Identity/Authentication and PHP OpenSSL updates in the pipeline

I've been idly daydreaming about improving my blog. This is something (the daydreaming) I've been doing for some time with George and more recently with Chris. There are a number of things that I want to change (that aren't really worth talking about right now), but one of the main things is adding support for emerging authentication technologies.

I've had support for external authenticators on this blog for a couple of years now--you can login using your php.net cvs username and password if you wish. Why do I have an external authentication mechanism? I don't want to maintain a user database just for my blog. It's more moving parts and requires things like sending email pings to random email addresses (which could be abused by malicious folks) and mechanisms for resetting or retrieving a forgotten password. Not to mention that it's yet another username/password to be remembered by the person doing the commenting.

More and more people are beginning to think the same way that I did back in the spring of 2004 and so we have technologies such as TypeKey and OpenID emerging to make life simpler. TypeKey is a service provided by SixApart to allow third parties to assert that someone is a verified user of their services. OpenID is an open protocol that allows anyone to authenticate a user against an OpenID server. OpenID is a decentralized protocol; there is no central managing body and anyone can run an OpenID server.

There are a couple of OpenID services out there; I'm using the VeriSign OpenID server for my online identity because it very clearly puts me in control over what profile information is released to the site requesting authentication.

I found TypeKey easier to implement than OpenID, but I like OpenID more because I can use my own URL for my identity, and I'm not forced to register with a single authentication provider. TypeKey also exposes its authentication scheme via OpenID, so if you only implement OpenID, you can still authenticate TypeKey users.

At the time of writing, TypeKey doesn't support the simple registration extension for OpenID so you have to prompt the user for their name/email. If you use native TypeKey authentication you get the name/email automatically.

These are browser-based authentication technologies, similar to the Yahoo! browser-based auth scheme, but have the advantage that you get identity information in addition to the authentication result. That means that, using yahoo bbauth, while you get an opaque token on successful auth, you still don't know the name or the user, their email address or even a web page URL. That's part of the design of bbauth, protecting the privacy of yahoo users, but at the same time limiting the utility of the scheme for lazy programmers like me. My goal is to display the users nickname and blog url in the comments section of my blog without building the machinery for sending out email verification. Yahoo bbauth doesn't currently support that, but I've heard that Y! are looking into expanding that in the future.

I've been looking at the PHP implementations of consumers of each of those technologies and, at least to my eyes, they're screaming for some better support from PHP. I've been working on a patch for the openssl extension that provides functions for verifying DSA signatures and performing the steps of the Diffie-Hellman key exchange algorithm which are used in TypeKey and OpenID respectively. Once this patch is mainstream it will eliminate the need for performing big number math in PHP script.

I have plans to release the patched openssl extension via PECL in the near future, so you won't have to wait for PHP 5.2.1 to use it.