[Catalog-sig] OpenID login to PyPI

Ben Finney ben+python at benfinney.id.au
Mon Nov 16 21:47:49 CET 2009

James Bennett <ubernostrum at gmail.com> writes:

> The problem here, I think, is that you're expecting more from OpenID
> than it really provides. OpenID lets me make an assertion about a URL
> (namely, that I "am" that URL) and lets you verify the truth (or
> falsity) of that assertion.

More precisely, it lets you make the assertion “I control this URL as an

"Martin v. Löwis" <martin at v.loewis.de> writes:

> That's not true. The Attribute Exchange extension, and the Simple
> Registration extension allow precisely that. See
> http://openid.net/specs/openid-attribute-exchange-1_0.html
> http://openid.net/specs/openid-simple-registration-extension-1_0.html

The strongest assertion you can make about that information, though, is
“this is what the user has provided in answer to these questions”. This
is different from the authentication information in that it is *not* an
assertion of the verity of any of that information, nor is it meant to

> The PAPE extension is designed to talk about policies that a provider
> follows. Of course, the provider may follow additional policies,
> making one more trustworthy than another.

But again, the *only* authentication that is asserted by those policies
is “the user controls the Claimed Identity”. No assertion can be implied
about the other attributes.

> > Somewhat sad to note: I cannot use my OpenID with PyPI. I delegate
> > to myopenid.com, but my OpenID is and always has been
> > "http://www.b-list.org/"
> Did you try that out? I can't see a reason why you shouldn't be able
> to use that with PyPI - just follow the myOpenID link on the front
> page (or, if you have already a PyPI account, login, go to your user
> information, and *then* follow the myOpenID link).

This is a persistent misapprehension you're making, but I suppose it
could come from your focus on the relying party side of this
transaction. You are mistakenly taking the transitory “OP-Local
Identity” and treating it as something that it's not.

The OP-Local Identity is transitory, only to be used during a given
authentication session. It changes whenever James wants it to, at any
future point in time, and the *real* identity — the Claimed Identity in
OpenID protocol-speak — does not change as a result. Thus, their Claimed
Identity is the one that they identify with, and they can delegate
authentication of that identity to someone else (the provider du jour)
at their option and whenever they choose. That is indeed one of the
primary *reasons* for people using OpenID.

To make it clear: when an OpenID user speaks of “my OpenID”, they are
speaking of what the OpenID Authentication protocol calls the Claimed
Identity. That identity is the one that must be persistent with their
account, since that's what they will provide next time they want to log

 \         “If nature has made any one thing less susceptible than all |
  `\    others of exclusive property, it is the action of the thinking |
_o__)                          power called an idea” —Thomas Jefferson |
Ben Finney

More information about the Catalog-SIG mailing list