Re: New draft relevant to SRP

To: Tom Wu <tom@arcot.com>
Subject: Re: New draft relevant to SRP
From: David Jablon <dpj@world.std.com>
Date: Fri, 08 Mar 2002 15:04:01 -0500
Cc: ips@ece.cmu.edu
Content-Type: text/plain; charset="us-ascii"
In-Reply-To: <3C87F83B.343502C8@arcot.com>
References: <5.1.0.14.0.20020307203102.00a246a0@pop.theworld.com>
Sender: owner-ips@ece.cmu.edu

Regarding the proposed alternatives to SRP-3 ...
(http://search.ietf.org/internet-drafts/draft-jablon-speke-00.txt)

At 03:31 PM 3/7/02 -0800, Tom Wu wrote:
>The SPEKE techniques are, to my knowledge, patent-encumbered and
>non-free, whereas SRP has a free patent license from Stanford and IP
>issues that are nearing resolution. [...]

First, your phrasing may suggest to some that the existence of the patent
is or was hidden.  The commercial intentions for the SPEKE protocols and
their patent status have been public knowledge since the first published
paper in 1996, and the draft is clear on this too.

>[...] It seems that presenting these 
>techniques as fixes to "issues" with SRP (instead of as a supplement) is
>misleading in this context.

Stanford's generosity notwithstanding, today, there is an outstanding
working group issue with SRP-3 and other patents.  David Black has
urged me to try to get Phoenix to clarify its position on SRP-3, and I'm
in the process of doing just that.  If you find specific text in the draft that
is "misleading" in this context, or any other context, show me and I'll try to
improve it promptly.  I also see no problem with the supplement approach.

The draft is intended to facilitate public analysis of both patent issues
and the technical merits of SRP-3 and the SPEKE, B-SPEKE and SRP-4
alternatives.  For some people, the relative technical merits of SRP-3 and these
alternatives may be minor -- they may shop around, first, based on price, and
only then based on these differences.

The bigger concern is when people don't shop around at all and leave
major technical issues unaddressed.

>Unless SPEKE, or some variant thereof, is made available under a license
>as liberal as the SRP license, it seems that it would be more
>appropriate to consider it for a future optional authentication method,
>as opposed to a mandatory one.

There's also a lot of room between MUST and MAY, and between 
free and affordable.  The only thing that I find really annoying, and kind of scary,
is when standards preclude or actively discourage strong options.

-- David

References:
- New draft relevant to SRP
  - From: David Jablon <dpj@world.std.com>
- Re: New draft relevant to SRP
  - From: Tom Wu <tom@arcot.com>

Prev by Date: RE: iSCSI: Question: ISID Rule?
Next by Date: Re: iSCSI: Question: ISID Rule?
Prev by thread: Re: New draft relevant to SRP
Next by thread: iSCSI - Range of values can be negotiated for integers?
Index(es):
- Date
- Thread

Home

Last updated: Fri Mar 08 12:18:09 2002
9043 messages in chronological order