[Catalog-sig] OpenID on PyPI

"Martin v. Löwis" martin at v.loewis.de
Sun Sep 13 07:40:01 CEST 2009

> I wanted to note in particular that
>> must provide a validated email address, either through AX or SREG
> is not very useful for this sort of system. Keep in mind that Google and
> MyOpenID, two of the providers on the whitelist, can return email
> addresses, they are optional.

That's perfectly fine. If the user choses to not provide an email
address, PyPI will refuse to register them.

> It's just as likely that a Google user
> will opt not to return an email address. And I believe (although I'm not
> sure right now) that with MyOpenID you can return any email address you
> want.

That would be unfortunate. If that's possible, and becomes a problem in
practice, I will need to disable MyOpenID (for new users).

> In short, you still have to verify the email address through traditional
> means.

If that was the case, the whole OpenID process would be pointless for
a relying party.

However, I don't think that's actually the case. It is certainly
possible for a provider to spare me the work of verifying the user
information. It's just that I have to be selective in trusting

> As another point, I do use MyOpenID as my provider, but I do so through
> delegation from my personal site; that way I don't have to do the work
> of maintaining a provider but I can use one that I trust. With this
> whitelist I cannot use my chosen identifier.

But you don't have to. Just follow the OpenID link and be done.

> Please reconsider allowing a user-chosen identifier, even if you do keep
> the identifier-select buttons.

Sorry, I'm fundamentally opposed to integating a text box into the user


More information about the Catalog-SIG mailing list