Strong, Password only Encryption -SRP
Wachdorf, Daniel R
drwachd at sandia.gov
Fri Jan 30 09:54:48 EST 2004
I wasn't trying to turn this into a legal battle. There seems to be some
indication that Stanford has the IPR to SRP (at least SRP-3). The RFC
published by Phoenix Tech. had made me think that there might have been some
resolution to the legal matters.
It has become apparent to me that this is not the case.
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Friday, January 30, 2004 7:47 AM
To: Wachdorf, Daniel R
Cc: 'krbdev at mit.edu'; Nebergall, Christopher
Subject: Re: Strong, Password only Encryption -SRP
Anyone can write an RFC and it looks like they did and technically it
may be very good. But the question is still does someone have IPR
over SRP. This is a legal question, which will require lawyers,
and may turn out it will only be settled in court after something
So is Sandia willing to get their lawyers involved?
If there was a pre-auth using SRP would Sandia be willing to be the
first to use it, and do their lawyers believe it would stand up
Even if there are IPRs and licenses are required for use, an RFC
could still be written. Sandia people could write it, or hire
others to write it (so the others would have legal protection
just in case).
Nobody wants to work on the RFC or modifications if they are not
going to be used.
We are like a herd of thirsty animals looking at the crocodiles in
the water hole wondering if they are hungry. No one wants
to go first, and would rather die of thirst.
"Wachdorf, Daniel R" wrote:
> I know this subject has come up before, and I found the previous reply of:
> "The one solution that we know does work and that which seems most
> natural to the end user is the ZKI solution. You want frustrating?
> Talk to a bunch of lawyers over the question of whether or not the
> SP-EKE patent covers SRP. If it does not, we will implement SRP
> tomorrow and get this over with since Stanford already gave the
> community the right to use SRP for this purpose. However, if there
> is any doubt whatsoever we can't implement it without opening the
> door to major patent infringement lawsuits for all involved." (Jeffrey
> Well, Phoenix Technologies has published an RFC of SPEKE
> (http://www.ietf.org/internet-drafts/draft-jablon-speke-02.txt) on
> They haven't relinquished any of their IPR claims, but they do give credit
> Stanford for having the IPR for SRP. Specifically:
> "6. Intellectual Property Notice
> Phoenix Technologies Ltd. and Stanford University own patents that
> describe the SPEKE and SRP methods respectively. For more
> information, including contact information for resolving questions,
> readers are referred to the IPR statements available at
> Now Stanford has given the right to use SRP
> Does this mean that the issue of SRP use in Kerberos can be revisited?
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439