[Catalog-sig] OpenID on PyPI

Adam Lowry adam at therobots.org
Sun Sep 13 19:52:20 CEST 2009

On Sep 12, 2009, at 10:40 PM, Martin v. Löwis wrote:
> However, I don't think that's actually the case. It is certainly
> possible for a provider to spare me the work of verifying the user
> information. It's just that I have to be selective in trusting
> providers.

I think if you do some reading on discussions of SREG/AX and verified  
email you'll find that this is truly in its nascent stages; only a  
very few RPs have made the leap to trusting any email addresses, and  
PyPI is the only one I've heard of that requires it, since it  
restricts usage to a tiny minority of OpenID users.

And please consider the case where I have an existing PyPI account,  
with a verified email address, but for convenience and security I wish  
to use my OpenID. You don't need any email address from the provider.  
And the PyPI login uses basic auth over an unencrypted channel, so any  
OpenID provider is more secure from my end.

> Sorry, I'm fundamentally opposed to integating a text box into the  
> user
> interface.

Why is that? Technical audiences like those of PyPI's userbase have no  
trouble with optional OpenID fields for login. If it's an aesthetic  
issue, there are many ways to highlight your preferred providers while  
maintaining choice. I can provide examples for both cases or put you  
in touch with other implementers, if you'd like.

I won't bother you much longer, as you obviously feel very strongly  
about it, but as far as I can see the majority of the OpenID  
Foundation leadership itself wouldn't be able to use OpenID on PyPI,  
as a great many delegate or run their own providers and many of those  
that don't use other major providers.


More information about the Catalog-SIG mailing list