Jacques Marneweck's Blog

Hi Jacques, there's another PHP/PEAR library for TypeKey coming soon, that I'll be linking to on our upcoming Professional Network site, so if you haven't pre-registered, you'll want to sign up at sixapart.com/network and I'll let everyone know as soon as we've posted news on it.

Hi Anil

I started hacking up some code for Auth_Typekey and found my one big problem is that there is no Crypt_DSA in PEAR, which would have made the job a bit easier for making some bits and pieces work for some other proof of concept guestbook application stuff I'm working on.

Also what might be useful is some sort of API document explaining how the Typekey API works, which should be easy enough to write in a document explaining how the bits and pieces works. I'll write something based on my experiments into the Typekey API.

I found another implementation of TypeKey on PHP that I think Anil pointed me to. Then I read this document:
http://www.movabletype.org/docs/tk-apps.html
to get a better idea about what was going on.

I spent some time over the weekend hacking away at a typepad PECL module, which needs a lot of work still to get it to deal with the message array and figuring out how to validate a signature.

The TK 0.1 is quite useful where you want Movable Type to authenticate against your own 'TypeKey' style interface, but they don't provide any verification of the stuff back from TypeKey making it trivial to exploit in their code, but using curl and faking to have been refered by TypeKey etc. etc.

What I would like to see however is someone who has experience coding c and PHP extensions to give some pointers on how to get PHP to parse an array of variables being used for the verification and (b) TypeKey to use md5 verification of the data we are sending to TypeKey similar to World Pay, which is useful for checking that someone is not fiddling in the process.