+1 (non-binding) On Fri, May 7, 2010 at 9:42 AM, David Jencks <david_jen...@yahoo.com> wrote:
> +1 (not yet binding?) > > thanks > david jencks > > On May 4, 2010, at 3:48 PM, Simone Gianni wrote: > > > I would like to present for a vote the following proposal to be sponsored > by > > the Shindig PMC for a new "Amber" podling. The goal is to build a > community > > around delivering a OAuth v1.0, v1.0a and upcoming v2.0 API and > > implementation > > > > The proposal is available on the wiki at and included below: > > > > http://wiki.apache.org/incubator/AmberProposal > > > > [] +1 to accept Amber into the Incubator > > [] 0 don't care > > [] -1 object and reason why. > > > > Thanks, > > Simone Gianni > > > > --- Proposal text from the wiki --- > > > > = Amber = > > == Abstract == > > The following proposal is about Apache Amber, a Java development > framework > > mainly aimed to build OAuth-aware applications. After a brief explanation > of > > the OAuth protocol, the following proposal describes how Apache Amber > solves > > issues related to the implementation of applications that adhere to such > > specification. > > > > == Proposal == > > Amber will have no or negligible dependencies and will provide both an > API > > specification for, and an unconditionally compliant implementation of, > the > > OAuth v1.0, v1.0a and v2.0 specifications. The API specification will be > > provided as a separate JAR file allowing re-use by other developers and > > permits configuration: > > > > * by XML > > * by the Java JAR Services "ServiceLoader" mechanism > > * programmatically > > > > The API component specifies that an implementation must provide default > > classes for Provider, Consumer and Token objects making Amber easy to > > integrate with existing infrastructure and OAuth client interactions > > possible with virtually no additional configuration. The API is flexible > > enough to allow programmatic customisation or replacement of much of the > > implementation, including the default HTTP transport. > > > > Amber will provide both client and server functionality, enabling > developers > > to deploy robust OAuth services with minimal effort. > > > > == Background == > > Roughly, OAuth is a mechanism that allows users to share their private > > resources, like photo, videos or contacts, stored on a site with another > > site avoiding giving their username and password credentials. Hence, from > > the user point-of-view, OAuth could be the way to improve their > experience > > across different applications with an enhanced privacy and security > control > > in a simple and standard method from desktop and web applications. The > > protocol was initially developed by the oauth.net community and now is > under > > IETF standardization process. > > > > The main idea behind OAuth is represented by the token concept. Each > token > > grants access to a site, for a specific resource (or a group of > resources), > > and for a precise time-interval. The user is only required to > authenticate > > with the Provider of their original account, after which that entity > > provides a re-usable to token to the Consumer who can use it to access > > resources at the Provider, on the users behalf. > > > > Moreover, the total transparency to the user, that is completely unaware > of > > using the protocol, represents one of the main valuable characteristics > of > > the specification. > > > > Apache Amber community aims not just to create a simple low-level > library, > > but rather to provide a complete OAuth framework easy to use with Java > code, > > on top of which users can build new-generation killer applications. > > > > There are currently three implementation efforts going on in ASF for > OAuth > > v1. A stable implementation of OAuth v1 is present in Apache Shindig, but > it > > is not actively developed and not shared with other projects. A Lab > having > > Simone Tripodi as its PI is working on an implementation for an OAuth > > library that could be used by other products. Zhihong Zhang wrote an > OAuth > > plugin for JMeter. > > > > At the same time, on the IETF OAuth v2 mailing list, other people > expressed > > interest for a Java API and implementation, among them two Apache > committers > > and one active contributor. > > > > Outside the ASF there are three known Java OAuth 1.0/1.0a libraries > > > > * The oauth.net reference implementation by John Kristian, Praveen > Alavilli > > and Dirk Balfanz. > > * OAuth SignPost - a simple OAuth message signing client for Java and > > Apache HttpComponents by Matthias Kaeppler. > > * OAuth Scribe - a simple OAuth client by Pablo Fernandez. > > * asmx-oauth (on google code) - a complete open source OAuth 1.0 Consumer > > and Service Provider implementation provided by Asemantics Srl (Simone > > Tripodi was involved). > > > > == Rationale == > > The key role played by the OAuth specification, within the overall Open > > Stack technologies, jointly with its high degree of adoption and > maturity, > > strongly suggest having an Apache leaded incubator for suitable reference > > implementation. Furthermore, the OAuth specification is currently gaining > > value due to its involvement in a standardization process within the > IETF, > > as the actual internet draft. Having the Apache Amber as an Apache > Incubator > > could be an opportunity to enforce the actual Apache projects that > already > > reference other IETF specifications. > > > > Moreover, other Apache Projects, such as Abdera, Shindig and Wink, are > > currently supporting the OAuth protocol, so having the OAuth Apache > > reference implementation should benefit not only the project and the > related > > commmunity itself, but also existing and active Apache projects. > Combining > > efforts from existing Apache projects is a logical step. > > > > Providing an Apache licensed library will make it easier for other Apache > > projects to integrate OAuth, like, for example: > > > > * It could be the foundation framework for Consumer developers; > > * It could be the foundation Framework for Service Provider developers; > > * It could be integrated into