[Catalog-sig] OpenID login to PyPI

"Martin v. Löwis" martin at v.loewis.de
Mon Nov 16 07:51:17 CET 2009

> Martin van Löwis writes:
>> But then, users can easily create as many fake accounts as they want
>> to.
> What is a “fake account”?

It's one setup with malicious intent, such as spamming.

> I have three OpenIDs that I use for different
> purposes. On some sites, I will associate them together; on others, I
> only use one. Are any of those “fake accounts”?

No - since you don't have any malicious intent (I presume).

> If on the other hand you mean “fake PyPI account”, there's nothing about
> OpenID that circumvents a proper registration process.

Well, from my view (as a relying party), THAT'S THE WHOLE POINT OF
OPENID (sorry for shouting). I don't understand what's so difficult
about that. Sure, it is convenient to the user to not need to remember
their passwords and account names in these various sites - but OpenID
also can (if done properly) simplify the life for the service operator.

> An OpenID provider can provide data on the user's behalf during the PyPI
> account registration process (using “Simple Registration extension”),
> but there's nothing requiring you to treat that data any differently
> from whatever else the user might put into a form.
> Does that address the “fake account” concern, or have I misunderstood?

No. It fails to address the opportunity for a simplified registration


More information about the Catalog-SIG mailing list