CDATA Zone

After quite some time, version 1.2.2 has finally been released. It can be downloaded at: http://xmlseclibs.googlecode.com/files/xmlseclibs-1.2.2.tar.gz

Changes include:

Features:
- Add support XPath support when creating signature. Provides support for
working with EBXML documents.
- Add reference option to force creation of URI attribute. For use
when adding a DOM Document where by default no URI attribute is added.
- Add support for RSA-SHA256

Bug Fixes:
- fix bug #5: createDOMDocumentFragment() in decryptNode when data is node
content (patch by Francois Wang)

Please submit any bugs or feature requests into the Issue Tracker.

Slides have been posted for the latest version of my Digital Identity talk.

The contents is a bit less technical than in the past and is aimed at wider audience than just developers. Please contact me if there are any questions on the material or topics presented. Rob Richards.

You can also find the slides from my OAuth presentation.

June 30th is a day I will never forget. It was the day I witnessed my sister pass away from lung cancer. A woman who was a non-smoker and lived an extraordinary life, I always believed Tracy would beat the odds. It really pisses me off. She wasn't a smoker, had a family, including 3 beautiful kids, yet was cut down in the prime of her life. She was only 3 years older than I and I cry foul!. All I can think of is the poem "Do Not Go Gentle Into That Good Night". We must all live life to the fullest which means taking advantage of every opportunity that arises and having the courage to do what we are afraid of doing. We all must "Rage, rage against the dying of the light."

I have always been the black sheep in my family. Doing things against the grain and not considered the norm. Although they didn't always agree with my choices, my family always supported my decisions. I really want to thank them with all my heart for that. Mom, I bet you never thought I would be where I am today Without everyone's support, I know I would never have achieved everything I have nor be where I am today. I thank you all for that. Julie, you have alway been there for me. No matter what I have been feeliing, you have always been there for me. No matter what you have always looked out for us.

Life is too short to just play by the book. We all need to take chances, do what makes us happy. How many of us regret not having had the courage to kiss the girl or say what we really want to say because we are scared of what other people think? My life hasn't been easy and I experienced all of this, so don't think its not normal. It wasn't until I realized that I don't really care what other people think as long as I am happy and I know what I am doing is right that I could truly live a life worth living. For that matter had I not been, I doubt that Julie and I would ever have gotten together, gotten married and eventually have our beautiful son Dean.

I ramble on..... I think the essence of what I am trying to say is that life is too short for fear, doubt, hate... We have to do what makes us happy. We need to experience everything that life has to give us. Being from farm country in Maine, I just have to quote Tim McGraw when he sings "Live Like You Were Dying". I really cannot sum it up better than his song.

Tracy, We love you.

Another php|tek has come and gone. Although a bit behind, I finally got my slides online for my Streaming XML talk. I lingered a little too long on a few topics so the XMLWriter portion was a bit rushed. If anyone has questions on any of the topics, feel free to drop me a line. I did promise a few people I would write a bit about XMLReader and XMLWriter, but it's slow going as I try to find the time. Hopefully in the not to distant future I can get to this. This Dad thing is really time consuming

I can remember back to last years php|tek. The morning of my web services workshop I found out that I was going to be a Dad. Needless to say that is one presentation I will never forget. It has been a long 9 months, but I am happy to say that I am now officially a father. My son Dean was born at 1:03 am on Jan 27th. Both Julie and Dean are doing well, though Dean gets to sleep much more than we do. Life sure is going to change dramatically, but none of us would have it any other way. Dean, if you happen to be reading this years from now, pulled from the archives of some search engine, I just have to say that you are the most precious thing to your mother and I (seeing you don't have any siblings....yet).

As many people have found out, entity handling in ext/xml is broken when used with libxml2 2.7.0-2.7.2. The problem lies with the way pre-defined entities are handled; or rather not handled when used with one of the newer libxml2 versions. The entities, &, < , >, ' and " never get passed to the user's callbacks, causing a big problem in quite a number of applications out there. Needless to say, I've received a good amount of hate mail over this problem. Got to love people. You never hear how grateful anyone ever is, but sure as hell once there is a problem they are all over you. Anyways, I digress.

Although I have been telling people for a few years now that they should use XMLReader rather than ext/xml, this breakage was not intentional; no matter what anyone says – Yes, I've had a few throw that out there. The good news is that the problem has finally been fixed, but will require both an updated PHP (5.2.9+) and libxml2-2.7.3, although none of them have yet been released. Until things are available, the available options are to either compile your own builds using the code from the libxml2 and PHP repositories, don't upgrade to libxml2 2.7.x yet if you haven't yet done so, build ext/xml with expat rather than libxml2, or lastly, convert your PHP code to use XMLReader.

