SRP secure remote password authentication

Jeremy Nysen jnysen-openssh at
Fri Sep 19 09:39:43 EST 2003

--On Thursday, 18 September 2003 4:21 AM -0500 Ben Lindstrom <mouring at> 

>> If you look carefully at such "claims", you'll see that they are filled
>> with "may"s and "might"s, if in fact there is any claim being made at
>> all.  Unless there is some more substantiation that would allow one to
>> distinguish them from frivolous claims designed to cause marketplace
>> confusion/fear, I don't see why anyone, especially OSS projects
>> ostensibly opposed to precisely this kind of patent abuse, should grant
>> them any kind of legitimacy.
> NORMALLY companies don't say "may" or "might" unless there is a damn good
> reason.  Most businesses really do want to be upfront and honest (there are
> exceptions to this rule).
> Personally, I'd rather not touch it until those companies make an official
> announcement clearing or granting.  And so far neither is forthcoming.
> So I don't see a need to be the first to jump into the pool just to be bitten
> in the ass by the shark.
> - Ben

SRP has already been implemented in many other open source and commercial tools, including
Tom Wu's SRPTelnet/FTP, the Cryptix SASL library, the GNU gnutls library, lsh, C-Kermit,
Netterm, Anzioterm and I'm sure many others. So OpenSSH will definitely not be the first
to jump into the pool.

Do you have a list of the companies (besides Stanford) that are claiming ownership over
some aspect of SRP? If so, it might be worthwhile having the inventor of SRP, Tom Wu,
contact them for clarification.

I know when speaking to Lucent, IBM, and other entities with large patent portfolios, 
they usually make the blanket statement that you are likely to be infringing on their IP. 
This is because they have so many claims across so many patents that pretty much anything 
is at risk - and this includes simple things that most programmers would deem blatantly 
obvious and non-inventive.

Statements like the 'might's and 'may's of the above are par for the course, and it is up
to the implementer to seek clarification to reduce the risks.

If you were to approach the same companies and ask if OpenSSH _without SRP_ is infringing 
any of their patents, you would likely get the same 'might/may's. This is why it is 
important to have someone seek further clarification, and not be scared off by the 'cover 
all bases' approach of patent holders (or abusers).
