[Catalog-sig] OpenID login to PyPI

James Bennett ubernostrum at gmail.com
Mon Nov 16 21:48:05 CET 2009

On Mon, Nov 16, 2009 at 2:37 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> That's right: you can't use the delegation feature of PyPI right
> now. But you could certainly use your OpenID with PyPI, as myopenid.com
> is one of the accepted providers. I can understand that you may
> not *want* to use that - but it would be certainly possible and
> easy for you to do so.

It is possible, but it is far from easy.

> Even if PyPI would support entering "www.b-list.org", it would
> still notice and remember that you are "ubernostrum.myopenid.com",
> because it's part of the protocol that it does.

No. It's part of the protocol that you see the OP-local identifier.
When I'm doing delegation, that identifier *IS NOT* the OpenID, and
you shouldn't be assuming that it is.

> I don't know what the point of OpenID delegation is; to me, it
> appears as a work-around to not have people remember long and
> complicated IDs, but rather have them type something they can
> remember. With PyPI, you don't have to remember your ID at all -
> it never ever becomes relevant for anything.

The point is this:

Right now I use myopenid as my provider. It's not the only place where
I can get an OpenID provider, though, and in the future it may go out
of business or I may decide I no longer want to use myopenid,
preferring instead some other provider. Delegation lets *me* keep
control of my identity by maintaining a consistent OpenID in that case
-- before the switch, my OpenID is "www.b-list.org", delegated to
myopenid, and after the switch my OpenID is "www.b-list.org",
delegated to some other provider. This puts my identity in my hands
and not my provider's, and is a huge win for me being able to manage
and control my identity.

But since PyPI doesn't properly support delegation (since, it seems,
you're quite attached to the idea of incorrectly using the OP-local
identifier instead of my actual OpenID), I can't do any of this and so
OpenID on PyPI is useless to me and to anyone else who makes use of

"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

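Added example, not part of the original message and not PyPI's code: how a relying party can store an account under the claimed identifier while still checking, through discovery, that the asserting provider is the one the identity page delegates to. The endpoint URLs, the `fetch` callable and all function names are assumptions, and the assertion's signature is assumed to have been verified already.

```python
from html.parser import HTMLParser

class _LinkRels(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identity page."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.rels.setdefault(rel.lower(), a.get("href"))

def discover(claimed_id, fetch):
    """HTML-based discovery: (op_endpoint, op_local_id) for a claimed identifier."""
    parser = _LinkRels()
    parser.feed(fetch(claimed_id))
    endpoint = parser.rels.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no OpenID provider advertised at " + claimed_id)
    # Without openid2.local_id there is no delegation: local id == claimed id.
    return endpoint, parser.rels.get("openid2.local_id") or claimed_id

def account_key(assertion, fetch):
    """Check a positive assertion (signature assumed verified) and return the account key."""
    claimed = assertion["openid.claimed_id"]
    endpoint, local_id = discover(claimed, fetch)
    # The asserting OP must be the one the claimed identifier's own page names.
    asserted = (assertion["openid.op_endpoint"], assertion["openid.identity"])
    if asserted != (endpoint, local_id):
        raise PermissionError("OP is not authoritative for " + claimed)
    return claimed  # not assertion["openid.identity"], the OP-local identifier

# Constructed sample data: the same identity page before and after a provider switch.
CLAIMED = "http://www.b-list.org/"
PAGE = ('<html><head><link rel="openid2.provider" href="{0}">'
        '<link rel="openid2.local_id" href="{1}"></head></html>')
OLD_OP = ("https://op-a.example/server", "http://ubernostrum.myopenid.com/")
NEW_OP = ("https://op-b.example/server", "https://op-b.example/u/ubernostrum")
BEFORE = {CLAIMED: PAGE.format(*OLD_OP)}
AFTER = {CLAIMED: PAGE.format(*NEW_OP)}

def assertion(endpoint, identity):
    """Build a constructed positive assertion for the claimed identifier."""
    return {"openid.claimed_id": CLAIMED, "openid.op_endpoint": endpoint,
            "openid.identity": identity}
```

The account key is the same before and after the switch, and once the identity page points at the new provider an assertion from the old one is rejected.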