Apache Shindig; > > * It could be integrated into Apache Abdera; > > * It could be integrated into Apache Wink; > > * It could be integrated into Spring Security; > > * It could be integrated with JAAS (and be deployed in Tomcat-based > Servlet > > Containers); > > * It could be integrated into Jakarta JMeter; > > * Apache Wookie (incubating) expressed interest in an OAuth > implementation; > > * Most importantly, it could be a backend for dozens of useful new > > innovative projects that no-one has envisioned yet. > > > > = Current Status = > > Code in the [[http://svn.apache.org/viewvc/labs/amber|Amber Lab]] and in > > Apache Shindig is already licensed to the ASF. More contributions of code > > and ideas are expected from initial committers, so an implementation of > > OAuth v1 should be reached quickly, and act as a base for an OAuth v2 API > > and implementation. > > > > == Meritocracy == > > As a majority of the initial project members are existing ASF committers, > we > > recognize the desirability of running the project as a meritocracy. We > are > > eager to engage other members of the community and operate to the > standard > > of meritocracy that Apache emphasizes; we believe this is the most > effective > > method of growing our community and enabling widespread adoption. > > > > == Community == > > The amount of interest in the OAuth protocol from enterprises, social > > networks and individual developers suggests a strong community will > develop > > once the framework to support one is laid. > > > > == Core Developers == > > * Simone Gianni <simoneg at apache dot org> (Semeru) > > * Simone Tripodi <simonetripodi at apache dot org> (Sourcesense) > > * Stuart "Pid" Williams <pid at pidster dot com> (Clubtickets.com) > > * David Recordon <recordond at apache dot org> (Facebook) > > * Tommaso Teofili <tommaso at apache dot org> (Sourcesense) > > > > == Alignment == > > The purpose of the project is to develop an implementation of OAuth v1 > and > > OAuth v2 that can be used by other Apache projects. > > > > = Known Risks = > > == Orphaned Products == > > Being OAuth a standard receiving a lot of interest, and being v2 an > ongoing > > work in IETF, we believe there is minimal risks of this work becoming > > non-strategic and the contributors are confident that a larger community > > will form within the project in a relatively short space of time. > > > > == Inexperience with Open Source == > > All of the committers have experience working in one or more open source > > projects inside and outside ASF. > > > > == Homogeneous Developers == > > The list of initial committers are geographically distributed across the > > U.S. and Europe with no one company being associated with a majority of > the > > developers. Many of these initial developers are experienced Apache > > committers already and all are experienced with working in distributed > > development communities. > > > > == Reliance on Salaried Developers == > > To the best of our knowledge, none of the initial committers are being > paid > > to develop code for this project. > > > > == Relationships with Other Apache Products == > > A number of existing ASF projects could benefit from an OAuth > > implementation, including Apache Shindig, Apache Abdera, Apache Wink, > Jmeter > > which are already using partial and non standardized OAuth > implementations. > > Basically any other server-side framework or application could benefit by > > using Amber. It is hoped that members of those projects will be > interested > > in contributing to and adopting this implementation. > > > > == A Excessive Fascination with the Apache Brand == > > Amber fits naturally in the ASF because : > > > > * It is an implementation of an open standard > > * It is a server component on which many other projects can depend on > > > > = Documentation = > > [1] More information about OAuth can be found here:<<BR>> > > http://www.oauth.net/ > > > > [2] The IETF discussion about the emerging OAuth v2.0 specification is > > occuring on this mailing list<<BR>> oa...@ietf.org > > > > = Initial Source = > > The intial source comprises code developed inside Apache Labs, other > Apache > > projects and contributed under the CLA. > > > > = Source and Intellectual Property Submission Plan = > > Source code will be moved from SVN space of Apache Labs, Apache Shindig > and > > other appropriately licensed sources inside the SVN space of the podling. > > > > = External Dependencies = > > None known > > > > = Cryptography = > > The project will use cryptographic utilities available as standard in > Java > > 6. > > > > = Required Resources = > > * Mailing lists > > * amber-private (with moderated subscriptions) > > * amber-dev > > * amber-user > > * amber-commits > > * Subversion directory > > * https://svn.apache.org/repos/asf/incubator/amber > > * Website > > * Confluence (AMBER) > > * Issue Tracking > > * JIRA (AMBER) > > > > = Initial Committers = > > Names of initial committers with affiliation and current ASF status: > > > > * Simone Gianni <simoneg at apache dot org> (Semeru) > > * Simone Tripodi <simonetripodi at apache dot org> (Sourcesense) > > * Stuart "Pid" Williams <pid at pidster dot com> (Clubtickets.com) (CLA > > filed) > > * David Recordon <recordond at apache dot org> (Facebook) > > * Tommaso Teofili <tommaso at apache dot org> (Sourcesense) > > * Paul Lindner <lindner at inuus dot com> (LinkedIn) > > * Pablo Fernandez <fernandezpablo85 at gmail dot com> (LinkedIn) > > > > = Sponsors = > > == Champion == > > * Brian McCallister <brianm at apache dot org> > > > > == Nominated Mentors == > > * Henning Schmiedehausen <henning at apache dot org> > > * Jean-Frederic Clere <jfclere at gmail dot com> > > * Gianugo Rabellino <gianugo at apache dot org> > > * David Jencks <djencks at apache dot org> (Waiting on IPMC) > > > > == Sponsoring Entity == > > * Shindig PMC - Confirmed Apr 29, 2010 > > > > = Other interested people = > > * Saleem Shafi <mshafi at paypal dot com> > > * Chirag Shah (Apache Shindig Committer) > > * Greg Brail <gbrail at sonoasystems dot com> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > >
