Subject: Re: SRP, was PROPOSAL: adding capability for blowfish passwords
To: None <firstname.lastname@example.org>
From: Bill Studenmund <email@example.com>
Date: 05/23/2002 09:07:02
On Thu, 23 May 2002 firstname.lastname@example.org wrote:
> Any opinions of SRP (http://srp.stanford.edu/) as a password mechanism for
> local and remote users?
> (It wouldn't work as a crypt() replacement because it issues challenges.)
Yes, SRP is patented. So we and all NetBSD users would need licenses from
Stanford. While Stanford might be willing to give them, we'd still need
Additionally when SRP was discussed on the iSCSI list, Lucent and Phoenix
Technologies noted that SRP implementations "may" infringe on patents they
hold (the EKE patent for Lucent, don't recall for Phoenix). So not only do
you have to talk to Stanford, you have to talk to Lucent and Phoenix.
So we basically have to wait until the patents expire for these
technologies to be useful.