Subject: Re: SRP, was PROPOSAL: adding capability for blowfish passwords
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Bill Studenmund <>
List: current-users
Date: 05/23/2002 11:37:09
On Thu, 23 May 2002, Greg A. Woods wrote:

> [ On Thursday, May 23, 2002 at 09:07:02 (-0700), Bill Studenmund wrote: ]
> > Subject: Re: SRP, was PROPOSAL: adding capability for blowfish passwords
> >
> > On Thu, 23 May 2002 wrote:
> >
> > > Any opinions of SRP ( as a password mechanism for
> > > local and remote users?
> > > (It wouldn't work as a crypt() replacement because it issues challenges.)
> >
> > Yes, SRP is patented. So we and all NetBSD users would need licenses from
> > Stanford. While Stanford might be willing to give them, we'd still need
> > them.
> Careful how you define "users".  Unless USA patent law has been
> seriously mangled in recent years end users do not need patent licenses
> -- only manufacturers.  So, yes, TNF would need a license, as would a
> third-party developer who "manufacture" separate releases which include
> the patented technology (eg. me, except I'm in Canada so unless I
> distribute my work into the USA I don't need to worry about foreign
> patents).  TNF doesn't have to worry about third party developers either
> -- only the patent owner does (and of course so do the developers who
> might use the patented technology, if they're worried about getting sued
> or some such).  The good thing about not-for-profit stuff though
> (eg. TNF, right?) is that it's pretty damn difficult to get blood from a
> stone.  About the best the likes of Stanford might be able to do is get
> a court order to prevent TNF from using the patented technology.

Technically you are correct. However it has been NetBSD's policy for quite
a while to ship an OS that third party developers could readily use
without hinderance. i.e. without patents.

Thus SRP is a no. :-|

Take care,