Once I've taken a look at Dmitry's code, I'll send him a copy of my own for 
comparison and we can swap notes and see where we differ. If we can agree on 
the basic approach to implementation I don't see any problem with combining 
proposals into a super world dominating version ;).
 
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


----- Original Message ----
From: Andi Gutmans <[EMAIL PROTECTED]>
To: Pádraic Brady <[EMAIL PROTECTED]>
Cc: Zend Framework General <[email protected]>; Dmitry Stogov <[EMAIL PROTECTED]>
Sent: Tuesday, June 19, 2007 5:22:38 PM
Subject: RE: [fw-general] The road to Zend_Service/Auth_Openid

I actually think it'd be most beneficial for Dmitry and you to work on a proposal together. There have been past instances where we have had community members with similar proposals work together and figure it out.

I'm sure each of you has advantages and disadvantages in your work and together you could figure out the best OpenId support on the net. This is a clear situation where 1+1 could equal 3.

Andi





  

  

From: Pádraic Brady [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 19, 2007 4:43 AM
To: Andi Gutmans
Cc: Zend Framework General
Subject: Re: [fw-general] The road to Zend_Service/Auth_Openid




  


Hi Andi,

A few years ago I started to practice a policy of rant-then-edit. I'd write a fast and ranting post, wait two days, then edit out all the crap that did nobody any good. So the blog post wasn't intended as a rant. I threw that one into .trash on Saturday evening ;).

The main critical part in the blog post was my paragraph of comments on what happened to provoke me into withdrawing my proposal. The main point being the unfortunate realisation that nobody checked existing proposals before committing to this one. I understand that OpenID 2.0 and Yadis are not obviously linked to the ignorant barbarian horde ;) but nobody considered the minimal research involved in finding it. The second critical mention was on the Proposals Process. The process according to the Wiki starts with notification and feedback from the mailing list. Something that was not done until I revisited my own proposal on the mailing list Saturday.

That has since resulted in replies from yourself and Dmitry, and even the posting of code for review, and presumably a proposal in mere days. Quite a reaction. I feel like I poked a wasp nest and they're now buzzing around quite agitated. I could have commented further but I stopped there in the blog and turned to the more interesting topic of my approach to OpenID, what I hoped Zend would replicate, and what to do with my library outside the framework since I might escape the delayed Proposal Review process.

I suppose the further issue if you want an elaboration (.trash'd before it hit the blog) goes back to your original reply. I'm not sure you realise how much it sounded like a dismissal. I was sitting in front of my email client with an OpenID proposal a few months in the making sitting on my desktop ready for the wiki (just waiting for that final feedback on format), and I get a reply noting another project I never heard of is suddenly publishing theirs, and telling me to feel free to review it - apparently ignorant of my own intent to publish mine within days. Frustration barely covers it, maybe "exasperation"? My mental thesaurus is offline today...not enough caffeine yet.

The main non-blogged point I figure is why should I not just stick my OpenID proposal online? Is there some pressing reason why three days later, and in a far more equanimous mood, I should wait an undetermined period for Zend's proposal when I already have a set of such prepared, ready to rock, and backed by fully functioning code I'm currently polishing and slapping a "New BSD" sticker on? As I closed my blog post, I had begun to realise where the Zend proposal was heading and it's nowhere close to where I am. And what I'm considering now is that unless Zend has a proposal ready to go right now there's no real reason I should consider mine dismissed except for questionable wording in a few emails. In a real way, you guys are actually playing catch up.

In any case, 5 paragraphs is long enough for an email. So I'll sign off here before I spout another umpteen pages. I'll have a chance to review Dmitry's code this afternoon so I'll forward some comments around that time.

Best regards,
Paddy



   
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


  



----- Original Message ----
From: Andi Gutmans <[EMAIL PROTECTED]>
To: Dmitry Stogov <[EMAIL PROTECTED]>; Pádraic Brady <[EMAIL PROTECTED]>
Cc: Zend Framework General <[email protected]>
Sent: Tuesday, June 19, 2007 1:45:04 AM
Subject: RE: [fw-general] The road to Zend_Service/Auth_Openid







Padraic,

I read your blog posting and I just wanted to follow-up one more time to clarify.

