SRP Patch Integration?
Theo de Raadt
deraadt at cvs.openbsd.org
Tue Feb 12 20:00:44 EST 2002
> >Simply stated, SRP is a strong password authentication protocol that
> >resists passive/active network attack, and when used in conjunction with
> >OpenSSH, solves the "unknown host key" problem without requiring host
> >key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
> >another way, is there any good reason *not* to fold these patches into
> >OpenSSH proper?
> SRP would be useful to have. However, as it is patented I do not know
> if it can be included in OpenSSH. The grant in the patent seems to
> place restrictions on the licensee.
>
> It is not clear if EKE or SPEKE patents are required for a SRP
> implementation.
>
> As far as I see it, everything that is patented is tainted.
> Somebody who has money to pay a lawer needs to investigate
> this further.
Niels says there are patent issues. Now someone will stand up and say
that there are no issues. Such a person would be wrong. There ARE
issues. The rules say that we can instrument a cut-down version of
the full EKE protocols, but not a full version. The rules constrain
our development freedom. Well, want to know what my opinion is about
such rules? The people who made such rules can rot in hell. Perhaps
we will just wait for an alternative that has no stupid rules.
We've been doing a good job of sticking it to patent idiots, and I do
not think we should stop.
Stanford wants to slow use of new technology. Fine with me. Other
technology will appear. I urge other people to developer alternatives
to the EKE stuff.
More information about the openssh-unix-dev
mailing list