On Sun, 29 Apr 2001, RJ Atkinson wrote:

> At 06:26 27/04/01, Tom Wu wrote:
> >For those of you who were following the discussion about the new draft
> >and implementation of SRP-based password authentication in OpenSSH, I
> >promised to have Stanford issue the IETF an official, explicit,
> >statement reiterating the unencumbered royalty-free licensing terms.
> >The new statement is now available from the IETF's IPR page.
>
> Thanks.
>
> For those who are having trouble finding the URL:
> http://www.ietf.org/ietf/IPR/WU-SRP
>
> Note that there are specific limits to the Stanford grant of rights,
> so I'd ask that we try to stay within the "no payment needed"
> portion of SRP if SRP is adopted...

Stanford University is granting a royalty-free license for RFC 2945
implementations -- and the OpenSSH SRP implementation is of that sort.
That is, not only are we free and clear, but the algorithm is safe from
future claimjumpers trying to patent it.

Not to mention that it provides strong authentication of both client *and*
server, even when the host key has changed or is unknown, and it doesn't
leak any information to eavesdroppers or MITM. :-)

So, SRP is ready to go.

Speaking of which, an up-to-date tarball and patch are available:

http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.tar.gz
http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.patch.gz

The patch is vs. the 20010501 CVS, the tarball is self-contained (remember
to left-click on those links to download the files from Tripod). See the
README.SRP file for more info and installation instructions.

Here is the signature of the tarball (OpenSSH-2.9p1-srp7.tar)

and here is the signature of the patch (OpenSSH-2.9p1-srp7.patch)

My GPG public key is available from standard keyservers.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_

At 03:54 01/05/01, Tom Holroyd wrote:

>Stanford University is granting a royalty-free license for RFC 2945
>implementations -- and the OpenSSH SRP implementation is of that sort.
>That is, not only are we free and clear, but the algorithm is safe from future claimjumpers trying to patent it.
>
>Not to mention that it provides strong authentication of both client *and* server, even when the host key has changed or is unknown,
>and it doesn't leak any information to eavesdroppers or MITM. :-)

The Stanford IPR release to IETF is clear and says that
bi-directional authentication mode (SRP-Z) requires a
separate licence, and is not free. Only implicit server
authentication mode is free.

Your statement above appears at variance with the actual
words from Stanford. I'd encourage folks to go read the actual
words from Stanford, not anyone's interpretations of them.

Ran
rja at inet.org

> bi-directional authentication mode (SRP-Z) requires a
> separate licence, and is not free. Only implicit server
> authentication mode is free.
>
> Your statement above appears at variance with the actual
> words from Stanford. I'd encourage folks to go read the actual
> words from Stanford, not anyone's interpretations of them.

Implicit server authentication mode is the mode detailed by RFC 2945.
It is all that is necessary for our applications.

Tom Holroyd wrote:

>
> Not to mention that it provides strong authentication of both client *and*
> server, even when the host key has changed or is unknown, and it doesn't
> leak any information to eavesdroppers or MITM. :-)
>
> So, SRP is ready to go.
>
> Speaking of which, an up-to-date tarball and patch are available:
>
> http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.tar.gz
> http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.patch.gz
>
> The patch is vs. the 20010501 CVS, the tarball is self-contained (remember
> to left-click on those links to download the files from Tripod). See the
> README.SRP file for more info and installation instructions.

The patches look really good. Everything built right out of the box on
Linux (glibc 2.1) and FreeBSD 4.2. The only hiccup was the strict
permissions checking on /etc/tpasswd.conf, but that was easily resolved.
Interoperation with EPS stuff looks clean.

> Dr. Tom Holroyd
> "I am, as I said, inspired by the biological phenomena in which
> chemical forces are used in repetitious fashion to produce all
> kinds of weird effects (one of which is the author)."
> -- Richard Feynman, _There's Plenty of Room at the Bottom_

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."