> 
> I thought SRP6 was patented. Isn't SRP6 patented?

Yes, here is an excerpt from http://srp.stanford.edu/licence.txt:

  SRP is royalty-free worldwide for commercial and non-commercial use.
  The SRP library has been carefully written not to depend on any
  encumbered algorithms, and it is distributed under a standard
  BSD-style Open Source license which is shown below.  This license
  covers implementations based on the SRP library as well as
  independent implementations based on RFC 2945.

The last sentence seems to be the key.
> 
> Also, as pointed out by Steiner et al. [1] implementing SRP6 requires 
> modifying the hello messages and therefore compatibility with already 
> deployed openssl libraries is lost, isn't it?
>
> [1] Secure Password-Based Cipher Suite for TLS, M. Steiner, P. Buhler, 
> T. Eirich, and M. Waidner, ACM Transactions on Information and System 
> Security (TISSEC).
> 

This text is from 2000 as far as I know; it may therefore be a
little bit outdated in some respects and, in particular, cannot
cover the changes from SRP-3 to SRP-6.

This article also says: "For compatibility reasons we should not alter
messages which are sent before agreement on a cipher suite has been reached.
This means in particular that we should refrain from modifying
Clienthello." 

Excerpt from RFC 2246 (Jan 1999):

   Forward compatibility note:
       In the interests of forward compatibility, it is permitted for a
       client hello message to include extra data after the compression
       methods. This data must be included in the handshake hashes, but
       must otherwise be ignored. This is the only handshake message for
       which this is legal; for all other messages, the amount of data
       in the message must match the description of the message
       precisely.

The modifications for SRP-6 are done using the proposed extensions technique 
for TLS 1.1.

As far as I have tested, I can safely connect to any existing openssl
library, and if I propose other ciphers than the SRP ones, they are
selected. 

See also the GNU-TLS implementation which also includes SRP6. It's 
always good to have at least two independent implementations.

If I am misusing this list, sorry. 

Peter 
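
The forward-compatibility rule quoted from RFC 2246 above, as an added example that is not part of the original message or of the EdelKey patch: a ClientHello walker that reports the bytes following the compression methods and, where they form an extension block in the RFC 3546 (TLS Extensions) layout, counts the extensions. The function names, the extension type 0x1234 and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
struct hello_info {
    size_t extra_len; /* bytes after compression_methods */
    int ext_count;    /* extensions parsed; -1 if extra data is not an extension block */
};

/* Skip a vector with a big-endian length prefix of len_bytes bytes; 0 on success. */
static int skip_vec(const uint8_t *p, size_t n, size_t *off, int len_bytes)
{
    size_t len = 0;
    if (n - *off < (size_t)len_bytes) return -1;
    for (int i = 0; i < len_bytes; i++) len = (len << 8) | p[(*off)++];
    if (n - *off < len) return -1;
    *off += len;
    return 0;
}

/* p/n: ClientHello body, i.e. the bytes after the 4-byte handshake header. */
int parse_client_hello(const uint8_t *p, size_t n, struct hello_info *out)
{
    size_t off = 2 + 32;                       /* client_version, random */
    if (n < off) return -1;
    if (skip_vec(p, n, &off, 1)) return -1;    /* session_id */
    if (skip_vec(p, n, &off, 2)) return -1;    /* cipher_suites */
    if (skip_vec(p, n, &off, 1)) return -1;    /* compression_methods */
    out->extra_len = n - off;
    out->ext_count = 0;
    if (out->extra_len == 0) return 0;         /* plain RFC 2246 hello */
    /* An RFC 2246-only server stops here: it hashes the extra bytes but ignores them.
       An extension-aware server reads uint16 total, then (uint16 type, uint16 len, data)*. */
    out->ext_count = -1;
    if (out->extra_len < 2) return 0;
    size_t total = ((size_t)p[off] << 8) | p[off + 1];
    off += 2;
    if (total != n - off) return 0;            /* length mismatch: not an extension block */
    int count = 0;
    while (off < n) {
        if (n - off < 2) return 0;
        off += 2;                              /* extension_type */
        if (skip_vec(p, n, &off, 2)) return 0; /* extension_data */
        count++;
    }
    out->ext_count = count;
    return 0;
}

/* Constructed sample: TLS 1.0 hello, one cipher suite, one extension of made-up type 0x1234. */
const uint8_t SAMPLE_HELLO[52] = {
    [0] = 0x03, 0x01, [34] = 0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00,
    0x00, 0x09, 0x12, 0x34, 0x00, 0x05, 0x04, 'u', 's', 'e', 'r' };
```

Passing only the first 41 bytes of the sample gives the plain hello that an older server expects; the full 52 bytes parse the same way up to the compression methods, which is why the added data does not break it.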
----------

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Hi,<br>
<br>
I thought SRP6 was patented. Isn't SRP6 patented? <br>
<br>
Also, as pointed out by Steiner et al. [1] implementing SRP6 requires
modifying the hello messages and therefore compatibility with already
deployed openssl libraries is lost, isn't it?<br>
&nbsp;<br>
[1] Secure Password-Based Cipher Suite for TLS, M. Steiner, P. Buhler,
T. Eirich, and M. Waidner, <font size="-1">ACM Transactions on
Information and System Security (<b>TISSEC</b>).</font><br>
<br>
Thanks,<br>
Olivier.<br>
<blockquote type="cite"
 cite="[EMAIL PROTECTED]">
  <pre wrap="">I just made available the second beta release of our patch for
OpenSSL 0.9.7d implementing the SRP6 TLS protocol. 

In addition, a first beta release of a patch for mod_ssl 
allowing to use the new protocol in an Apache Web Server
is provided.

More info and downloads are available here:

   <a class="moz-txt-link-freetext" href="http://www.edelweb.fr/EdelKey/">http://www.edelweb.fr/EdelKey/</a>   

Regards.
Peter Sylveter
______________________________________________________________________
OpenSSL Project                                 <a class="moz-txt-link-freetext" href="http://www.openssl.org">http://www.openssl.org</a>
Development Mailing List                       <a class="moz-txt-link-abbreviated" href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>
Automated List Manager                           <a class="moz-txt-link-abbreviated" href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>
  </pre>
</blockquote>
</body>
</html>