[Catalog-sig] OpenID login to PyPI

Tres Seaver tseaver at palladion.com
Mon Nov 16 21:58:44 CET 2009

Martin v. Löwis wrote:

> That's right: you can't use the delegation feature of PyPI right
> now. But you could certainly use your OpenID with PyPI, as myopenid.com
> is one of the accepted providers. I can understand that you may
> not *want* to use that - but it would be certainly possible and
> easy for you to do so.

By blocking delegation, you are forcing James to use an OpenID which is
not the one he prefers.

> Even if PyPI would support entering "www.b-list.org", it would
> still notice and remember that you are "ubernostrum.myopenid.com",
> because it's part of the protocol that it does.

PyPI should be remembering the claimed ID, not the delegated ID.  If you
choose to trust only a subset of all authenticating delegates, that is
fine:  any "claimed" ID with an unsupported delegate should just be
rejected.  But if the "claimed" ID switches its delegate tomorrow from
MyOpenID to Google, PyPI shouldn't need to care.

> I don't know what the point of OpenID delegation is; to me, it
> appears as a work-around to not have people remember long and
> complicated IDs, but rather have them type something they can
> remember. With PyPI, you don't have to remember your ID at all -
> it never ever becomes relevant for anything.

The point is that the "claimed" ID is the "real" identity:  the
"delegated-to" ID is an implementation detail which might change in the
future:  I might switch from MyOpenID to Google, for instance, if I
thought the service / availability was better, or if Evil Co. bought
MyOpenID and started charging for the service.  My "claimed" OpenID
('http://palladion.com/') is my permanent OpenID, no matter who is
handling the delegation during my current browser session with PyPI:  it
will remain mine for as long as I keep control of the domain.

--
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
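
The account-binding rule argued for in this message, as an added sketch that is not part of the original post and not PyPI's code: the account is keyed on the claimed ID, the asserting provider must be on the accepted list, and it must be the delegate the claimed ID currently names. The `.example` endpoints, the helper names and the `discover` stub are assumptions; signature verification of the assertion is assumed to have happened already.

```python
# Constructed allow-list: placeholder endpoints standing in for accepted providers.
TRUSTED_OP_ENDPOINTS = {
    "https://op-one.example/server",  # stands in for MyOpenID
    "https://op-two.example/openid",  # stands in for Google
}

class LoginRejected(Exception):
    """Raised when an assertion must not be mapped to an account."""

def assertion_for(claimed_id, op_endpoint, op_local_id):
    """Build the three OpenID 2.0 response fields this check relies on (constructed input)."""
    return {"openid.claimed_id": claimed_id,
            "openid.op_endpoint": op_endpoint,
            "openid.identity": op_local_id}

def resolve_account(assertion, discover, accounts):
    """Return the local account for a signature-verified positive assertion.

    discover: callable claimed_id -> (op_endpoint, op_local_id). A real relying
    party performs discovery on the claimed URL; a dict lookup stands in here.
    accounts: dict mapping claimed ID -> local account name.
    """
    claimed = assertion["openid.claimed_id"]
    endpoint = assertion["openid.op_endpoint"]
    local_id = assertion["openid.identity"]

    # Policy: a claimed ID whose delegate is not an accepted provider is rejected.
    if endpoint not in TRUSTED_OP_ENDPOINTS:
        raise LoginRejected("delegate is not an accepted provider")

    # The claimed ID's own document must name this endpoint and local ID;
    # without this, any accepted provider could assert anyone's claimed ID.
    if discover(claimed) != (endpoint, local_id):
        raise LoginRejected("provider is not the current delegate of the claimed ID")

    # Key the account on the claimed ID, never on the delegated-to ID.
    return accounts.setdefault(claimed, f"user{len(accounts) + 1}")

def demo():
    """Log in, switch delegate, log in again; both logins should hit one account."""
    claimed = "http://palladion.com/"  # claimed ID quoted in the message
    accounts = {}
    delegation = {claimed: ("https://op-one.example/server", "https://tres.op-one.example/")}
    first = resolve_account(assertion_for(claimed, *delegation[claimed]), delegation.get, accounts)
    # The owner edits the delegation on their own page to point at another provider.
    delegation[claimed] = ("https://op-two.example/openid", "https://op-two.example/id/123")
    second = resolve_account(assertion_for(claimed, *delegation[claimed]), delegation.get, accounts)
    return first, second

if __name__ == "__main__":
    print(demo())
```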

