SRP Patch Integration?

[Theo de Raadt]

> Are you referring to the distinction between SRP and SRP-Z?  The SRP
> userauth mechansim is specifically based on RFC2945, which is
> royalty-free, and does not use SRP-Z in any way.  Or were there some
> other "restrictions" you were concerned about?

The space is specifically not free. 

> > It is not clear if EKE or SPEKE patents are required for a SRP
> > implementation.
> > 
> > As far as I see it, everything that is patented is tainted.
> > Somebody who has money to pay a lawer needs to investigate
> > this further.
> 
> This is an unreasonable position.  Are you familiar with U.S. Patent
> number 5,231,668?  Its title is "Digital Signature Algorithm".  Doesn't
> OpenSSH uses DSA?  Who paid for that investigation?

I read a decleration that the US government, in making DSA a standard,
protects the community from patent issues.  As I understand, the same
kind of protection exists for DES and now for AES.

I've had other dealings with Stanford over patents and such.  They've
been the biggest assholes I've ever had to deal with.  Xerox was
easier to deal with.  I don't even want to bother touching anything in
their space.

> The reasoning is backwards, that's the problem.  Being patented is
> clearly not the issue here.  If it were, half the algorithms in OpenSSH
> would fail that test.  One still needs to come up with a reason why a
> patent would pose a problem for OpenSSH, and no such good reason has
> surfaced for SRP, which leads me to believe the IP issue is a red
> herring.

Well, tough.

You just seem to be upset because we've decided to wait for something
else to show up in the field.

I think the benefit to threat ratio is bad enough that we should just
wait.

Sorry Tom.  You should have fought the lawyers more when you sold your
soul.