We have absolutely every intention to "eat our own caviar" (a.k.a "eat our own dog food") and write an OpenId proposal which gives the community the ability to provide us feedback on the work we've been doing. I will definitely not allow anyone here including Dmitry to shortcut that process as I believe it's key to the quality and collaborative goals of the project. This doesn't only include the proposal process but also high quality unit testing and documentation.

The reason why Dmitry started with implementation is because there were two internal goals to this project set by me. The first was to see if we're missing some functionality in core PHP (ext/openssl) in order to deliver good support for identity management (OpenId was not the only system looked at as part of that). The second was to figure out the specification and create a proposal for Zend Framework. Dmitry felt more comfortable writing the code and figuring out both the former goal and the proposal as a derivative of that, i.e. sometimes you need to get your hands dirty to figure stuff out. This was done with his knowledge that at the end of that I would still require him to go through the proposal process (which you probably saw from the docs in that .tar.gz that he had already started working on and which he'll refine for the proposal). I'm sure there'll be future work where Zend or community members might decide that writing the code ahead of time will make it easier for them to write a proposal. That's absolutely fine as long as it doesn't change the way we accept contributions into the project and we don't lose our flexibility for making changes as part of the proposal process. The same has happened in the past and it's often a more convenient way of doing things, depending on what the actual component/project is.

The only unfortunate issue in the process was that I didn't know there was a parallel process in place or I would have encouraged him to touch base with you. I don't get a chance to read all posts nor did I have any clue that Yadis is in any way related to OpenId as I was quite ignorant on the topic :'(

Anyway, I definitely respect you wanting to get your code out there. If you are up to it, it'd also be great if you can contribute on some of the other missing pieces and provide feedback to Dmitry.

At the end of the day our goal is to deliver a high-quality and easy-to-use framework which embraces best practices and can be broadly adopted. The journey will have its bumps here and there but I think overall the community and the framework team have done a great job in working towards the goal within the framework of additional bureaucracy this project has in order to keep everything aligned with the goals.

Andi



  

    

    

From: Dmitry Stogov [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 17, 2007 11:37 PM
To: 'Pádraic Brady'
Cc: 'Zend Framework General'; Andi Gutmans
Subject: RE: [fw-general] The road to Zend_Service/Auth_Openid




    


Hi Padraic,

I've attached the proposed implementation (I am going to post it to the ZF proposal Wiki).

It is a near-full implementation of the OpenID 2.0 authentication protocol, backward compatible with OpenID 1.1.

It still needs some work. Especially XRI and Yadis discovery and SREG support, integration with Zend_Auth_...

I would be very glad to hear your opinion on the implementation as you may have more experience with OpenID and Zend Framework.

Thanks. Dmitry.


    

      


-----Original Message-----
From: Andi Gutmans [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 16, 2007 7:02 PM
To: Pádraic Brady
Cc: Zend Framework General; Dmitry Stogov
Subject: RE: [fw-general] The road to Zend_Service/Auth_Openid




Hi Padraic,

Yes it's unfortunate and had I realized I would have had Dmitry work with you on this. I didn't know very much re: OpenId so I had no idea Yadis was connected.

Also, I asked one of our core PHP contributors to look at this because I wanted to make sure that if we have to extend OpenSSL for best support that we'd be able to do that (which would be a side benefit of this project).

I'll ask Dmitry to connect with you and share the work we have done. There's a chance there might be functionality like Yadis which we haven't implemented yet.

Best,

Andi


       


       



      

        

        

From: Pádraic Brady [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 16, 2007 4:13 AM
To: Andi Gutmans
Cc: Zend Framework General
Subject: Re: [fw-general] The road to Zend_Service/Auth_Openid




        


Hi Andi,

It started as an internal library so it's advanced to 1.1 level and 2.0 is getting there. I had posted a Zend_Service_Yadis proposal for the purpose (mainly as a standalone element since OpenID adopted it but isn't specific to it) which should have tweaked someone by now. I've been aware of Wez's patch - he had commented on the original proposal on my blog. Having the god awfully slow DH in openssl with PHP 5.3 will be great.

