[Catalog-sig] OpenID on PyPI
"Martin v. Löwis"
martin at v.loewis.de
Sun Sep 13 07:40:01 CEST 2009
> I wanted to note in particular that
>> must provide a validated email address, either through AX or SREG
>
> is not very useful for this sort of system. Keep in mind that Google and
> MyOpenID, two of the providers on the whitelist, can return email
> addresses; they are optional.
That's perfectly fine. If the user chooses to not provide an email
address, PyPI will refuse to register them.
> It's just as likely that a Google user
> will opt not to return an email address. And I believe (although I'm not
> sure right now) that with MyOpenID you can return any email address you
> want.
That would be unfortunate. If that's possible, and becomes a problem in
practice, I will need to disable MyOpenID (for new users).
> In short, you still have to verify the email address through traditional
> means.
If that was the case, the whole OpenID process would be pointless for
a relying party.
However, I don't think that's actually the case. It is certainly
possible for a provider to spare me the work of verifying the user
information. It's just that I have to be selective in trusting
providers.
> As another point, I do use MyOpenID as my provider, but I do so through
> delegation from my personal site; that way I don't have to do the work
> of maintaining a provider but I can use one that I trust. With this
> whitelist I cannot use my chosen identifier.
But you don't have to. Just follow the OpenID link and be done.
> Please reconsider allowing a user-chosen identifier, even if you do keep
> the identifier-select buttons.
Sorry, I'm fundamentally opposed to integrating a text box into the user
interface.
Regards,
Martin
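The relying-party policy argued in this exchange (accept a registration only when the assertion comes from a whitelisted provider and carries an email address via SREG or AX, refuse otherwise, and be able to switch a provider off for new users) can be written down as a small check. The code below is an added illustration and is not PyPI's code or anything posted in the thread; the provider hostnames are constructed placeholders rather than the real endpoints, and the response is modelled as the flat dict of signed `openid.*` fields that remain after signature and `return_to` verification, which the example assumes has already happened.

```python
"""Added example: relying-party registration policy for OpenID responses.

Assumes the OpenID 2.0 response has already been verified (signature,
return_to, nonce) and is presented as a flat dict of its signed fields.
"""
import re
from urllib.parse import urlparse

# Constructed whitelist. Hostnames are placeholders, not real OP endpoints.
# `new_users` mirrors the thread's option of disabling a provider for new
# registrations while leaving existing accounts untouched.
TRUSTED_PROVIDERS = {
    "op.example-google.invalid":   {"name": "Google",   "new_users": True},
    "op.example-myopenid.invalid": {"name": "MyOpenID", "new_users": True},
}

AX_EMAIL_TYPE = "http://axschema.org/contact/email"   # AX 1.0 type URI for email
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # coarse syntax check only


def provider_for(fields):
    """Map the asserted OP endpoint onto a whitelisted provider, or None."""
    parsed = urlparse(fields.get("openid.op_endpoint", ""))
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    return TRUSTED_PROVIDERS.get(parsed.hostname.lower())


def extract_email(fields):
    """Return the email asserted via SREG or AX, or None if the OP sent none."""
    sreg = (fields.get("openid.sreg.email") or "").strip()
    if sreg:
        return sreg
    # AX fetch_response: find the alias typed as the email URI, then its value.
    prefix = "openid.ax.type."
    for key, value in fields.items():
        if key.startswith(prefix) and value == AX_EMAIL_TYPE:
            alias = key[len(prefix):]
            for cand in (f"openid.ax.value.{alias}", f"openid.ax.value.{alias}.1"):
                val = (fields.get(cand) or "").strip()
                if val:
                    return val
    return None


def registration_decision(fields, existing_user=False):
    """Return (accepted, reason, email) for a verified OpenID response."""
    provider = provider_for(fields)
    if provider is None:
        return False, "provider not on whitelist", None
    if not existing_user and not provider["new_users"]:
        return False, f"{provider['name']} disabled for new users", None
    email = extract_email(fields)
    if email is None:
        return False, "no email address returned", None
    if not EMAIL_RE.match(email):
        return False, "malformed email address", None
    return True, f"accepted via {provider['name']}", email


# Constructed sample responses (values are made up for the example).
SAMPLE_AX = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.op_endpoint": "https://op.example-google.invalid/ud",
    "openid.ns.ax": "http://openid.net/srv/ax/1.0",
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": AX_EMAIL_TYPE,
    "openid.ax.value.email": "alice@example.org",
}
SAMPLE_SREG = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.op_endpoint": "https://op.example-myopenid.invalid/server",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.email": "bob@example.org",
}

if __name__ == "__main__":
    for label, resp in (("AX", SAMPLE_AX), ("SREG", SAMPLE_SREG)):
        print(label, registration_decision(resp))
```

The check deliberately treats a whitelisted provider's email as trusted once it is present, which is exactly the bet the thread describes: the relying party skips its own verification only for providers it has chosen to trust, and the `new_users` flag is the lever for withdrawing that trust from a provider that turns out to hand back unverified addresses.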