[Catalog-sig] OpenID login to PyPI
exarkun at twistedmatrix.com
Mon Nov 16 14:48:06 CET 2009
On 06:51 am, martin at v.loewis.de wrote:
>>Martin van Löwis writes:
>>>But then, users can easily create as many fake accounts as they want
>>>to.
>>
>>What is a “fake account”?
>
>It's one set up with malicious intent, such as spamming.
>>I have three OpenIDs that I use for different
>>purposes. On some sites, I will associate them together; on others, I
>>only use one. Are any of those “fake accounts”?
>
>No - since you don't have any malicious intent (I presume).
>>If on the other hand you mean “fake PyPI account”, there's nothing about
>>OpenID that circumvents a proper registration process.
>
>Well, from my view (as a relying party), THAT'S THE WHOLE POINT OF
>OPENID (sorry for shouting). I don't understand what's so difficult
>about that. Sure, it is convenient to the user to not need to remember
>their passwords and account names in these various sites - but OpenID
>also can (if done properly) simplify the life for the service operator.

Since I can create as many gmail accounts as I want and use them to
register as many separate PyPI accounts as I want, what's the point of
trying to enforce this restriction on OpenID-based accounts?

It seems that it only causes problems for people who want to use OpenID,
while not really preventing any opportunities for spammers (who can
always just use non-OpenID authentication).

Is the plan to eventually disable non-OpenID authentication?

Jean-Paul