[Python-Dev] Too many Python accounts

"Martin v. Löwis" martin at v.loewis.de
Sun Nov 15 20:31:51 CET 2009


> Well, when I login my registered ID is www.voidspace.org.uk and *not*
> fuzzyman.myopenid.com - so I believe you are incorrect (and in fact this
> very point was touted as one of the advantages of openid - that your
> account is independent of your provider and that you *can* change
> provider whilst retaining the same id).

On the wire (between relying party and provider), voidspace.org.co.uk
never appears. From the OpenID 1.1 specification:

# Now, when a Consumer sees that, it'll talk to
# http://www.livejournal.com/openid/server.bml and ask if the End User
# is exampleuser.livejournal.com, never mentioning www.example.com
# anywhere on the wire.

So all I (as a relying party) get verified is fuzzyman.myopenid.com.
Why should I trust that voidspace.org.uk is actually a valid ID?
Can't you then produce hundreds of IDs, all delegating to the same
identity?

IOW, why should I (as a relying party) pay any attention to the ID
that you entered, rather than to what I get actually validated?

Regards,
Martin
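
The delegation lookup that the quoted OpenID 1.1 passage describes, as an added example that is not part of the original message: a consumer reads the `openid.server` and `openid.delegate` links from the claimed page and builds the `checkid_setup` request that goes to the provider. The sample pages, the `rp.example.net` URLs and the names `LinkParser`, `discover` and `wire_request` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed sample pages (not real content): two claimed identifiers whose
# HTML heads both delegate to the same provider-side identity.
PAGES = {
    "http://www.example.com/": """<html><head>
      <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
      <link rel="openid.delegate" href="http://exampleuser.livejournal.com/">
      </head><body>home page</body></html>""",
    "http://second.example.org/": """<html><head>
      <LINK REL="openid.delegate" HREF="http://exampleuser.livejournal.com/" />
      <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
      </head></html>""",
}

class LinkParser(HTMLParser):
    """Collect openid.* <link> elements that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.links, self.in_head = {}, False
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            for rel in (attr.get("rel") or "").lower().split():
                if rel.startswith("openid.") and attr.get("href"):
                    self.links.setdefault(rel, attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id):
    """Return (server, identity the provider is asked about) for claimed_id."""
    parser = LinkParser()
    parser.feed(PAGES[claimed_id])  # a real consumer fetches claimed_id over HTTP
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on " + claimed_id)
    # With no delegate link, the claimed identifier itself is sent.
    return server, parser.links.get("openid.delegate", claimed_id)

def wire_request(claimed_id, rp="http://rp.example.net/"):
    """Build the checkid_setup URL the user agent carries to the provider."""
    server, identity = discover(claimed_id)
    query = urlencode({"openid.mode": "checkid_setup", "openid.identity": identity,
                       "openid.return_to": rp + "return", "openid.trust_root": rp})
    return server + ("&" if urlsplit(server).query else "?") + query
```

Both constructed claimed identifiers produce the same request, and neither appears in it; the only link between a claimed identifier and the verified identity is the pair of delegation links the consumer read from the claimed page.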