My parting thought on this to everyone is just switch to the XMLReader extension. It's faster, easier to use and much more powerful.

While working on OAuth implementations for our clients at Mashery, one of the biggest issues I see developers running into is how to debug and fix invalid signature errors. There are numerous OAuth libraries out there, in fact we even have our own, so how do you determine which side is really generating the correct signature and which has a flaw in the logic? I find that using a third party library is a great way to quickly zero in on which side is at the root of the issue. The problem, however, is there are no readily available tools to do this. I have found a number of test applications, but they pretty much are for testing wether a consumer library/app is working correctly against them.

We mostly deal with providing the service provider side of OAuth, meaning numerous different endpoints, so these tools were of little help. I ended up writing a down and dirty signature generation app using the C# OAuth library (so Windows only folks). It will generate a signature based on the different OAuth parameters you enter. You can use this to compare the signature it generates to that from your consumer app or service provider. Full source code and more detailed information can be found on the Mashery Customer Solutions site. Time permitting, I may continue to add features to this tool. Hopefully others find this useful as well.

Source and Binaries: OAuth Signature Validation Tool

Slides have been posted for the latest version of my Digital Identity talk.

This talk has evolved since I first starting giving it, but the latest version simple needed more time to present. I was asked to combine all the topics (OAuth was to be its own presentation) into one, which I probably won't do again. Even just only covering the absolute basics, I found that there just isn't enough time to cover them all in the short amount of time, so some material was skimmed over. If anyone has any questions on any of the material, please feel free to contact me.

I've been getting a number of emails asking if I'm still alive and kicking. The answer is yes, just have had a lot of things going on lately. Those of you who were at php|tek in Chicago this year know that my wife and I are having our first baby. We've been busy doing the doctor's visits, shopping, getting nursery ready, shopping, wondering if we have everything we need, and did I mention shopping. Never realized how expensive babies are and he's not even here yet (Yes, I said "he", we are having a boy).

On the flip side, work has been very hectic. Things are going well and we are very busy. For the past 5-6 months, on top of my regular work on our proxy, I have been living and breathing OAuth. Unlike OpenID, which is really only found in the social networking/blogging areas, and Information Cards which is still new and has some ways to go for more widespread adoption, companies have started actively adopting and implementing OAuth for use with their APIs. Things should start getting interesting once they start rolling these out to the general public.

I'm still involved with my xmlseclibs project, PHP and libxml2/libxslt. I just haven't had as much time over the past few months. I try to fix what I can when I get a chance, but my participation really has been slacking. With fall having started and winter on the way, I'll have more free time to work on these things. Hope to hit some of the feature requests I've gotten in the XML/PHP areas, as well as soon add some additional functionality to xmlseclibs to work with WS-BPEL (just needs some additional testing). If there are any additional feature requests or bugs I haven't looked at yet (I got a number via email that aren't in any of the bug systems - so may have forgotten about them), let me know and I'll make sure they make my TODO list.

My buddies over at AITCOM did it again. On July 10th, around 5:45 pm EST my server went mia. Being a Friday and occasionally experiencing the minor outages (< 5 minutes), I didn't give it much thought and left it for the night. The outage wasn't as minor as I had thought, the next morning I go to check email and nothing... The server was dead in the water. Calls to AIT pretty much fell on deaf ears. They performed a reboot and called it fixed. Of course they test things really well. After my forever long wait on hold back on the phone with them and once again my outage report falls on deaf ears. They tell me that they went ahead and found no hardware failure, so this must be my fault and I have to pay them to look into it. Their admins much be morons, after a couple of minutes, without any access to their network, I was able to determine that my IP addresses had been re-assigned elsewhere. Would you believe that even after telling them this, they said there is no hardware problem and that I had to pay them to get this issue resolved. WTF?!?!?!

After a few deep breaths, I said fine as long as once they found out that the problem was theirs that I wasn't going to be charged. Day after day, no progress. I spent many hours on the phone ripping their customer service people new ones. I hate dealing with customer service people. Their roll is simply to be cannon fodder for the times serious issues arise. All they can say is that they are sorry, someone is working on it and no one else there can help, so I have to be patient. Between that and their incompetent engineers, I am surprised they are still in business. Finally after 5 days, they come back and tell me things are fixed and I wont be charged because it was due to a hardware failure on their end. It took 5 frickin days to figure out there was a hardware failure somewhere (that only was affecting my server of course) and they even knew where to start looking from? Things didn't sound right to me. At least I was able to get my mail back online along with my blog. The problem is that I still don't have 6 of my IP addresses. I am now on day 7 of this and my server is only limping along. The only saving grace here is that the server isn't running anything critical. Imagine being a business customer and having a complete outage for 5 days and after 7 days you still are only partially online. I think it might be time to look for a new provider :/