[OpenID] avoiding NIH

Troy Benjegerdes hozer at hozed.org
Mon Feb 26 23:58:13 UTC 2007

On Mon, Feb 26, 2007 at 03:39:39PM -0800, Kevin Turner wrote:
> On Mon, 2007-02-26 at 14:17 -0800, P??draic Brady wrote:
> > As for a *second* PHP library - I completely agree its blatant NIH
> > (Not Invented Here) practice but that's what is required in order for
> > OpenID support to be integrated directly into the Zend Framework under
> > a New BSD License and the clean IP policy, as well its PHP5-only
> > rules.
> Sounds like you've already figured out what you need to do for Zend, but
> I think there might be others going through a similar process now or in
> the future, and I want them to know that these things are often
> negotiable.  If you need a different license, ask us about it.  If you
> have any other concerns about IP issues, talk to us.  We didn't write
> this code just for the heck of it, we wrote it because we think it's
> important for everyone to have stable, secure, full-featured code
> available to support OpenID.  We want you to take advantage of that
> code, and if there's anything stopping you from doing so, we want to
> know about it.
> It's great to see more developers involved in this space.  And,
> theoretically speaking, it might be better for the ecology if we don't
> have a monoculture in OpenID implementations.  But it's also a shame to
> duplicate work that's already been done when there's so much work left
> to do to build on what everyone here has started.

I cringe when I hear someone say "Let's avoid NIH with OpenID" since I
often feel like OpenID reinvents Kerberos cross-realm authentication, or
other web-based single sign-on systems like shibboleth, weblogin, etc.

OpenID is very new, and there are going to be nasty security bugs in
various implementations. It's going to take time, and lots of different
codebases to work them all out... Let's not discourage anyone from
writing new code.

More information about the general mailing list