On Thu, 11 Oct 2001, Michal Rokos wrote:

> Hello!
>
Hi,

> 	I'd like to ask if anybody had seen my Ruby-OpenSSL project (OSSL)?
> 
Just did. I'm not very familiar with SSL but been looking for a good
crypto library for Ruby. Yours might be it...

Since I haven't checked it out yet it's hard to be specific, but I can give
you the goal I *strive* for when doing a wrap or extension (collectively
called a 'gem' below) for Ruby (BUT your mileage may vary):

 SimpleAndNaturalDesign
  Get the design as simple, natural and Ruby-esque as possible (in
  that order). The gem should embody the best human knowledge on the
  subject and package it so that it can be used with as little additional
  knowledge as possible. Users should, ideally, be able to guess the
  interface without reading docs.

For me, this is what sets Ruby apart from the other languages out
there. IMHO, Matz has been amazingly successful in this regard.

This leads to:
Abstract away from implementation. If I want to use a Blowfish cipher I
  shouldn't need to think about OpenSSL or any of its specifics. Conformance 
  to existing software might be needed sometimes (maybe people out there
  are so used to SSL that their concepts about cryptography are tied to
  the SSL nomenclature) but then why not give convenience classes that
  wrap up the specifics in the most natural way.

I guess it all boils down to adhering to PoLS ("Principle of Least
Surprise") and/or PlatonicUniverseTM ("Things working as they should/would
in an ideal (parallel) universe").

Note that I don't claim I generally succeed in doing this; quite the
opposite! But it's a goal... ;-)

> 	Does anybody have some ideas? (I don't want to write code and then rewrite all again)
> 
> 	Right now the structure is quite plain: everything is under OSSL module, I was thinking about
> 		OSSL:: module (or other name - I'd like to KNOW!!!)
> 			Digest:: module - SHA1, MD5, MD4, ... classes there
> 			X509:: module
> 				- Cert, CRL, Name,... there
> 	
> 	What do you think about?
> 
In line with above, it would be great if you pack the crypto-related stuff
into a module Cryptography. They are important independently of SSL. I
would put that module at top level (ie. not within OpenSSL or whatever you
call your top-level module/namespace) since, when I need a cipher I don't
want to think about whether it is in OpenSSL or not. But I guess
OpenSSL::Cryptography might be ok as not to clash with other potential
crypto libs. 

(and I'd still have to know where the files are located
within OSSL... Maybe this can be solved in Raa.succ/RubyGems or what it'll
be named by having the gems put stuff in a database at install time so
that I can do a "logical" require:

  lrequire 'Cryptography/Cipher/Blowfish'

or even

  lrequire /Blowfish/i

which would raise an error if I don't have any Blowfish implementation and
prompt me to get one from Raa.succ or raise an error showing multiple 
implementations. Na, probably will be difficult until we have contracts in
there and an algorithm ontology. Would be really cool to set such an
ontology up though...)

BTW, I don't really fancy acronyms unless they are "standard". To me
OpenSSL would be ok but not OSSL (since there is for example the
"Operating System Simulation Language"), even though I'd probably
opt for SecureSocketsLayer since that is what it is (NOT how it is
implemented: via OpenSSL). But again, these namespace issues are not easy.

Could you enlighten me on how the crypto lib in OpenSSL/SSL compares
to other OO crypto libraries like mxCrypto (Python) or Java Cryptography
Architecture? (Design-wise and breadth-wise)

> 	Also - do you want instance variables to classes or getter, setter approach is OK???
> 
I'd like ruby-style, ie. attr_accessor, because it's simpler and more
natural.

Regards and keep up the good work,

/Robert Feldt