SRP secure remote password authentication

Tom Wu tom at
Fri Sep 19 04:48:42 EST 2003

Ben Lindstrom wrote:
> Personally, I'd rather not touch it until those companies make an official
> announcement clearing or granted.  And so far neither are forthcoming.

It seems a bit naive to expect a company who patents technology A and 
wants to make money licensing it, to issue a statement saying technology 
B (which happens to work around the patent) is not covered by their 
patents.  They have no obligation to and do not stand to profit from this.

And the comment about being "bit in the ass by the shark" seems a bit of 
a red herring fallacy, since other Open Source projects include support 
for algorithms that are known to be patented with royalties required 
(OpenSSL/IDEA) and allow the customer to compile/not-compile support in.
To date I have heard no reports of sharks.

If the OpenSSH group wants to adopt this kind of policy, despite the 
fact that this strengthens the hand of software patent holders and 
legitimizes the "DoS" technique of scaring people away from competing 
open/free technology with intimidating IP claims, that's their prerogative.

Frankly, I see integrating SRP as a compile-time choice as the best 
compromise, so the customer can make this decision instead of having it 
forced on him/her.  It can be default enabled or disabled, at the 
discretion of the OpenSSH devs.  The code's already written, and it 
should be fairly easy to audit - I'd even volunteer to help in that regard.

Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124

More information about the openssh-unix-dev mailing list