[Catalog-sig] OpenID login to PyPI
Tres Seaver
tseaver at palladion.com
Mon Nov 16 21:58:44 CET 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martin v. Löwis wrote:
> That's right: you can't use the delegation feature of PyPI right
> now. But you could certainly use your OpenID with PyPI, as myopenid.com
> is one of the accepted providers. I can understand that you may
> not *want* to use that - but it would be certainly possible and
> easy for you to do so.
By blocking delegation, you are forcing James to use an OpenID which is
not the one he prefers.
> Even if PyPI would support entering "www.b-list.org", it would
> still notice and remember that you are "ubernostrum.myopenid.com",
> because it's part of the protocol that it does.
PyPI should be remembering the claimed ID, not the delegated ID. If you
choose to trust only a subset of all authenticating delegates, that is
fine: any "claimed" ID with an unsupported delegate should just be
rejected. But if the "claimed" ID switches its delegate tomorrow from
MyOpenID to Google, PyPI shouldn't need to care.
> I don't know what the point of OpenID delegation is; to me, it
> appears as a work-around to not have people remember long and
> complicated IDs, but rather have them type something they can
> remember. With PyPI, you don't have to remember your ID at all -
> it never ever becomes relevant for anything.
The point is that the "claimed" ID is the "real" identity: the
"delegated-to" ID is an implementation detail which might change in the
future: I might switch from MyOpenID to Google, for instance, if I
thought the service / availability was better, or if Evil Co. bought
MyOpenID and started charging for the service. My "claimed" OpenID
('http://palladion.com/') is my permanent OpenID, no matter who is
handling the delegation during my current browser session with PyPI: it
will remain mine for as long as I keep control of the domain.
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAksBvQAACgkQ+gerLs4ltQ6OtwCgsy1c85j5ygQaBZEpBzHdDSsb
ll4AoLbo/QLbwkSr5huIqOGGYUFGBPDC
=2aVN
-----END PGP SIGNATURE-----
More information about the Catalog-SIG
mailing list