[Catalog-sig] OpenID login to PyPI
"Martin v. Löwis"
martin at v.loewis.de
Mon Nov 16 07:51:17 CET 2009
> Martin van Löwis writes:
>> But then, users can easily create as many fake accounts as they want
>> to.
>
> What is a “fake account”?
It's one setup with malicious intent, such as spamming.
> I have three OpenIDs that I use for different
> purposes. On some sites, I will associate them together; on others, I
> only use one. Are any of those “fake accounts”?
No - since you don't have any malicious intent (I presume).
> If on the other hand you mean “fake PyPI account”, there's nothing about
> OpenID that circumvents a proper registration process.
Well, from my view (as a relying party), THAT'S THE WHOLE POINT OF
OPENID (sorry for shouting). I don't understand what's so difficult
about that. Sure, it is convenient to the user to not need to remember
their passwords and account names in these various sites - but OpenID
also can (if done properly) simplify the life for the service operator.
> An OpenID provider can provide data on the user's behalf during the PyPI
> account registration process (using “Simple Registration extension”),
> but there's nothing requiring you to treat that data any differently
> from whatever else the user might put into a form.
>
> Does that address the “fake account” concern, or have I misunderstood?
No. It fails to address the opportunity for a simplified registration
process.
Regards,
Martin
More information about the Catalog-SIG
mailing list