It's almost a curse when two groups have piled ahead duplicating effort on such a library. The code I have is intended to be open sourced so it seemed a natural fit given I've been using the framework so much.

Hindsight being so easy, I wish this had been disclosed before now. It's a little frustrating that mine has been informally proposed to the list, discussed, blogged about several times, posted again to the openid list as a heads up, and the Yadis portion even formally proposed on the ZF Wiki and still nobody working on this effort picked up on it. It's been sitting in plain sight since late February; a google search for "zend framework openid" sticks me out like a sore thumb for the whole of page one. That's the extent of my venting for today ;).

While I'm very disappointed something so obvious was missed, C'est juste la vie. Under the assumption this is an officially sponsored effort I withdraw my proposal and will assume the same for Zend_Service_Yadis and the other components noted in my email. I now just need to rethink how it enters the open source ecosystem outside the framework. I have invested too much time in its development to just let it sit on a handful of servers as a write-off.

I will of course offer feedback on Dmitry's proposal when it's published. I have had tons of feedback myself since starting my own proposal effort and having a well designed PHP5 library (or two apparently ;)) was a popular need.

Best of luck,
Pádraic

Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


        



----- Original Message ----
From: Andi Gutmans <[EMAIL PROTECTED]>
To: Pádraic Brady <[EMAIL PROTECTED]>; Zend Framework General <[email protected]>
Cc: Dmitry Stogov <[EMAIL PROTECTED]>
Sent: Saturday, June 16, 2007 6:29:18 AM
Subject: RE: [fw-general] The road to Zend_Service/Auth_Openid







Hi Padraic,

I didn't realize you have been working on this (I must have missed the post).

We have already made very good progress in implementing both OpenId 2.0 compliant client and server. This includes patches to ext/openssl (for future inclusion in PHP) and for those who don't get the updated version both GMP and BCMath support (you are right the latter is awfully slow).

Dmitry (cc'ed) has been spearheading this and is just working on posting a proposal on the Wiki. It'd be great if you can review both the proposal and give us feedback and also look at the code and see if you think there's anything we should improve.

I appreciate your efforts and am looking forward to having you in the feedback loop!

Best,

Andi


        



        

          

          

From: Pádraic Brady [mailto:[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 3:45 PM
To: Zend Framework General
Subject: [fw-general] The road to Zend_Service/Auth_Openid




          


Hi all,

As posted a few months back, I had started working on a PHP5 OpenID library that I wished to port to the framework since it seemed a reasonable addition given our web app focus. Given the complexity of OpenID as a distributed authentication service there are numerous components. Each by itself is actually not that hard, most of the problem is putting them together with a solid set of integration tests.

These include wrappers for large integer (> 32 bits) libraries since bcmath alone is awfully slow for this compared to gmp, cryptographic algorithms, and even a separate extensible web service (already proposed on the wiki). The list of possible sub-components that could feasibly get started with include:

Zend_Service_Yadis
Zend_Crypt_DiffieHellman
Zend_Crypt_Rsa
Zend_Crypt_Hmac
Zend_Crypt_Xtea
Zend_Math_BigInteger

An actual Zend_Service_Openid would need all of the above as well as general file parsers. I was looking for an opinion as to whether these are acceptable as individual proposals. It seems to make sense rendering OpenID into its reusable constituent parts rather than lumping everything (and inevitably burying/hiding it) into the Openid namespace. I don't want to go spamming the wiki with 6+ proposals until I get a little feedback either :).

Any thoughts/comments on this, or OpenID in the ZF in general, are appreciated. :) The primary goal is to implement OpenID 1.1 and 2.0 to the extent necessary to authenticate. The basis of an OpenID server can be considered after.

Paddy

Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


          





          
