SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Re: New draft relevant to SRP



    Regarding the proposed alternatives to SRP-3 ...
    (http://search.ietf.org/internet-drafts/draft-jablon-speke-00.txt)
    
    At 03:31 PM 3/7/02 -0800, Tom Wu wrote:
    >The SPEKE techniques are, to my knowledge, patent-encumbered and
    >non-free, whereas SRP has a free patent license from Stanford and IP
    >issues that are nearing resolution. [...]
    
    First, your phrasing may suggest to some that the existence of the patent
    is or was hidden.  The commercial intentions for the SPEKE protocols and
    their patent status have been public knowledge since the first published
    paper in 1996, and the draft is clear on this too.
    
    >[...] It seems that presenting these 
    >techniques as fixes to "issues" with SRP (instead of as a supplement) is
    >misleading in this context.
    
    Stanford's generosity notwithstanding, today, there is an outstanding
    working group issue with SRP-3 and other patents.  David Black has
    urged me to try to get Phoenix to clarify its position on SRP-3, and I'm
    in the process of doing just that.  If you find specific text in the draft that
    is "misleading" in this context, or any other context, show me and I'll try to
    improve it promptly.  I also see no problem with the supplement approach.
    
    The draft is intended to facilitate public analysis of both patent issues
    and the technical merits of SRP-3 and the SPEKE, B-SPEKE and SRP-4
    alternatives.  For some people, the relative technical merits of SRP-3 and these
    alternatives may be minor -- they may shop around, first, based on price, and
    only then based on these differences.
    
    The bigger concern is when people don't shop around at all and leave
    major technical issues unaddressed.
    
    >Unless SPEKE, or some variant thereof, is made available under a license
    >as liberal as the SRP license, it seems that it would be more
    >appropriate to consider it for a future optional authentication method,
    >as opposed to a mandatory one.
    
    There's also a lot of room between MUST and MAY, and between 
    free and affordable.  The only thing that I find really annoying, and kind of scary,
    is when standards preclude or actively discourage strong options.
    
    -- David
    
    
    


Home

Last updated: Fri Mar 08 12:18:09 2002
9043 messages in chronological order