As a followup, I spoke to an IETF friend who's used and implemented both
SRP and SCRAM. He agrees that SRP is cryptographically solid, that it's
significantly more difficult to implement (and therefore has a bit of a
monoculture risk overall, though of course that wouldn't apply to us if
we were to write the code from scratch).
Apparently the patent status is still not entirely clear. Two of the
patents expired, but there are others that may be relevant. Stanford
claims a patent, but apparently grant a free license if you do meet
certain conditions. But he doesn't know of anyone having to go to
court over the use of SRP.
-- Abhijit
