[Catalog-sig] OpenID on PyPI

"Martin v. Löwis" martin at v.loewis.de
Fri Sep 11 09:24:02 CEST 2009

> The point of OpenID is something like this:
> * Create an account in your system.
> * Link that account to an unforgeable, easy to use, "token".
> * Every time somebody can prove "token" ownership, the user is logged in.

There is one more aspect to it: user registration. As a relying party,
I want to eliminate/reduce the effort of account management. As such,
the provider needs to provide me with an email address, and (ideally)
a real name.

> The OpenID is the "token". If I link my account to an OpenID and only
> *ME* can prove "ownership" of it when I try to login, then I can prove
> my identity to your system.

No, they can't (see below).

> In this aspect you don't need a "well known" OpenID provider. 

I sure do. I have to trust that your local OpenID provider
creates unforgeable tokens. I don't trust that it does.

> In fact,
> depending on a "well known" OpenID provider is a risk if: that provider
> goes down (let's say Gmail last week :-) ), it is hacked, it goes out of
> business, or the OpenID admins are not to be trusted.

Right - that may happen. Therefore, I (as a relying party) have to
really trust the providers I rely on (as have my users). It's
called *relying* party for a reason.

> If you don't require me to use a Gmail email address, for instance, I
> don't see why you require I use a "widely used" OpenID provider. It is
> the very same thing.

No, it's not. Not only do the users need to trust the provider, but so
does (and more so) the relying party. Many relying parties don't care about
that trust (which is their choice), but I do.
