[Catalog-sig] OpenID login to PyPI

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Mon Nov 16 14:48:06 CET 2009

On 06:51 am, martin at v.loewis.de wrote:
>>Martin van Löwis writes:
>>>But then, users can easily create as many fake accounts as they want
>>What is a  1Cfake account 1D?
>It's one setup with malicious intent, such as spamming.
>>I have three OpenIDs that I use for different
>>purposes. On some sites, I will associate them together; on others, I
>>only use one. Are any of those  1Cfake accounts 1D?
>No - since you don't have any malicious intent (I presume).
>>If on the other hand you mean  1Cfake PyPI account 1D, there's nothing 
>>OpenID that circumvents a proper registration process.
>Well, from my view (as a relying party), THAT'S THE WHOLE POINT OF
>OPENID (sorry for shouting). I don't understand what's so difficult
>about that. Sure, it is convenient to the user to not need to remember
>their passwords and account names in these various sites - but OpenID
>also can (if done properly) simplify the life for the service operator.

Since I can create as many gmail accounts as I want and use them to 
register as many separate PyPI accounts as I want, what's the point of 
trying to enforce this restriction on OpenID-based accounts?

It seems that it only causes problems for people who want to use OpenID, 
while not really preventing any opportunities for spammers (who can 
always just use non-OpenID authentication).

Is the plan to eventually disable non-OpenID authentication?


More information about the Catalog-SIG mailing list