
Re: SRP



On Mon, 26 Jul 2004 19:11:26 -0700, Russ Allbery wrote:

> MiguelGea <Correo@miguelgea.com> writes:
> 
>> Hello debian-legal,
>> I'm thinking about packaging SRP for debian. 
> 
>> Question 1: I'm not sure if there are any problem on packaging it. What
>> do you think about?
> 
> Please note that SRP is patented; that's part of SRP's licensing that
> tends to make people nervous.  The most current information that I have on
> the SRP patent is at:
> 
>     <http://availtech.stanford.edu/Scripts/otl.cgi/docket?docket=97-006>
Actually, I remember looking at SRP a while back; I noticed they had two
different algorithms/releases/versions.  I assume both are patented;
however, one required royalties, the other was free for use.  Grabbing
srp-2.1.0-beta1.tar.gz and peeking at docs/LICENSE, I see the following
that was left out of MiguelGea's initial post:
SRP is royalty-free worldwide for commercial and non-commercial use.
The SRP library has been carefully written not to depend on any
encumbered algorithms, and it is distributed under a standard
BSD-style Open Source license which is shown below.  This license
covers implementations based on the SRP library as well as
independent implementations based on RFC 2945.

The SRP distribution itself contains algorithms and code from
various freeware packages; these parts fall under both the SRP
Open Source license and the packages' own licenses.  Care has
been taken to ensure that these licenses are compatible with
Open Source distribution, but it is the responsibility of the
licensee to comply with the terms of these licenses.  This
disclaimer also applies to third-party libraries that may be
linked into the distribution, since they may contain patented
intellectual property.  The file "Copyrights" contains a list
of the copyrights incorporated by portions of the software.

Broader use of the SRP authentication technology, such as variants
incorporating the use of an explicit server secret (SRP-Z), may
require a license; please contact the Stanford Office of Technology
Licensing (http://otl.stanford.edu/) for more information about
terms and conditions.
Also, following your link, I see:

Licensing:

    * Non-commercial or commercial use of SRP/SRP-3 in its
    implicit-server-authenticating form (e.g. RFC2945) is royalty-free,
    and you can download the license at
    http://otl.stanford.edu/pdf/97006.pdf. Use of SRP for explicit
    bidirectional authentication (e.g. SRP-Z for explicit server
    authentication) is specifically not included under the royalty-free
    license. Please contact Mary Watanabe for license terms. 
I'm not sure how to interpret this; I'm not familiar enough w/ SRP-Z.  Is
this a different algorithm, such that the source would need to be
significantly modified (such that SRP-Z is essentially a separate thing,
covered by its own license; converting SRP-3 to SRP-Z is just as
difficult as converting openssh to SRP-Z)?  Is this merely a layer on top
of SRP-3 (thereby restricting a derived work, and making it
DFSG-incompatible)?