SRP Patch Integration?

Theo de Raadt deraadt at cvs.openbsd.org
Wed Feb 13 05:36:19 EST 2002


> > The space is specifically not free.
> 
> It's no less free than the public-key signature space, yet you use
> digital signature algorithms in OpenSSH.

As far as I know, the space of algorithms we are using today is in use
by so many parties under the understanding that no one will ever be able
to realistically make an attack against that space.

> > > This is an unreasonable position.  Are you familiar with U.S. Patent
> > > number 5,231,668?  Its title is "Digital Signature Algorithm".  Doesn't
> > > OpenSSH use DSA?  Who paid for that investigation?
> > 
> > I read a declaration that the US government, in making DSA a standard,
> > protects the community from patent issues.  As I understand, the same
> > kind of protection exists for DES and now for AES.
> 
> Where can I find a copy of this statement?

I cannot precisely remember, but I recall it because it felt so nice and
cosy.  It was the US government trying to make sure the user had some
protection.  I am tired of people like Stanford having such protection,
when we do not.

> I'd like to see if Stanford
> can be persuaded to issue a similar statement, since it appears to offer
> you sufficient assurance.

Simple.  Have them drop the patent, make it free.

Standards should not contain references to patents.  I am firm.  It is
why we are fighting Cisco in the VRRP space as well.

> AFAIK, the USG said, "we don't think there
> are any patent concerns" and that was it.  In _Applied Cryptography_, p.
> 493, Schneier gives a more in-depth detailing of the IP situation, which
> mirrors that of SRP precisely.

Schneier apparently did not think of it as a crime against society.

> > I've had other dealings with Stanford over patents and such.  They've
> > been the biggest assholes I've ever had to deal with.  Xerox was
> > easier to deal with.  I don't even want to bother touching anything in
> > their space.
> 
> Can you give an example of this behavior?

I have been talking with Stanford for over a year trying to get a few
measly copyright notices on some ancient crappy multicast tools
slightly modified to permit completely free use.  5 other groups
involved in that code, including University of Southern California and
Xerox, responded quickly, tried to understand the situation, and then
fixed their licenses.  Stanford is the biggest pain in the ass I have
ever dealt with on a legal front (worse than ssh.com) and I do not
want to have anything further to do with them.

> Are you honestly saying that
> it's fair to punish someone (me) for behavior that I had no control or
> knowledge of?

I am not punishing you.  I am protecting us.

> Are you saying that even if Stanford makes an effort to
> improve its practices, that it's too late and that your mind is closed
> to the possibility?

Go ahead, try to convince them.  I am not going to bother talking to
their lawyers again.

> > > The reasoning is backwards, that's the problem.  Being patented is
> > > clearly not the issue here.  If it were, half the algorithms in OpenSSH
> > > would fail that test.  One still needs to come up with a reason why a
> > > patent would pose a problem for OpenSSH, and no such good reason has
> > > surfaced for SRP, which leads me to believe the IP issue is a red
> > > herring.
> > 
> > Well, tough.
> > 
> > You just seem to be upset because we've decided to wait for something
> > else to show up in the field.
> 
> I'm upset because you seem to be giving a (poor) reason for refusing to
> consider SRP,

I feel our reasons are well founded.

> and then refusing even to apply that same reasoning to
> other technologies that OpenSSH already uses.

The other technologies are well established, and we are protected by the
entire industry.

With SRP, we become a first user, and a target.

It's an RFC.  Wow.  So is VRRP, and look how screwed up that space is with
patents.

> It's the lack of
> integrity that bothers me.

Oh, really.  Thanks.  I'll remember that comment.  How funny.

> > I think the benefit to threat ratio is bad enough that we should just
> > wait.
> > 
> > Sorry Tom.  You should have fought the lawyers more when you sold your
> > soul.
> 
> The ad-homming doesn't really help either.  I suppose fighting to make a
> technology royalty-free is "selling one's soul" given sufficiently
> twisted definitions.

I am not attacking you.  I am making a stand against new IP questions.

Sorry if you feel otherwise.
