Re: SRP is being patented - don't be so quick to use it.

[Tom Wu <tom () ARCOT COM>]

Ken Raeburn wrote:
> David Wheeler <dwheeler () IDA ORG> writes:
> > Trouble is, I understand that SRP is in the process of being patented,
>
> > A _very_ large number of developers, including essentially all open source
> > developers, _automatically_ avoid all patented algorithms unless there's
> > a generous patent grant. Patented algorithms cannot be used at all
> > in open source programs unless there's a patent grant to permit it.
>
> I got two things on this from Tom Wu when we talked at the last IETF
> conference about using SRP to better protect the initial exchange in
> Kerberos:
>
>  1) Stanford has granted such permission regarding the SRP algorithm
>     described in RFC 2945, and the IETF has been sent a letter saying
>     so.  However, I haven't seen the letter and don't know the exact
>     terms, so don't take this as gospel.

A copy of the letter/grant is in the LICENSE file in the SRP
distribution.  The algorithm described in RFC 2945 is royalty-free
worldwide.  This *is* gospel.  :-)

>  2) There's another SRP variant, which I think is supposed to be a
>     little more efficient in terms of message traffic in some
>     situations, which is also (being?) patented, and for which this
>     permission has not been granted.  I don't know how the two differ.

The variant in question is known as SRP-Z, and uses an explicit
public/private parameter for each server instead of a fixed z.  This
variant, which is not described in RFC 2945 nor implemented currently in
the SRP distribution, is less free.

> Since these problems have (supposedly) been addressed, I'm looking at
> moving forward with an Internet Draft for this use with Kerberos,
> pending my actually finding out the terms of the letter.  (Though I'm
> also looking at Radia Perlman's "pseudorandom moduli" work.)
>
> Ken

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124