Hey, community. As a part of zope.app.security refactoring process, a new package has been created - "zope.authentication". It basically contains IAuthentication and other auth-related interfaces, as well as PrincipalSource. So it's intended to define a basic concepts and contracts of principal authentication for the zope framework to be implemented by other packages. There are three implementations that I know of currently: the "global principal registry" from zope.app.security (it will be moved into new package, called "zope.principalregistry"), the zope.app.authentication and z3c.authenticator. It's quite request type independent so it can be used with non-zope.publisher requests, like WebOb or something, but here the problem appears: The zope.app.security defines the ILoginPassword (getLogin,getPassword,needLogin) adapters for zope.publisher's HTTP and FTP requests. I wonder where should they go, because the "zope.authentication" package doesn't want to depend on zope.publisher, as (like i said before) it is intended to be tiny and independent on any request implemenation. I'd move those adapters into zope.publisher itself, but this will require adding the "zope.authentication" dependency for zope.publisher, which I think is okay, because zope.authentication is very small and will probably be used together with zope.publisher anyway. Another solution which I like much less is to move those adapters to "zope.authentication" and define an extra dependency (sigh) on zope.publisher, but then the package won't be so nice, clean and generic as it could be. :-) Opinions? -- WBR, Dan Korostelev