SRP Patch Integration?

Tom Wu tom at
Wed Feb 13 04:05:18 EST 2002

Theo de Raadt wrote:
> Niels says there are patent issues.  Now someone will stand up and say
> that there are no issues.  Such a person would be wrong.  There ARE
> issues.  The rules say that we can instrument a cut-down version of
> the full EKE protocols, but not a full version.  The rules constrain
> our development freedom.  Well, want to know what my opinion is about

The above indicates a serious misunderstanding of the distinction
between SRP (which is free) and SRP-Z (which needs licensing).  SRP is
not a "cut-down version" of EKE; it is a functionally equivalent
workaround.  If you want absolute ability to modify algorithms without
fear of patents, then you've excluded most public-key algorithms
already.  By your standards, you shouldn't be using DSA, since minor
modifications/tweaks to it can result in a patented discrete-log
signature scheme.  Are you really willing to apply this stance
objectively and uniformly to all of OpenSSH?

> such rules?  The people who made such rules can rot in hell.  Perhaps
> we will just wait for an alternative that has no stupid rules.
> We've been doing a good job of sticking it to patent idiots, and I do
> not think we should stop.
> Stanford wants to slow use of new technology.  Fine with me.  Other
> technology will appear.  I urge other people to develop alternatives
> to the EKE stuff.

You seem to have interpreted the situation precisely backwards.  EKE is
the patented, non-free technology.  I invented SRP and insisted that it
be available royalty-free so that Open Source developers had the
opportunity to use strong password technology without having to pay
royalties.  I respect your opinions, but please make sure you get the
facts straight about who is really "slow[ing] use of new technology".

Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."

More information about the openssh-unix-dev mailing list