Strong, Password only Encryption -SRP

Douglas E. Engert deengert at
Fri Jan 30 09:47:26 EST 2004

Anyone can write an RFC and it looks like they did and technically it
may be very good. But the question is still does someone have IPR
over SRP. This is a legal question, which will require lawyers,
and may turn out it will only be settled in court  after something 
is implemented. 

So is Sandia willing to get their lawyers involved?

If there was a pre-auth using SRP would Sandia be willing to be the
first to use it, and do their lawyers believe it would stand up 
in court?

Even if their are IPRs and licenses are required for use, an RFC
could still be written. Sandia people could write it, or hire 
others to write it (so the others would have legel protection
just in case).  

Nobody want to work on the RFC or modifications if they are not 
going to be used.  

We are like a heard thirsty animals looking at the crocodiles in 
the water whole wondering if they are hungry. No one wants
to go first, and would rather die of thirst.

"Wachdorf, Daniel R" wrote:
> Everyone,
> I know this subject has come up before, and i found the previous reply of:
> "The one solution that we know does work and that which seems most
> natural to the end user is the ZKI solution.  You want frustrating?
> Talk to a bunch of lawyers over the question of whether or not the
> SP-EKE patent covers SRP.  If it does not, we will implement SRP
> tomorrow and get this over with since Stanford already gave the
> community the right to use SRP for this purpose.  However, if there
> is any doubt what so ever we can't implement it without opening the
> door to major patent infringement lawsuits for all involved." (Jeffrey
> Altman)
> Well, Phoenix Technologies has published an rfc of SPEKE
> ( on 10/22/03.
> They havn't reqliquished any of their IPR claims, but they do give credit to
> Stanford for having the IPR for SRP.  Specifically:
> "6. Intellectual Property Notice
>    Phoenix Technologies Ltd. and Stanford University own patents that
>    describe the SPEKE and SRP methods respectively.  For more
>    information, including contact information for resolving questions,
>    readers are referred to the IPR statements available at
> Now stanford has given the right to use SRP
> (
> Does this mean that the issue of SRP use in Kerberos can be revisted?
> -dan
> _______________________________________________
> krbdev mailing list             krbdev at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list