[cm3]

Why is it that we didn't improve HTTP Digest Auth but let everyone implement their own mechanism, where the number of those using a challenge response protocol is not worth a mention? Do we have to wait until 2018 before https://tools.ietf.org/id/draft-yusef-httpauth-srp-scheme-00... can be a thing? Not saying SRP is the best option, but compared to what's implemented on websites right now, it is much better.

EDIT: I probably am missing details, but surely some secure challenge response protocol must be available for broad implementation in browsers without concern for patents, right?

[lann]

SRP is an "Augmented PAKE" which does not require the server to ever see the plaintext password. I'm not aware of any others that are claimed to be patent-free.

[cm3]

Avoiding patents of other protocols seems to have been one of the goals, but then Thomas has patented SRP itself. https://www.google.com/patents/US6539479 which is set to expire in two years minus 15 days (Jul 14, 1998).

[lann]

Ah right. It is patented, but the most common application of SRP can be used for free.

[cm3]

2 or maybe 4 years would be reasonable to earn back (some or all of) the investment, and allow others to improve upon and maybe even patent the new invention. As it stands, whole industries are held back due to 20 years for patents.

[colejohnson66]

Wouldn't that be 2 years and /a month/ minus 15 days? :)

[cm3]

You're right.