I have finished my proposal for a Zend_Crypt_Rsa component, which will come in handy for a few uses, not least of which OAuth.

http://framework.zend.com/wiki/pages/viewpage.action?pageId=3866770

Comments from the community are more than welcome. As it stands the component is quite a neat OO wrapper around existing ext/openssl functionality.

Best regards,
Paddy

http://blog.astrumfutura.com
http://www.patternsforphp.com
OpenID Europe Foundation
|
On 6/12/08, Pádraic Brady <[hidden email]> wrote:
> I have finished my proposal for a Zend_Crypt_Rsa component, which will come
> in handy for a few uses, not least of which OAuth.
>
> http://framework.zend.com/wiki/pages/viewpage.action?pageId=3866770
>
> Comments from the community are more than welcome. As it stands the component
> is quite a neat OO wrapper around existing ext/openssl functionality.

The naming of this component is wrong. It should be Zend_Pki_Certificate or Zend_Pki_Key or some such. The word "Crypt" should be reserved for a generic crypto class and "Rsa" is just one implementation of a symmetric algorithm.

Also as long as I'm on a rampage, I will say I'm not a big fan of OO wrappers for the sake of OOP as if it is somehow inherently superior to just using an existing set of functions. What functional benefit does this API have over the builtin openssl API?

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
|
In reply to this post by padraicb
Hi Michael,

> The naming of this component is wrong. It should be
> Zend_Pki_Certificate or Zend_Pki_Key or some such. The word "Crypt"
> should be reserved for a generic crypto class and "Rsa" is just one
> implementation of a symmetric algorithm.

The naming is more categorical than specific - crypt/cryptography. Sorry if that's unclear - I go with short/existing namespaces where possible. One could argue against PKI as a namespace even, since the issue of trust is optional - there's no absolute requirement for a certification authority since you can issue your own uncertified keys in RSA.

> Also as long as I'm on a rampage, I will say I'm not a big fan of OO
> wrappers for the sake of OOP as if it is somehow inherently superior
> to just using an existing set of functions. What functional benefit
> does this API have over the builtin openssl API?

The major benefit, as noted for future implementation in the proposal, is making openssl an optional dependency. Same applies to Zend_Crypt_DiffieHellman. Secondly it also simplifies using these algorithms since a little abstraction goes a vast distance in cryptography making things accessible. Even over and above openssl only. Thirdly as an OO component mocking and testing is vastly simplified for other dependent source code. Fourthly openssl has crappy documentation that is plain wrong in obvious places. Fifthly (is fifthly a real word ;)), it distills one specific openssl usage in one specific API. Sixthly the proposal is for base functionality, but you can push some useful extras on top or extend for specific needs. Seventhly, I'm probably overlapping reasons a little I realise.

I know what your point is, but my point is largely that OO does add concrete benefits. They may not be huge benefits to everybody, but they are real nonetheless. Whether they are sufficient to warrant inclusion in the ZF is of course entirely the decision of a Zend review so get your comments and observations in on the proposal page itself.

Best regards,
Paddy

Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com
OpenID Europe Foundation

----- Original Message ----
From: Michael B Allen <[hidden email]>
To: Pádraic Brady <[hidden email]>
Cc: Zend Framework General <[hidden email]>
Sent: Thursday, June 12, 2008 10:15:12 PM
Subject: Re: [fw-general] Zend_Crypt_Rsa Proposed: Community comment welcome

On 6/12/08, Pádraic Brady <[hidden email]> wrote:
> I have finished my proposal for a Zend_Crypt_Rsa component, which will come
> in handy for a few uses, not least of which OAuth.
>
> http://framework.zend.com/wiki/pages/viewpage.action?pageId=3866770
>
> Comments from the community are more than welcome. As it stands the component
> is quite a neat OO wrapper around existing ext/openssl functionality.

The naming of this component is wrong. It should be Zend_Pki_Certificate or Zend_Pki_Key or some such. The word "Crypt" should be reserved for a generic crypto class and "Rsa" is just one implementation of a symmetric algorithm.

Also as long as I'm on a rampage, I will say I'm not a big fan of OO wrappers for the sake of OOP as if it is somehow inherently superior to just using an existing set of functions. What functional benefit does this API have over the builtin openssl API?

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
|
On 6/12/08, Pádraic Brady <[hidden email]> wrote:
> Hi Michael,
>
> > The naming of this component is wrong. It should be
> > Zend_Pki_Certificate or Zend_Pki_Key or some such. The word "Crypt"
> > should be reserved for a generic crypto class and "Rsa" is just one
> > implementation of a symmetric algorithm.
>
> The naming is more categorical than specific - crypt/cryptography. Sorry if
> that's unclear - I go with short/existing namespaces where possible. One
> could argue against PKI as a namespace even, since the issue of trust is
> optional - there's no absolute requirement for a certification authority
> since you can issue your own uncertified keys in RSA.

Zend_Crypt_Rsa makes sense if it just deals with the numeric details of the algorithm but when you start reading PEM files or just juggling public / private key pairs I think that should probably be part of some "Pki" classes.

> I know what your point is, but my point is largely that OO does add concrete
> benefits.

By itself I don't think it really does ultimately. I think that the real benefits of OOP only kick in when you actually use polymorphism. And I've been a little concerned that some of the components in ZF aren't reaping those benefits as well as they could.

If you created interfaces for block ciphers vs. hashing algorithms vs. certificate stuff ... etc then you might be able to really put OOP to work. You could change one line of code and use a completely different crypto system. But I don't really get the feeling from your API that you're thinking about such things. By doing $rsa->encrypt($data, $rsa->getPublicKey()) you've committed yourself to making Zend_Crypt_Rsa implement a key pair generating interface.

Unless you're putting OOP to work by getting polymorphic behavior from it, I don't think an OO wrapper by itself is much better than using the openssl and mcrypt functions directly. The wrapper just adds another layer that has different semantics which makes it harder to get started, to find answers, to do advanced things, to debug, ... etc.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
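The design argued for in the post above (callers coded against an interface, with PEM and key handling kept apart from the cipher operation), sketched over ext/openssl as an added example; it is not part of the thread or of the Zend_Crypt_Rsa proposal. The names AsymmetricCipher and OpensslRsaCipher are hypothetical, and PHP 7+ with ext/openssl is assumed.

```php
<?php
// Added illustration: AsymmetricCipher and OpensslRsaCipher are hypothetical
// names, not the Zend_Crypt_Rsa proposal's API.
interface AsymmetricCipher
{
    public function encrypt(string $plaintext): string;
    public function decrypt(string $ciphertext): string;
}

final class OpensslRsaCipher implements AsymmetricCipher
{
    private $publicKey, $privateKey;

    // Key material is parsed here once; generating or storing keys is not the cipher's job.
    public function __construct(string $publicPem, string $privatePem)
    {
        $this->publicKey  = openssl_pkey_get_public($publicPem);
        $this->privateKey = openssl_pkey_get_private($privatePem);
        if ($this->publicKey === false || $this->privateKey === false) {
            throw new RuntimeException('Could not parse PEM key material');
        }
    }

    public function encrypt(string $plaintext): string
    {
        // OAEP is requested explicitly; ext/openssl defaults to PKCS#1 v1.5 padding.
        if (!openssl_public_encrypt($plaintext, $out, $this->publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('Encrypt failed (input too long for the key?)');
        }
        return $out;
    }

    public function decrypt(string $ciphertext): string
    {
        if (!openssl_private_decrypt($ciphertext, $out, $this->privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('Decrypt failed');
        }
        return $out;
    }
}

// Constructed sample: a throwaway 2048-bit key pair generated at run time.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

// Callers depend only on AsymmetricCipher; swapping the implementation changes this one line.
$cipher = new OpensslRsaCipher($publicPem, $privatePem);
$ciphertext = $cipher->encrypt('session secret');
var_dump($cipher->decrypt($ciphertext) === 'session secret');
```

RSA encrypts only inputs shorter than the key size minus the padding overhead, so a wrapper of this kind should fail loudly on oversized input rather than truncate it.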
|
In reply to this post by Michael B Allen
On 6/12/08, Michael B Allen <[hidden email]> wrote:
> "Rsa" is just one implementation of a symmetric algorithm.

Correction: RSA is an asymmetric algorithm.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
