, CipherTrust and many other vendors.

One of the big topics during last week's Internet Engineering Task Force (IETF) meeting was whether Yahoo and Cisco had combined their two similar signature-based specifications. Dave Crocker, principal at Brandenburg InternetWorking and author of the Bounce Address Tag Validation (BATV) email authentication specification, said the work of the two companies is slated to become the foundation for an IETF working group, as soon as the two combine their technologies.

Crocker said that it's not good for the Internet community to have two competing specifications that are so similar in nature and function. However, he said, the differences in IIM and DomainKeys are significant. "Usually the efforts to merge competing proposals don't go very well inside the IETF. So the feeling is that the IETF has to wait until that merger is complete and then they can consider pursuing a standards process for the result."

Yahoo's DomainKeys and Cisco's Identified Internet Mail (IIM) are very similar in that they use public-key technology to determine whether a message is really coming from the individual named in the e-mail header. Both use RSA public-key encryption as their foundation; both append the signature in the message header; and signing and verification typically take place at the mail transfer agent (MTA), though the option exists at the mail user agent (MUA).

But, as the saying goes, the devil is in the details; some fundamental differences have kept the two from merging in the past.

One of the biggest differences between the two technologies is that in IIM the public key is tacked onto the email message and authorized through the DNS, while in DomainKeys public keys are stored in DNS TXT records. Also, while the IIM specification can use the DNS to verify keys, it prefers the Key Registration Server (KRS) for more flexibility, while DomainKeys relies on DNS alone. The tradeoff is that IIM can provide user-level keys and outsource email addresses, and DomainKeys can only register keys by domain, and email outsourcing isn't available.

Miles Libbey, anti-spam product manager at Yahoo, said that from a project manager's point of view, the differences are highly technical but not insurmountable. "Conceptually, DomainKeys and Identified Internet Mail are extremely similar. The general concepts are effectively identical, so we think that it will be possible to have a merged spec," he said. "Certainly, the individual technology choices that are made in both specs would make one incompatible with the other today, but a lot of those things are easily overcome."

An IETF working group infrastructure is already in place for a combined specification, in the form of the unofficial Message Authentication Signature Standards (MASS). While DomainKeys and IIM are the leading contenders in the group, others are under consideration: Microsoft's Email Postmarks; Entity to Entity S/MIME; MTA Signatures; BATV; and Trusted Email Open Standard (TEOS).

According to Jim Fenton, co-author of IIM, a combined technology should be ready in the coming months, but much depends on the review processes at the two companies. The combined specification won't incorporate many new ideas, he said, but will find common ground and incorporate the best ideas of both technologies. "It's really hard for me to put a specific timeline on it," he said. "We know that the industry is very anxious for this hybrid to get going and so there's a lot of urgency. I would certainly hope it would be this year.

"I would be extremely disappointed if it didn't happen this year, but whether it's springtime or summertime, I don't know," he added. "It becomes a lot more complex when we have more authors and more review that needs to go on."

Both companies have picked up corporate support for their respective technologies, though Cisco officials said they are keeping a low profile on announcing companies testing and deploying their technology. Yahoo, on the other hand, has reported that Google, EarthLink, SBC and even its own service are using DomainKeys.

