[Catalog-sig] OpenID on PyPI
jcea at jcea.es
Thu Sep 10 19:16:50 CEST 2009
Martin v. Löwis wrote:
>> The point of OpenID is not
>> to depend on a centralized service. That is the reason I have my own
>> OpenID provider.
> If that's the idea, then I think OpenID is severely flawed.
The point of OpenID is something like this:
* Create an account in your system.
* Link that account to an unforgeable, easy to use, "token".
* Every time somebody can prove "token" ownership, the user is logged in.
The OpenID is the "token". If I link my account to an OpenID and only
*ME* can prove "ownership" of it when I try to log in, then I can prove
my identity to your system.
In this aspect you don't need a "well known" OpenID provider. In fact,
depending on a "well known" OpenID provider is a risk if: that provider
goes down (let's say Gmail last week :-) ), it is hacked, it goes out of
business, or the OpenID admins are not to be trusted.
> Your provider will have to compete with the other providers to be
> acceptable for PyPI, according to the criteria posted at
Of course you can require whatever you want, but I don't really see the
point. I could comply with all the requirements except the first: "must
be in wide use, using procedures that the community trusts".
If you don't require me to use a Gmail email address, for instance, I
don't see why you require I use a "widely used" OpenID provider. It is
the very same thing.
Jesus Cea Avion
jcea at jcea.es - http://www.jcea.es/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz