SRP Patch Integration?

Tom Wu tom at arcot.com
Wed Feb 13 06:22:27 EST 2002


Theo de Raadt wrote:
> 
> > > The space is specifically not free.
> >
> > It's no less free than the public-key signature space, yet you use
> > digital signature algorithms in OpenSSH.
> 
> As far as I know, the space of algorithms we are using today is in use
> by so many parties under the understanding that no one will ever be able
> to realistically make an attack against that space.

So your argument is based on the "everybody else is doing it" fallacy?
Do you think a judge would accept that argument if you were sued?
Besides, OpenSSH would hardly be the "first user" as you claim below.

> > > > This is an unreasonable position.  Are you familiar with U.S. Patent
> > > > number 5,231,668?  Its title is "Digital Signature Algorithm".  Doesn't
> > > > OpenSSH use DSA?  Who paid for that investigation?
> > >
> > > I read a declaration that the US government, in making DSA a standard,
> > > protects the community from patent issues.  As I understand, the same
> > > kind of protection exists for DES and now for AES.
> >
> > Where can I find a copy of this statement?
> 
> I cannot precisely remember, but I recall it because it felt so nice and
> cosy.  It was the US government trying to make sure the user had some
> protection.  I am tired of people like Stanford having such protection,
> when we do not.

That last statement makes no sense.  Stanford is trying to make sure the
user has some protection as well, by *specifically* making anything
based on RFC2945 free.

> > I'd like to see if Stanford
> > can be persuaded to issue a similar statement, since it appears to offer
> > you sufficient assurance.
> 
> Simple.  Have them drop the patent, make it free.

Yet you did not demand this from the USG.  Strange, and inconsistent.

> Standards should not contain references to patents.  I am firm.  It is
> why we are fighting Cisco in the VRRP space as well.
> 
> >  AFAIK, the USG said, "we don't think there
> > are any patent concerns" and that was it.  In _Applied Cryptography_, p.
> > 493, Schneier gives a more in-depth detailing of the IP situation, which
> > mirrors that of SRP precisely.
> 
> Schneier apparently did not think of it as a crime against society.

Right, and neither is the royalty-free license for SRP.

> > > I've had other dealings with Stanford over patents and such.  They've
> > > been the biggest assholes I've ever had to deal with.  Xerox was
> > > easier to deal with.  I don't even want to bother touching anything in
> > > their space.
> >
> > Can you give an example of this behavior?
> 
> I have been talking with Stanford for over a year trying to get a few
> measly copyright notices on some ancient crappy multicast tools
> slightly modified to permit completely free use.  5 other groups
> involved in that code, including University of Southern California and
> Xerox, responded quickly, tried to understand the situation, and then
> fixed their licenses.  Stanford is the biggest pain in the ass I have
> ever dealt with on a legal front (worse than ssh.com) and I do not
> want to have anything further to do with them.

Which group at Stanford controlled these multicast tools?  Stanford's a
pretty big place.  Isn't it possible that the group you're dealing with
has nothing to do with the people handling SRP?  Are you the slightest
bit interested in getting at the truth of the matter?

> > Are you honestly saying that
> > it's fair to punish someone (me) for behavior that I had no control or
> > knowledge of?
> 
> I am not punishing you.  I am protecting us.
