-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I just received an email from my OpenID provider, "myOpenID", saying that they will drop OpenID service next February. I wonder what other OpenID providers are used by other python-dev fellows.
What are you using? Could bugs.python.org admins share some data?
I agree that OpenID is (quite) dead, but I'd rather use OpenID than user/pass. I have big hopes for Mozilla Persona, and am looking forward to Python infrastructure support :).
PS: I use "http://www.jcea.es/" as my OpenID identity, and I delegate the actual service to "myOpenID". I can switch delegation trivially.
-- Jesús Cea Avión jcea@jcea.es - http://www.jcea.es/ Twitter: @jcea jabber / xmpp:jcea@jabber.org "Things are not so easy" "My name is Dump, Core Dump" "El amor es poner tu felicidad en la felicidad de otro" - Leibniz
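The delegation Jesús describes works through OpenID's HTML-based discovery: the page served at the identity URL carries `<link>` tags that name the provider endpoint and the identifier the provider knows the user by, so switching providers is a matter of editing two tags. The code below is an added example, not code from this thread or from any of the participants. It implements that discovery step for both the OpenID 2.0 (`openid2.provider` / `openid2.local_id`) and the legacy 1.1 (`openid.server` / `openid.delegate`) tag pairs, and adds the relying-party check Toshio mentions later in the thread, restricting which providers a deployment will accept. The sample page is constructed; the myopenid.com endpoint and local-id URLs in it are assumptions in the shape myOpenID used, not fetched from www.jcea.es.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a delegating identity page. The provider/local-id URLs
# are assumptions in the shape myOpenID used, not copied from www.jcea.es.
# Both the 2.0 and the legacy 1.1 link pairs are present, as delegation pages
# commonly did. The <link> inside <body> must be ignored by discovery.
SAMPLE_HTML = """<html><head><title>Identity page</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://jcea.myopenid.com/">
<link rel="openid2.provider" href="http://www.myopenid.com/server">
<link rel="openid2.local_id" href="http://jcea.myopenid.com/">
</head><body><p>Hello.</p>
<link rel="openid2.provider" href="http://attacker.example/server">
</body></html>"""

# Constructed 1.1-only page with no delegate tag: the claimed identifier
# itself is what gets sent to the provider.
SAMPLE_HTML_LEGACY = """<html><head>
<link rel="openid.server" href="http://op.example/endpoint">
</head><body></body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect rel -> href for <link> tags inside <head>; first one per rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False      # only <head> links take part in discovery
        if tag != "link" or not self._in_head:
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.lower().split():   # rel may carry several tokens
                self.links.setdefault(token, href.strip())


def discover(claimed_id, html):
    """HTML-based discovery for an OpenID identifier.

    Returns None when the page names no provider, otherwise a dict with the
    provider endpoint, the protocol version, the claimed identifier (what the
    relying party records for the user) and the local identifier (what the
    provider is asked to authenticate; defaults to the claimed identifier).
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:             # OpenID 2.0 tags take precedence
        version, endpoint = 2, links["openid2.provider"]
        local_id = links.get("openid2.local_id", claimed_id)
    elif "openid.server" in links:              # OpenID 1.1 fallback
        version, endpoint = 1, links["openid.server"]
        local_id = links.get("openid.delegate", claimed_id)
    else:
        return None
    return {"version": version, "endpoint": endpoint,
            "claimed_id": claimed_id, "local_id": local_id}


def provider_allowed(endpoint, allowed_hosts):
    """Relying-party policy hook: accept only providers whose host is listed.

    The claimed identifier is user-chosen and its page is fetched over whatever
    scheme it uses, so the discovered endpoint is attacker-influenced input; a
    site that only trusts its own provider (or a short list) checks it here.
    """
    host = urlparse(endpoint).hostname
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}
```

Note the caveat this makes visible: when the identity page is served over plain http, anyone on the path can rewrite the delegation tags and point the relying party at a provider of their choosing, which is why the endpoint allowlist sits on the relying-party side rather than being inferred from the page.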
On Thu, Sep 05, 2013 at 07:31:59PM +0200, Jesus Cea jcea@jcea.es wrote:
I used to use myOpenID and became my own provider using poit[1]. These days I seldom use OpenID -- there are too few sites that allow full-featured login with OpenID. The future lies in OAuth 2.0.
Oleg.
On Sep 5, 2013, at 2:12 PM, Oleg Broytman phd@phdru.name wrote:
I used to use myOpenID and became my own provider using poit[1]. These days I seldom use OpenID -- there are too few sites that allow full-featured login with OpenID. The future lies in OAuth 2.0.
The Auth in OAuth stands for Authorization not Authentication.
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Thu, Sep 05, 2013 at 02:16:29PM -0400, Donald Stufft donald@stufft.io wrote:
The Auth in OAuth stands for Authorization not Authentication.
There is no authorization without authentication, so OAuth certainly performs authentication: http://oauth.net/core/1.0a/#anchor9 , http://tools.ietf.org/html/rfc5849#section-3
Oleg.
On Thu, Sep 05, 2013 at 10:25:22PM +0400, Oleg Broytman wrote:
On Thu, Sep 05, 2013 at 02:16:29PM -0400, Donald Stufft donald@stufft.io wrote:
The Auth in OAuth stands for Authorization not Authentication.
There is no authorization without authentication, so OAuth certainly performs authentication: http://oauth.net/core/1.0a/#anchor9 , http://tools.ietf.org/html/rfc5849#section-3
Sortof.... The way OAuth looks to me, it's designed to prove that a given client is authorized to perform an action. It's not designed to prove that the given client is a specific person. In some cases, you really want to know the latter and not merely the former. So I think in these situations Donald's separation of Authz and Authn makes sense.
-Toshio
On Sep 05, 2013, at 11:33 AM, Toshio Kuratomi wrote:
Sortof.... The way OAuth looks to me, it's designed to prove that a given client is authorized to perform an action. It's not designed to prove that the given client is a specific person. In some cases, you really want to know the latter and not merely the former. So I think in these situations Donald's separation of Authz and Authn makes sense.
This probably isn't the only application of these technologies, but I've always thought about OAuth as delegating authority to scripts and programs to act on your behalf. For example, you can write a script to interact with Launchpad's REST API, but before you can use the script, you have to interact with the web UI once (since your browser is trusted, presumably) to receive a token which the script can then use to prove that it's acting on your behalf. If at some point you stop trusting that script, you can revoke the token to disable its access, without having to reset your password.
To me, OpenID is about logging into web sites using single-sign on. For example, once I've logged into Launchpad, I can essentially go anywhere that accepts OpenID, type my OpenID and generally not have to log in again (things like two-factor auth and such may change that interaction pattern).
Or to summarize to a rough approximation: OpenID is for logins, OAuth is for scripts.
Persona seems to fit the OpenID use case. You'd still want OAuth for scripting.
-Barry
On Thu, Sep 05, 2013 at 02:53:43PM -0400, Barry Warsaw wrote:
Persona seems to fit the OpenID use case. You'd still want OAuth for scripting.
<nod> However, in some cases, Persona/OpenID can make more sense for scripts. For instance, if you have a script that is primarily interactive in nature, it may be better to have the user login via that script than to have an OAuth token laying around on the filesystem all the time (Contrariwise, if the script is primarily run from cron or similar, it's better to have a token with limited permissions laying around on the filesystem than your OpenID password ;-)
It's probably also useful to point out that OAuth (because it was developed to let third party websites have limited permission to act on your behalf) is more paranoid than strictly required for many scripts where that "third-party" is a script that you've written running on a box that you control. If that's the main use case for your service, OAuth may not be a good fit for your authz needs.
-Toshio
On Sep 5, 2013, at 2:25 PM, Oleg Broytman phd@phdru.name wrote:
There is no authorization without authentication, so OAuth certainly performs authentication: http://oauth.net/core/1.0a/#anchor9 , http://tools.ietf.org/html/rfc5849#section-3
They are separate topics and authorization does not need to imply authentication, it so happens that in many particular instances of OAuth you can estimate authentication.
https://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_O...
Persona is the logical successor to OpenID.
On Thu, Sep 05, 2013 at 02:35:16PM -0400, Donald Stufft donald@stufft.io wrote:
Persona is the logical successor to OpenID.
OpenID lived a short life and died a quiet death. I'm afraid Persona wouldn't live even that much. Dead-born idea, in my so humble opinion.
Oleg.
On Sep 5, 2013, at 2:43 PM, Oleg Broytman phd@phdru.name wrote:
OpenID lived a short life and died a quiet death. I'm afraid Persona wouldn't live even that much. Dead-born idea, in my so humble opinion.
I don't think there's much evidence to support this. I'm seeing more sites support Persona not less. It solves some of the major problems with OpenID.
OpenID lived a short life and died a quiet death. I'm afraid Persona wouldn't live even that much. Dead-born idea, in my so humble opinion.
I don't think there's much evidence to support this. I'm seeing more sites support Persona not less. It solves some of the major problems with OpenID.
I was completely unaware of OpenID's demise. Can someone point me to/provide an explanation? I much prefer using OpenID to login to a site than having to either come up with yet another username/password which I will just forget, or using Facebook or similar (I don't really trust them with my info).
Thx,
Skip
Skip Montanaro skip@pobox.com writes:
I was completely unaware of OpenID's demise.
It has failed at its stated purpose, which was to obviate the need for services to provide their own ad hoc systems and allow users to consolidate their digital identities.
This is evident by looking at how few sites have added OpenID login in the past several years, and how many that once had it have dropped it.
If you're unaware of that, I can only surmise you haven't been trying to log in with an OpenID to anything newer than about 2009.
Can someone point me to/provide an explanation?
An explanation in terms of what? I can point you to punditry <http://www.25hoursaday.com/weblog/2011/01/30/LearningFromOurMistakesTheFailureOfOpenIDAtomPubAndXMLOnTheWeb.aspx> and hand-wringing <http://geekyschmidt.com/2011/01/31/openid-death-greatly-exaggerated>.
My own take is that most people choose convenience and expedience over security and freedom, hence Facebook and Twitter and Google have taken over the online identity game instead of a federated identity system.
I much prefer using OpenID to login to a site than having to either come up with yet another username/password which I will just forget, or using Facebook or similar (I don't really trust them with my info).
Agreed. Our preferences are not enough though.
On 05/09/13 21:53, Ben Finney wrote:
My own take is that most people choose convenience and expedience over security and freedom, hence Facebook and Twitter and Google have taken over the online identity game instead of a federated identity system.
That is one of the Persona improvements: if your email provider does not support it, you can still use your email with Persona (through Mozilla's servers). If your provider supports OAuth authentication (let's say Facebook, Twitter, Google), you can use that identity to prove your identity to Mozilla, and Mozilla proves your email ID to any Persona consumer. In the process, you get privacy (Facebook doesn't know where you are using authentication, besides Mozilla).
Being a Persona provider is easy, being a verifier is trivial.
An interesting property of Persona is that if its popularity grows, it becomes decentralized "automágically".
Anyway, I was asking for alternative OpenID providers, not to open a debate about single sign on methods :).
On Thu, Sep 05, 2013 at 02:07:11PM -0500, Skip Montanaro skip@pobox.com wrote:
I was completely unaware of OpenID's demise.
There was no demise. Because there was no take-off. OpenID was never popular. I can remember a very limited set of major sites that allow login using OpenID: SourceForge, LiveJournal, BitBucket. The first two in the list allow limited login. BitBucket doesn't allow even that. They only allow full-featured login if you have already created an account and linked your OpenID URL with that account. You cannot login using OpenID to most interesting popular sites. GMail? No. Twitter? No. Facebook? FriendFeed? identi.ca? No, no, no. Small uninteresting blogs? Yes, but who cares?
Oleg.
On Sep 06, 2013, at 12:36 AM, Oleg Broytman wrote:
You cannot login using OpenID to most interesting popular sites. GMail? No. Twitter? No. Facebook? FriendFeed? identi.ca? No, no, no.
I'd be surprised if you ever saw the big social networking sites support OpenID or Persona. They want to own that space themselves, so probably have no business incentive to support 3rd party systems.
We're open source, and I think it benefits our mission to support open, decentralized, and free systems like OpenID and Persona.
-Barry
On Sep 5, 2013, at 4:53 PM, Barry Warsaw barry@python.org wrote:
I'd be surprised if you ever saw the big social networking sites support OpenID or Persona. They want to own that space themselves, so probably have no business incentive to support 3rd party systems.
Not that it changes this statement at all, but you wouldn't expect to see a Persona login for Gmail, as Persona solves the problem that people don't think of URLs as personal identifiers by replacing them with emails. So Gmail would be the Persona IdP.
On Thu, Sep 5, 2013 at 10:57 PM, Donald Stufft donald@stufft.io wrote:
Not that it changes this statement at all but you wouldn't expect to see a Persona login for gmail as persona solves the problem that people don't think of urls as personal identifiers by replacing it with emails. So Gmail would be the Persona IdP
And actually you can already trivially log in with your Gmail account on any Persona-based Relying Party (that is, a site that uses Persona to authenticate you). This is because one of the nice parts of the current implementation of Persona is that Mozilla has implemented bridges that allow Gmail and Yahoo addresses to be authenticated via their respective OAuth implementations, such that you don't need to set up an account at Mozilla's fallback IdP (which acts as an Identity Provider for email addresses that don't currently have an IdP available to them).
Cheers,
Dirkjan
On Thu, Sep 05, 2013 at 04:53:18PM -0400, Barry Warsaw barry@python.org wrote:
I'd be surprised if you ever saw the big social networking sites support OpenID or Persona. They want to own that space themselves, so probably have no business incentive to support 3rd party systems.
But of course! And that IMO spells the end of the feature. Things that aren't available for millions seldom are available for a few, and if they are -- they are available for big price.
We're open source, and I think it benefits our mission to support open, decentralized, and free systems like OpenID and Persona.
But they also have disadvantages. Implementing such a major feature is a significant burden to sysadmins and is an additional vein for security breaches. That said, I don't mind if pydotorg gets such features. If the FSF pays salaries and admins are willing to work, no objections from me. But I am not going to use it. What do I gain if I can log in to one site? I will change my mind when Google and GitHub start using them.
Oleg.
On Sep 06, 2013, at 01:09 AM, Oleg Broytman wrote:
I will change my mind when Google and GitHub start using them.
Neither Google nor GitHub are free or open. Bitbucket and Facebook aren't either. I'm not saying they're bad services because of that of course, but I don't want to have to rely on any of them to access python.org resources, and I don't want my choice to be log into Facebook or manage a slew of passwords.
But I'm not volunteering to do the work, so I don't get to decide. I'm just stating that I think our principle should be that you *can* (not *must*) use free and open services to access our resources.
-Barry
On Thu, Sep 05, 2013 at 05:29:07PM -0400, Barry Warsaw barry@python.org wrote:
I don't want my choice to be log into Facebook or manage a slew of passwords.
The last part is unavoidable. I regularly log in to LiveJournal, Twitter, SourceForge, BitBucket, Gitorious, GitHub and to hundreds of other sites -- blogs, torrents, web shops. I already manage hundreds of passwords. OpenID promised to save me from that and failed. Do you think Persona would succeed in this regard (save me from managing all those passwords)? And if not -- what are the benefits? I already manage hundreds of passwords -- two or three additional passwords for bugs.python.org, wiki.python.org and so on don't make the situation worse. IMO the very idea of single sign-on in the open web is meaningless.
But I'm not volunteering to do the work, so I don't get to decide. I'm just stating that I think our principle should be that you *can* (not *must*) use free and open services to access our resources.
Well, I can only use services that are available, not those that are promised. If python.org grows support for Persona -- who will be my provider and for what price? I am not going to install and manage additional software on my servers -- I don't want to be my own provider, I have enough job already.
Oleg.
On Sep 5, 2013, at 5:56 PM, Oleg Broytman phd@phdru.name wrote:
Well, I can only use services that are available, not those that are promised. If python.org grows support for Persona -- who will be my provider and for what price? I am not going to install and manage additional software on my servers -- I don't want to be my own provider, I have enough job already.
Theoretically whoever runs the domain for your email address (since Persona uses email as your identifier). In order to make it work as a stop gap they also have more OpenID-like IdPs, of which they run a major one (that also offers a "bridge" to make things like Gmail work on Persona without needing to register for anything else).
On 05/09/13 23:56, Oleg Broytman wrote:
Well, I can only use services that are available, not those that are promised. If python.org grows support for Persona -- who will be my provider and for what price? I am not going to install and manage additional software on my servers -- I don't want to be my own provider, I have enough job already.
If your email provider is not supporting Persona, the automatic fallback is Mozilla, a non-profit, free web, I care about your privacy, organization.
Barry Warsaw writes:
On Sep 06, 2013, at 12:36 AM, Oleg Broytman wrote:
You cannot login using OpenID to most interesting popular sites. GMail? No. Twitter? No. Facebook? FriendFeed? identi.ca? No, no, no.
I'd be surprised if you ever saw the big social networking sites support OpenID or Persona. They want to own that space themselves, so probably have no business incentive to support 3rd party systems.
Quite the reverse, unfortunately. That's why *those* sites *all* appear on most sites that support OpenID. They're not going to delegate to each other until they are forced to.
We're open source, and I think it benefits our mission to support open, decentralized, and free systems like OpenID and Persona.
Thus speaks an employee of yet another Provider-That-Won't-Accept-My-Third-Party-Credentials. Sorry, Barry, but you see the problem: Unfortunately, we can't do it alone. What needs to happen is there needs to be a large network of sites that support login via O-D-F systems like OpenID and Persona. Too many of the sites I use (news sources, GMail, etc) don't support them and my browser manages my logins to most of them, so why bother learning OpenID, and then setting it up site by site?
I'm not against it, but it's quixotic (and therefore valuable).
One reason that OpenID and Persona fail to achieve penetration is that they overstate their mission. A protocol that any email provider can support is a protocol that provides authentication without identification (imagine what havoc Dogbert could wreak with his own Persona provider), and therefore cannot be used in authorization (except trivially). Think ident (port tcp/113). And most general-audience sites that want to provide high-quality "Web 2.0" service are going to start by asking for your demographics. It's probably at least as effective as CAPTCHA for classifying mammals and 'bots, too!
The reason that the "big" providers can take advantage of these protocols as providers without reciprocating as clients is that identities on these sites are very valuable to at least 95% of people who use them (that may or may not correspond to as much as 50% of the accounts). Losing your Facebook site for abuse of TOS is very costly: you can't even contact your "circle" easily. Nor do you want multiple logins on one of these sites, because that will double the amount of spam they send you.
Bottom line: A login via Facebook-provided OpenID means that the login is unlikely to perform random mischief.
Of course, those issues are easy to deal with if you have even a bit of Internet savvy. So sites still have to worry about a deliberate attack from a Facebook user, but a serious intruder has many ways to get in the front door, so you need to lock up your Waterford crystal and Noritake china anyway whether you support global ID logins or not.
On Thu, Sep 5, 2013 at 6:09 PM, Stephen J. Turnbull stephen@xemacs.org wrote:
Thus speaks an employee of yet another Provider-That-Won't-Accept-My-Third-Party-Credentials. Sorry, Barry, but you see the problem: Unfortunately, we can't do it alone. What needs to happen is there needs to be a large network of sites that support login via O-D-F systems like OpenID and Persona. Too many of the sites I use (news sources, GMail, etc) don't support them and my browser manages my logins to most of them, so why bother learning OpenID, and then setting it up site by site?
[snipped lots of observations that I generally agree with]
There's been a lot of negativity towards OpenID in this thread -- I'd like to say that in Fedora Infrastructure we've found OpenID to be very very good -- but not at addressing the problem that most people are after here. As you've observed being an OpenID provider is a relatively easy to swallow proposition; accepting OpenID from third parties is another thing entirely. As you've also observed, this has to do with trust. A site can trust their own account system and practices and issue OpenID based on those. It is much riskier for the site to trust someone else's account system and practices when deciding whether a user is actually the owner of the account that they claim.
So OpenID fails as a truly generic SSO method across sites on the internet... what have we found it good for then? SSO within our site. More and more apps support OpenID out of the box. Many web frameworks have modules for the code you write to authenticate against an OpenID server. A site configures these apps and modules to only trust the site's OpenID service and then deploys them with less custom code. Sites also get a choice about how much risk they consider compromised accounts to pose to a particular application. If they run a web forum and a build system, for instance, they might constrain the build system to only their OpenID service but allow the forum to accept OpenID from other providers. And finally, having an OpenID service lets their users sign into more trusting sites like python.org properties (unlike say, LDAP) :-)
-Toshio
On Mon, Sep 09, 2013 at 10:39:11AM -0700, Toshio Kuratomi a.badger@gmail.com wrote:
So OpenID fails as a truly generic SSO method across sites on the internet... what have we found it good for then? SSO within our site.
I.e., OpenID could be good for core developers (using @python.org email addresses as IDs) but not for the general public to log in to pydotorg sites, right?
Oleg.
On Mon, Sep 09, 2013 at 09:46:58PM +0400, Oleg Broytman phd@phdru.name wrote:
I.e., OpenID could be good for core developers (using @python.org email addresses as IDs) but not for the general public to log in to pydotorg sites, right?
Oops, I completely messed up OpenID URLs and Persona emails.
Oleg.
On 05/09/13 22:36, Oleg Broytman wrote:
There was no demise. Because there was no take-off. OpenID was never popular. I can remember a very limited set of major sites that allow login using OpenID: SourceForge, LiveJournal, BitBucket. The first two
I remember a day where OpenID was the ONLY authentication method in StackOverflow.
On Thu, 5 Sep 2013 14:50:44 -0400 Donald Stufft donald@stufft.io wrote:
I don't think there's much evidence to support this. I'm seeing more sites support Persona not less.
Which sites exactly? I can login to BitBucket and *.python.org using OpenID, not Persona.
I think Persona is just too new to see it around much yet. Or maybe Mozilla needs better PR.
The Persona site touts: "Signing in using Persona requires only a valid email address; allowing you to provide personal information on as-needed basis, when and where you think it’s appropriate."
They clearly need a better example site. They chose something called Voost. Sure enough, all I needed to enter was my Gmail address. That got me signed in, but then Voost asked me for a bunch of other personal information (name, gender, birthdate, etc), and wouldn't let me go any farther without that. :-/
Skip
On 09/05/2013 03:52 PM, Skip Montanaro wrote:
They clearly need a better example site. They chose something called Voost. Sure enough, all I needed to enter was my Gmail address. That got me signed in, but then Voost asked me for a bunch of other personal information (name, gender, birthdate, etc), and wouldn't let me go any farther without that. :-/
As with OpenID, the key element of Persona is SSO: you can authenticate without needing to create / remember passwords for every site you visit. Whether a given site chooses to authorize an authenticated-but-otherwise-unknown user to do anything meaningful is logically distinct.
+1 for supporting Persona as an alternative to OpenID on all *.python.org servers.
Tres. -- Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com
There's some sample Python code here: https://developer.mozilla.org/en-US/docs/Mozilla/Persona/Quick_Setup
The API is so simple something generic like requests suffices.
2013/9/5 Glenn Linderman v+python@g.nevcal.com:
On 9/5/2013 1:30 PM, Tres Seaver wrote:
+1 for supporting Persona as an alternative to OpenID on all *.python.org servers.
Is there a Python implementation of Persona I can install on my web server?
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/benjamin%40python.org
On 09/05/2013 04:33 PM, Glenn Linderman wrote:
On 9/5/2013 1:30 PM, Tres Seaver wrote:
+1 for supporting Persona as an alternative to OpenID on all *.python.org servers.
Is there a Python implementation of Persona I can install on my web server?
- https://readthedocs.org/projects/django-browserid/
- https://pyramid_persona.readthedocs.org/en/latest/
Tres. -- Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com
On Thu, Sep 5, 2013 at 10:33 PM, Glenn Linderman v+python@g.nevcal.com wrote:
Is there a Python implementation of Persona I can install on my web server?
If you mean to use your web server as an Identity Provider, try this:
https://bitbucket.org/djc/persona-totp
It currently only implements TOTP-based authentication (i.e. no passwords), but it should be easy to add a password or 2FA-mode if you'd prefer that.
Cheers,
Dirkjan
Whether a given site chooses to authorize an authenticated-but-otherwise-unknown user to do anything meaningful is logically distinct.
But the least they could have done was pick a demo site that didn't do exactly what they contend you shouldn't need to do: cough up all sorts of personal information to use their site.
Skip
On Thu, Sep 5, 2013 at 10:30 PM, Tres Seaver tseaver@palladion.com wrote:
+1 for supporting Persona as an alternative to OpenID on all *.python.org servers.
BTW, I'd be happy to assist with any Persona RP implementations for python.org services. The MDN docs are pretty good, I got my first RP going in just a few hours of looking at code (and you can probably do better if you're more into frontend webdev stuff).
There's also ongoing work that will replace ReadTheDocs accounts with Persona support.
Cheers,
Dirkjan
On Thu, 5 Sep 2013 15:40:44 -0400 Barry Warsaw barry@python.org wrote:
On Sep 05, 2013, at 09:07 PM, Antoine Pitrou wrote:
Which sites exactly? I can login to BitBucket and *.python.org using OpenID, not Persona.
I think Persona is just too new to see it around much yet. Or maybe Mozilla needs better PR.
Well, OpenID at least got some publicity since it appeared. Persona is almost unknown at this point (though it was publicly launched two years ago, according to Wikipedia).
Comparing the size of the respective Wikipedia pages actually tells quite a bit: http://en.wikipedia.org/wiki/OpenID http://en.wikipedia.org/wiki/Mozilla_Persona
Regards
Antoine.
On Thu, Sep 05, 2013 at 02:50:44PM -0400, Donald Stufft donald@stufft.io wrote:
On Sep 5, 2013, at 2:43 PM, Oleg Broytman phd@phdru.name wrote:
On Thu, Sep 05, 2013 at 02:35:16PM -0400, Donald Stufft donald@stufft.io wrote:
Persona is the logical successor to OpenID.
OpenID lived a short life and died a quiet death. I'm afraid Persona wouldn't live even that much. Dead-born idea, in my so humble opinion.
I don't think there's much evidence to support this. I'm seeing more sites support Persona not less. It solves some of the major problems with OpenID.
I have seen exactly 0 (zero) sites that support Persona. Can you point me?
Oleg.
On Thu, Sep 5, 2013 at 4:29 PM, Oleg Broytman phd@phdru.name wrote:
I have seen exactly 0 (zero) sites that support Persona. Can you point me?
We have an internal app that uses Persona, but we did that mostly to play with it.
I've not run across any sites that use Persona in the wild, either.
-Fred
On 09/05/2013 04:29 PM, Oleg Broytman wrote:
On Thu, Sep 05, 2013 at 02:50:44PM -0400, Donald Stufft donald@stufft.io wrote:
On Sep 5, 2013, at 2:43 PM, Oleg Broytman phd@phdru.name wrote:
On Thu, Sep 05, 2013 at 02:35:16PM -0400, Donald Stufft donald@stufft.io wrote:
Persona is the logical successor to OpenID.
OpenID lived a short life and died a quiet death. I'm afraid Persona wouldn't live even that much. Dead-born idea, in my so humble opinion.
I don't think there's much evidence to support this. I'm seeing more sites support Persona not less. It solves some of the major problems with OpenID.
I have seen exactly 0 (zero) sites that support Persona. Can you point me?
From the "Mozilla Identity" blog:
- http://bornthiswayfoundation.org/
- http://ting.com/
- http://www.gnu.org/software/mailman/
Tres. -- Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com
On Thu, Sep 05, 2013 at 04:58:19PM -0400, Tres Seaver tseaver@palladion.com wrote:
On 09/05/2013 04:29 PM, Oleg Broytman wrote:
I have seen exactly 0 (zero) sites that support Persona. Can you point me?
Thank you! Never heard of these sites. Well, I saw WebMaker once, but it's a Mozilla site, no wonder it supports Persona.
Oleg.
On 05/09/13 22:29, Oleg Broytman wrote:
I have seen exactly 0 (zero) sites that support Persona. Can you point me?
"Python España" (Python Spain) association is going to provide Persona-only login. Deployment in four weeks.
-- Jesús Cea Avión jcea@jcea.es - http://www.jcea.es/ - Twitter: @jcea - jabber / xmpp:jcea@jabber.org
On Sep 05, 2013, at 07:31 PM, Jesus Cea wrote:
I just received an email from my OpenID provider, "myOpenID", saying that they drop OpenID service next February. I wonder what other OpenID providers are used by other python-dev fellows.
What are you using? bugs.python.org admins could share some data?
Launchpad. It's not going anywhere.
I agree that OpenID is (quite) dead, but I would rather use OpenID than user/pass. I have big hopes for Mozilla Persona, looking forward to Python infrastructure support :).
We at the Mailman project like Persona a lot. It'll be the primary way people can log into Postorius (the new web ui).
-Barry
On Thu, Sep 5, 2013 at 10:31 AM, Jesus Cea jcea@jcea.es wrote:
I just received an email from my OpenID provider, "myOpenID", saying that they drop OpenID service next February. I wonder what other OpenID providers are used by other python-dev fellows.
What are you using? bugs.python.org admins could share some data?
I agree that OpenID is (quite) dead, but I would rather use OpenID than user/pass. I have big hopes for Mozilla Persona, looking forward to Python infrastructure support :).
PS: I use "http://www.jcea.es/" as my OpenID identity, and I delegate the actual service to "myOpenID". I can switch delegation trivially.
http://bugs.python.org/?@action=openid_login&provider=Google
Eli
On 05/09/13 20:45, Eli Bendersky wrote:
PS: I use "http://www.jcea.es/" as my OpenID identity, and I delegate the actual service to "myOpenID". I can switch delegation trivially.
http://bugs.python.org/?@action=openid_login&provider=Google
Sorry, Google, Facebook, Twitter, etc., are not acceptable OpenID providers for me. I should have made that point in my original email. My excuses.
Any other suggestion?
-- Jesús Cea Avión jcea@jcea.es - http://www.jcea.es/ - Twitter: @jcea - jabber / xmpp:jcea@jabber.org
On Fri, Sep 6, 2013 at 8:56 AM, Jesus Cea jcea@jcea.es wrote:
Sorry, Google, Facebook, Twitter, etc., are not acceptable OpenID providers for me. I should have made that point in my original email. My excuses.
Any other suggestion?
As Barry mentioned earlier, launchpad.net. Look for the 'lp' icon on pypi, bugs.python.org etc.
On Thu, 05 Sep 2013 19:31:59 +0200 Jesus Cea jcea@jcea.es wrote:
I just received an email from my OpenID provider, "myOpenID", saying that they drop OpenID service next February. I wonder what other OpenID providers are used by other python-dev fellows.
I use a self-hosted SimpleID instance:
What are you using? bugs.python.org admins could share some data?
I agree that OpenID is (quite) dead, but I would rather use OpenID than user/pass. I have big hopes for Mozilla Persona, looking forward to Python infrastructure support :).
PS: I use "http://www.jcea.es/" as my OpenID identity, and I delegate the actual service to "myOpenID". I can switch delegation trivially.
Jesús Cea Avión jcea@jcea.es - http://www.jcea.es/ - Twitter: @jcea - jabber / xmpp:jcea@jabber.org
On Thu, 05 Sep 2013 19:31:59 +0200 Jesus Cea jcea@jcea.es wrote:
I just received an email from my OpenID provider, "myOpenID", saying that they drop OpenID service next February. I wonder what other OpenID providers are used by other python-dev fellows.
What are you using? bugs.python.org admins could share some data?
I use a self-hosted SimpleID instance: http://simpleid.koinic.net/
It works fine with python.org, except recent problems with PyPI for which I haven't had an answer yet: https://mail.python.org/pipermail/distutils-sig/2013-September/022583.html
(sorry for the previous message, keyboard mishap)
Regards
Antoine.
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
We can tackle that from two angles:
1. Dirkjan and I are willing to do the work to make this happen if someone from python-devel is willing to guide us through the contributor process for these systems.
2. There's a seamless migration path away from Persona if we fail: fall back to the pre-existing traditional email/password system using the same email addresses that Persona had previously been in charge of verifying.
So let's do this. The open web deserves better than just Google+, Facebook, or Passwords, and visible support from the Python community would be a huge step toward answering the chicken-and-egg objections raised in this thread.
At your service, -Callahad
PS: Freeform OpenID has utterly failed as a user-empowering authentication system, and the protocol itself is rapidly being supplanted by vendor-specific OAuth[1] systems. If we want to ensure that "you *can* (not *must*) use free and open services to access our resources," then we must provide an option to use something akin to Persona.
[0]: http://pyvideo.org/video/1764
[1]: "Google's OpenID service is being replaced by Login with OAuth 2.0." https://developers.google.com/accounts/docs/GettingStarted
On Sep 6, 2013, at 1:22 PM, Dan Callahan dcallahan@mozilla.com wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
We can tackle that from two angles:
- Dirkjan and I are willing to do the work to make this happen if someone from python-devel is willing to guide us through the contributor process for these systems.
FWIW I'm a maintainer of PyPI and I do plan on enabling Persona there. Mostly blocked because I want to focus my PyPI efforts on the "next gen" code base instead.
- There's a seamless migration path away from Persona if we fail: fall back to the pre-existing traditional email/password system using the same email addresses that Persona had previously been in charge of verifying.
So let's do this. The open web deserves better than just Google+, Facebook, or Passwords, and visible support from the Python community would be a huge step toward answering the chicken-and-egg objections raised in this thread.
At your service, -Callahad
PS: Freeform OpenID has utterly failed as a user-empowering authentication system, and the protocol itself is rapidly being supplanted by vendor-specific OAuth[1] systems. If we want to ensure that "you *can* (not *must*) use free and open services to access our resources," then we must provide an option to use something akin to Persona.
[1]: "Google's OpenID service is being replaced by Login with OAuth 2.0." https://developers.google.com/accounts/docs/GettingStarted
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Fri, 06 Sep 2013 14:53:00 -0400, Donald Stufft donald@stufft.io wrote:
On Sep 6, 2013, at 1:22 PM, Dan Callahan dcallahan@mozilla.com wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
We can tackle that from two angles:
- Dirkjan and I are willing to do the work to make this happen if someone from python-devel is willing to guide us through the contributor process for these systems.
Thanks.
I'm one of the people with admin access to the bug tracker (I haven't done much maint lately, though, Ezio has done the most). There is information on setting up a replica of our production system here:
https://wiki.python.org/moin/TrackerDevelopment
If you want to start hacking on a solution, the first step would be to spin up a test setup.
If you propose a patch, either I or Ezio should be able to find the time to review and apply it, if you also commit to maintaining it ;)
Tracker specific discussion happens on the tracker-discuss mailing list, by the way (very low traffic).
- There's a seamless migration path away from Persona if we fail: fall back to the pre-existing traditional email/password system using the same email addresses that Persona had previously been in charge of verifying.
Roundup uses database-derived numeric IDs. An email is associated with each account, but does not participate in authentication or authorization after initial signup. (Except for the email interface...but that is a separate story and you shouldn't need to address that).
So let's do this. The open web deserves better than just Google+, Facebook, or Passwords, and visible support from the Python community would be a huge step toward answering the chicken-and-egg objections raised in this thread.
At your service, -Callahad
PS: Freeform OpenID has utterly failed as a user-empowering authentication system, and the protocol itself is rapidly being supplanted by vendor-specific OAuth[1] systems. If we want to ensure that "you *can* (not *must*) use free and open services to access our resources," then we must provide an option to use something akin to Persona.
IMO, single signon is overrated. Especially if one prefers not to make it easy for various accounts to be automatically associated with one another by various entities who shall remain nameless but have been in the news a lot lately :)
--David
On Sep 6, 2013, at 3:11 PM, "R. David Murray" rdmurray@bitdance.com wrote:
IMO, single signon is overrated. Especially if one prefers not to make it easy for various accounts to be automatically associated with one another by various entities who shall remain nameless but have been in the news a lot lately :)
If I recall Persona doesn't leak this data like OpenID does, but perhaps Dan can speak to that better than I can.
-- Donald Stufft
On Fri, 06 Sep 2013 15:17:12 -0400, Donald Stufft donald@stufft.io wrote:
On Sep 6, 2013, at 3:11 PM, "R. David Murray" rdmurray@bitdance.com wrote:
IMO, single signon is overrated. Especially if one prefers not to make it easy for various accounts to be automatically associated with one another by various entities who shall remain nameless but have been in the news a lot lately :)
If I recall Persona doesn't leak this data like OpenID does, but perhaps Dan can speak to that better than I can.
Note that I said that single signon *itself* was overrated. If you use the same token to authenticate to multiple sites (and here the 'token' is the email address) then your identities on those sites are ipso facto associated with each other. *If* that email address is also never leaked (never displayed, even to other signed on users, all communication with the site encrypted), then you only have to worry if the sites exchange information about their accounts, or if the government comes knocking on their doors....
Yes, I'm paranoid. That doesn't mean they aren't listening.
That said, sometimes you *want* identities to be associated, so I'm not saying Persona is a bad thing. Just that single signon is overrated.
--David
On Sep 6, 2013, at 3:34 PM, "R. David Murray" rdmurray@bitdance.com wrote:
On Fri, 06 Sep 2013 15:17:12 -0400, Donald Stufft donald@stufft.io wrote:
On Sep 6, 2013, at 3:11 PM, "R. David Murray" rdmurray@bitdance.com wrote:
IMO, single signon is overrated. Especially if one prefers not to make it easy for various accounts to be automatically associated with one another by various entities who shall remain nameless but have been in the news a lot lately :)
If I recall Persona doesn't leak this data like OpenID does, but perhaps Dan can speak to that better than I can.
Note that I said that single signon *itself* was overrated. If you use the same token to authenticate to multiple sites (and here the 'token' is the email address) then your identities on those sites are ipso facto associated with each other. *If* that email address is also never leaked (never displayed, even to other signed on users, all communication with the site encrypted), then you only have to worry if the sites exchange information about their accounts, or if the government comes knocking on their doors....
Yes, I'm paranoid. That doesn't mean they aren't listening.
That said, sometimes you *want* identities to be associated, so I'm not saying Persona is a bad thing. Just that single signon is overrated.
Well that's fine to have that opinion but I think you're underestimating just how easy it is to link two disparate accounts, especially if you have the cooperation (willing or otherwise) of the site operators. I've personally seen Google do some particularly amazing connections between accounts that I don't believe using the same authentication token is going to make any easier or harder for them.
-- Donald Stufft
On 06/09/13 21:34, R. David Murray wrote:
Note that I said that single signon *itself* was overrated. If you use the same token to authenticate to multiple sites (and here the 'token' is the email address) then your identities on those sites are ipso facto associated with each other. *If* that email address is also never leaked (never displayed, even to other signed on users, all communication with the site encrypted), then you only have to worry if the sites exchange information about their accounts, or if the government comes knocking on their doors....
Yes, I'm paranoid. That doesn't mean they aren't listening.
Being paranoid is good. The fix for this is actually trivial: use different emails for different "personalities".
If you are doing things you really NEED to hide, virtual machines and TOR are the way to go.
-- Jesús Cea Avión jcea@jcea.es - http://www.jcea.es/ - Twitter: @jcea - jabber / xmpp:jcea@jabber.org
On Mon, 09 Sep 2013 17:11:21 +0200, Jesus Cea jcea@jcea.es wrote:
On 06/09/13 21:34, R. David Murray wrote:
Note that I said that single signon *itself* was overrated. If you use the same token to authenticate to multiple sites (and here the 'token' is the email address) then your identities on those sites are ipso facto associated with each other. *If* that email address is also never leaked (never displayed, even to other signed on users, all communication with the site encrypted), then you only have to worry if the sites exchange information about their accounts, or if the government comes knocking on their doors....
Yes, I'm paranoid. That doesn't mean they aren't listening.
Being paranoid is good. The fix for this is actually trivial: use different emails for different "personalities".
Yes, that's exactly my point.
If you are doing things you really NEED to hide, virtual machines and TOR are the way to go.
Well, it would be helpful if a lot more people started routing traffic through TOR even when they didn't NEED to. I plan to start doing so soon.
--David
On 9/6/2013 10:22 AM, Dan Callahan wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
OK, let's pull this discussion down a level: testing it out.
So I tried to login to the crossword.thetimes.co.uk -- I used an email address persona had never seen, it asked me for a password, and sent me a confirmation message, containing a link that I clicked on.
However, as I was reading clues and filling in blanks, I got a popup that said "login failure [object Object]". And crossword told me it was saving locally, and to login to save to the server. And the Log in button stayed displayed, rather than a Log out button, which I assume it might get replaced with if I ever get successfully logged in.
Firefox 23.0.1, Windows 7 64-bit with autoupdates. Need any other info? Write me privately if you want the email address I used (not the one I use here), or the password. I used new ones, so I can share for testing, and then discard them and use different ones "for real". If the system actually works. Hey, the video demos looked great...
Glenn
Ok, can this discussion go off python-dev, please? This has been terribly off-topic for a long time (arguably from the beginning, actually).
Thank you
Antoine.
On Tue, 10 Sep 2013 00:21:28 -0700, Glenn Linderman v+python@g.nevcal.com wrote:
On 9/6/2013 10:22 AM, Dan Callahan wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
OK, let's pull this discussion down a level: testing it out.
So I tried to login to the crossword.thetimes.co.uk -- I used an email address persona had never seen, it asked me for a password, and sent me a confirmation message, containing a link that I clicked on.
However, as I was reading clues and filling in blanks, I got a popup that said "login failure [object Object]". And crossword told me it was saving locally, and to login to save to the server. And the Log in button stayed displayed, rather than a Log out button, which I assume it might get replaced with if I ever get successfully logged in.
Firefox 23.0.1, Windows 7 64-bit with autoupdates. Need any other info? Write me privately if you want the email address I used (not the one I use here), or the password. I used new ones, so I can share for testing, and then discard them and use different ones "for real". If the system actually works. Hey, the video demos looked great...
Glenn
Why do several posts in this thread have an Unsubscribe link that tries to unsubscribe me from the list? (I saw one by Glenn, and another one by Donald Stufft.)
(Come to think of it, what's the point of having an Unsub link in every message that goes out?)
On Tue, Sep 10, 2013 at 12:21 AM, Glenn Linderman v+python@g.nevcal.com wrote:
On 9/6/2013 10:22 AM, Dan Callahan wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
OK, let's pull this discussion down a level: testing it out.
So I tried to login to the crossword.thetimes.co.uk -- I used an email address persona had never seen, it asked me for a password, and sent me a confirmation message, containing a link that I clicked on.
However, as I was reading clues and filling in blanks, I got a popup that said "login failure [object Object]". And crossword told me it was saving locally, and to login to save to the server. And the Log in button stayed displayed, rather than a Log out button, which I assume it might get replaced with if I ever get successfully logged in.
Firefox 23.0.1, Windows 7 64-bit with autoupdates. Need any other info? Write me privately if you want the email address I used (not the one I use here), or the password. I used new ones, so I can share for testing, and then discard them and use different ones "for real". If the system actually works. Hey, the video demos looked great...
Glenn
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/guido%40python.org
On Sep 10, 2013, at 11:08 AM, Guido van Rossum guido@python.org wrote:
Why do several posts in this thread have an Unsubscribe link that tries to unsubscribe me from the list? (I saw one by Glenn, and another one by Donald Stufft.)
(Come to think of it, what's the point of having an Unsub link in every message that goes out?)
All posts should have that. It's possible your mail client is collapsing it in some cases though because it looks like quoted text.
On Tue, Sep 10, 2013 at 12:21 AM, Glenn Linderman v+python@g.nevcal.com wrote:
On 9/6/2013 10:22 AM, Dan Callahan wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections are coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
OK, let's pull this discussion down a level: testing it out.
So I tried to login to the crossword.thetimes.co.uk -- I used an email address persona had never seen, it asked me for a password, and sent me a confirmation message, containing a link that I clicked on.
However, as I was reading clues and filling in blanks, I got a popup that said "login failure [object Object]". And crossword told me it was saving locally, and to login to save to the server. And the Log in button stayed displayed, rather than a Log out button, which I assume it might get replaced with if I ever get successfully logged in.
Firefox 23.0.1, Windows 7 64-bit with autoupdates. Need any other info? Write me privately if you want the email address I used (not the one I use here), or the password. I used new ones, so I can share for testing, and then discard them and use different ones "for real". If the system actually works. Hey, the video demos looked great...
Glenn
-- --Guido van Rossum (python.org/~guido)
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Tue, Sep 10, 2013 at 11:28:25AM -0400, Donald Stufft donald.stufft@gmail.com wrote:
On Sep 10, 2013, at 11:08 AM, Guido van Rossum guido@python.org wrote:
Why do several posts in this thread have an Unsubscribe link that tries to unsubscribe me from the list? (I saw one by Glen, and another one by Donald Stufft.)
(Come to think of it, what's the point of having an Unsub link in every message that goes out?)
All posts should have that. It's possible your mail client is collapsing it in some cases though because it looks like quoted text.
When a mail message is all text/plain, Mailman simply inlines the stanza into the text. When a message is a complex tree of MIME parts (like the message I'm replying to), Mailman appends the stanza to the end of the message as another MIME part. Some MUAs could ignore that part -- they neither show the part nor include it in replies. Mine (mutt) shows it and includes it in replies anyway; I always trim it myself.
Oleg.
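To make the two layouts Oleg describes concrete, here is an added example in Python. It is my own code, not Mailman's, and it simplifies what Mailman does: a single text/plain body gets the footer spliced inline, anything else gets wrapped in a new multipart/mixed with the footer as a trailing text/plain part. The footer text and the two sample messages are constructed for the example; `footer_location` shows where a receiving MUA has to look, which is why a client that renders only the "best" alternative part never displays it.

```python
import email
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed footer in the shape of the one under discussion (not Mailman's exact text).
UNSUB_FOOTER = (
    "_______________________________________________\n"
    "Python-Dev mailing list\n"
    "Python-Dev@python.org\n"
    "https://mail.python.org/mailman/listinfo/python-dev\n"
)


def _move_envelope_headers(src: Message, dst: Message) -> None:
    """Move the non-MIME headers (From, To, Subject, ...) from src onto dst."""
    for name, value in src.items():  # items() returns a list, so deleting is safe
        low = name.lower()
        if low.startswith("content-") or low == "mime-version":
            continue
        dst[name] = value
        del src[name]


def add_list_footer(msg: Message, footer: str = UNSUB_FOOTER) -> Message:
    """Return a message carrying the footer, using the two layouts described above."""
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        # Simple case: splice the footer into the single text body.
        charset = msg.get_content_charset() or "us-ascii"
        body = msg.get_payload(decode=True).decode(charset, "replace")
        out = MIMEText(body.rstrip("\n") + "\n\n" + footer, "plain", charset)
        _move_envelope_headers(msg, out)
        return out
    # Complex case: wrap the original MIME tree in multipart/mixed and append the
    # footer as a separate text/plain part. An MUA that renders only the first
    # part, or only the preferred alternative, will not show it.
    outer = MIMEMultipart("mixed")
    _move_envelope_headers(msg, outer)
    outer.attach(msg)
    outer.attach(MIMEText(footer, "plain", "us-ascii"))
    return outer


def _text_of(part: Message) -> str:
    return part.get_payload(decode=True).decode(part.get_content_charset() or "us-ascii", "replace")


def footer_location(msg: Message, footer: str = UNSUB_FOOTER) -> str:
    """Where a receiving MUA would find the footer: 'inline', 'mime-part' or 'absent'."""
    if not msg.is_multipart():
        return "inline" if footer.strip() in _text_of(msg) else "absent"
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_multipart():
            if _text_of(part).strip() == footer.strip():
                return "mime-part"
    return "absent"


def sample_plain() -> Message:
    """Constructed plain-text message."""
    return email.message_from_string(
        "From: alice@example.org\nTo: list@example.org\nSubject: plain\n\nJust text.\n"
    )


def sample_multipart() -> Message:
    """Constructed multipart/alternative message (text + HTML), as many MUAs send."""
    m = MIMEMultipart("alternative")
    m["From"] = "bob@example.org"
    m["To"] = "list@example.org"
    m["Subject"] = "rich"
    m.attach(MIMEText("Hello from Bob.", "plain"))
    m.attach(MIMEText("<p>Hello from Bob.</p>", "html"))
    return m
```

Running `add_list_footer` over `sample_plain()` yields a single text/plain body ending in the footer; over `sample_multipart()` it yields multipart/mixed whose second part is the footer, which is the part some clients drop from display and from replies.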
On 9/10/2013 8:08 AM, Guido van Rossum wrote:
Why do several posts in this thread have an Unsubscribe link that tries to unsubscribe me from the list? (I saw one by Glen, and another one by Donald Stufft.)
Seems to be in all of them. Probably added by the mailing list software.
Why don't you always see it?
Possibly a combination of being directly listed as a recipient, so that you get a copy not sent through the mailing list, together with an email client that suppresses the duplicates (if the mailing list software doesn't change the Message-Id:). But since heretofore you haven't participated in this thread, if you don't see the Unsub link in all of this thread, I doubt this is the explanation. Your message to which I'm replying is the first in this thread that came directly to me and which doesn't have the link, because you addressed me directly. Use Reply-List rather than Reply-All if your MUA supports that.
(Come to think of it, what's the point of having an Unsub link in every message that goes out?)
To avoid people that accidentally subscribe from asking how to unsubscribe, perhaps.
On Sep 10, 2013, at 08:08 AM, Guido van Rossum wrote:
Why do several posts in this thread have an Unsubscribe link that tries to unsubscribe me from the list? (I saw one by Glen, and another one by Donald Stufft.)
This is way off topic, but I suspect your original response didn't trim your little unsub footer and they didn't trim it from their responses.
Looking at my list copy of *this* message, I see my own unsub footer, but my MUA automatically trims it in my response buffer. OTOH, I always try to trim my responses anyway, which I think is good netiquette, and which is easy for me with Emacs as my edit/composer of messages.
(Come to think of it, what's the point of having an Unsub link in every message that goes out?)
As a general Mailman feature, it decreases the likelihood that laypeople who want off a mailing list will do bad things to unsub because they can't figure out how to do it, like complain back to the list or the admins, spam block, or worse, report the list as spam. All of which and more we've seen in the wild. Adding the footer with the unsub block doesn't eliminate this, because some people are lazy, stressed, mean, or frustrated, but it does reduce the incidence.
Now, whether it's appropriate for a highly technical list like python-dev is up for discussion (but maybe not here?). While messages are personalized on this list (meaning, you get a unique copy of it for bounce tracking, and yes unsub personalization), those unsub stanzas cannot currently be disabled on a per-user basis.
-Barry
On 05.09.13 19:31, Jesus Cea wrote:
What are you using?. bugs.python.org admins could share some data?
Most users use one of the large services:
    https://www.google.com            3326
    https://login.launchpad.net        335
    https://*.myopenid.com             253
    https://launchpad.net               23
    https://*.id.fedoraproject.org      11
The remaining ones are mostly private URLs. Of those, a majority again delegates to providers, namely (ignoring providers with fewer than 3 users):
    www.startssl.com             3
    www.clavid.com               3
    openid.stackexchange.com     4
    openid.claimid.com           4
    login.launchpad.net          7
    openid.yandex.ru             8
    www.google.com              14
    pip.verisignlabs.com        20
    www.myopenid.com            41
Regards, Martin
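As an added example of how the "delegates to" half of such a tally can be produced, here is my own Python, not the bugs.python.org code, which I have not seen. OpenID HTML-based discovery reads `<link rel="openid2.provider">` and `<link rel="openid2.local_id">` (OpenID 2.0), falling back to `<link rel="openid.server">` and `<link rel="openid.delegate">` (OpenID 1.x), from the user's identity page, and the provider endpoint's host is what gets counted. The identity URLs and their pages below are constructed; the collapsing of per-user subdomains to `*.myopenid.com` and `*.id.fedoraproject.org` follows the table above. It also flags what a check like this should flag: identity pages or provider endpoints reached over plain http, where an on-path attacker can rewrite the delegation links and thereby choose who is allowed to assert that identity.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Providers that give each user a subdomain; shown above as "*.myopenid.com"
# and "*.id.fedoraproject.org", so identity URLs are collapsed the same way.
PER_USER_SUBDOMAIN_PROVIDERS = ("myopenid.com", "id.fedoraproject.org")


class _OpenIDLinks(HTMLParser):
    """Collect <link rel=... href=...> pairs used by OpenID HTML-based discovery."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        # rel may carry several space-separated tokens; the first <link> for a token wins
        for rel in (a.get("rel") or "").lower().split():
            self.links.setdefault(rel, href)


def discover(html):
    """Return (provider_endpoint, local_id); OpenID 2.0 rels take precedence over 1.x."""
    p = _OpenIDLinks()
    p.feed(html)
    provider = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return provider, local_id


def identity_key(identity_url):
    """Group identity URLs by scheme and host, collapsing per-user subdomains to '*.provider'."""
    u = urlsplit(identity_url)
    host = (u.hostname or "").lower()
    for base in PER_USER_SUBDOMAIN_PROVIDERS:
        if host.endswith("." + base):
            host = "*." + base
            break
    return f"{u.scheme}://{host}"


def tally(pages):
    """pages: {identity_url: html of that page}. Returns (by_identity, by_provider, findings)."""
    by_identity = Counter()
    by_provider = Counter()
    findings = []
    for identity_url, html in pages.items():
        by_identity[identity_key(identity_url)] += 1
        provider, _local_id = discover(html)
        if provider is None:
            findings.append((identity_url, "no OpenID discovery links"))
            continue
        by_provider[(urlsplit(provider).hostname or "").lower()] += 1
        # Plain-http discovery on either hop lets an on-path attacker substitute
        # the provider, i.e. decide who may assert this identity.
        if urlsplit(identity_url).scheme != "https":
            findings.append((identity_url, "identity page not served over https"))
        if urlsplit(provider).scheme != "https":
            findings.append((identity_url, "provider endpoint not https: " + provider))
    return by_identity, by_provider, findings


# Constructed sample identity pages (assumed URLs and markup, not real accounts).
SAMPLE_PAGES = {
    "https://alice.example.org/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://www.myopenid.com/server">'
        '<link rel="openid2.local_id" href="https://alice.myopenid.com/">'
        '<link rel="openid.server" href="https://www.myopenid.com/server">'
        '<link rel="openid.delegate" href="https://alice.myopenid.com/">'
        '</head></html>'
    ),
    "http://bob.example.net/": (
        '<link rel="openid.server" href="http://pip.verisignlabs.com/server">'
        '<link rel="openid.delegate" href="http://bob.pip.verisignlabs.com/">'
    ),
    "https://carol.example.com/": "<html><head><title>no openid here</title></head></html>",
    "https://dave.myopenid.com/": '<link rel="openid2.provider" href="https://www.myopenid.com/server">',
}
```

With the constructed pages, `tally(SAMPLE_PAGES)` attributes two identities to www.myopenid.com and one to pip.verisignlabs.com, reports carol's page as having no discovery links, and flags bob twice because both his identity page and his provider endpoint are plain http.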