SRP Patch Integration?

Dan Kaminsky dan at
Wed Feb 13 08:31:21 EST 2002

> Are you referring to the distinction between SRP and SRP-Z?  The SRP
> userauth mechanism is specifically based on RFC2945, which is
> royalty-free, and does not use SRP-Z in any way.  Or were there some
> other "restrictions" you were concerned about?

This is an uncomfortable situation for me, as I was one of the major
champions of getting SRP in.

My concern is that we have a "license" for integrating SRP in one specific
way, but the more we do to use it in new and interesting ways, the more we
leave the purview of what Stanford will allow us to do.

I'd like to use SRP to authenticate unknown host keys, for instance.  Is
that a new use?  Is it arguable?

Tom, I know the bar has been raised on you repeatedly, and every time you
manage to overcome one hurdle, another one pops up.  And that sucks, a lot,
because SRP has a ginormous amount of potential.  (If there wasn't such a
feeding frenzy for the vaporware profits of certificate management, your
system would be *the* standard).  But I see Theo's worry:  The moment we
start using the SRP protocol a tiny bit outside the expected uses mentioned
in the RFC, we *might* fall out of compliance.

Yours Truly,

    Dan Kaminsky
    DoxPara Research

