[Catalog-sig] OpenID login to PyPI

"Martin v. Löwis" martin at v.loewis.de
Mon Nov 16 19:40:32 CET 2009

> The problem here, I think, is that you're expecting more from OpenID
> than it really provides. OpenID lets me make an assertion about a URL
> (namely, that I "am" that URL)

That's not true. The Attribute Exchange extension and the Simple
Registration extension allow precisely that. See


> and lets you verify the truth (or
> falsity) of that assertion. It doesn't let me make assertions about my
> real name, email address or other information, and it doesn't let you
> verify the truth (or falsity) of such assertions.

The PAPE extension is designed to talk about policies that a provider
follows. Of course, the provider may follow additional policies,
making one more trustworthy than another.

>> As a relying party, I have to trust the provider. Some providers I
>> trust, others I don't (it seems that myOpenID.com is less trustworthy
>> than I was originally told, in that respect).
> Somewhat sad to note: I cannot use my OpenID with PyPI. I delegate to
> myopenid.com, but my OpenID is and always has been
> "http://www.b-list.org/"

Did you try that out? I can't see a reason why you shouldn't be able
to use that with PyPI - just follow the myOpenID link on the front
page (or, if you already have a PyPI account, log in, go to your user
information, and *then* follow the myOpenID link).

> But unless/until PyPI supports using my actual OpenID, and not just
> the transient provider I happen to be delegating to at the moment, the
> OpenID features on PyPI are basically useless to me.

I fail to see why that is the case. Does it not work, or are you simply
refusing to use it even though it would work?

