[Python-Dev] Too many Python accounts

Carey Tilden carey.tilden at gmail.com
Sun Nov 15 21:20:05 CET 2009


On Sun, Nov 15, 2009 at 11:31 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>
> > Well, when I log in my registered ID is www.voidspace.org.uk and *not*
> > fuzzyman.myopenid.com - so I believe you are incorrect (and in fact this
> > very point was touted as one of the advantages of openid - that your
> > account is independent of your provider and that you *can* change
> > provider whilst retaining the same id).
>
> On the wire (between relying party and provider), voidspace.org.co.uk
> never appears. From the OpenID 1.1 specification:
>
> # Now, when a Consumer sees that, it'll talk to
> # http://www.livejournal.com/openid/server.bml and ask if the End User
> # is exampleuser.livejournal.com, never mentioning www.example.com
> # anywhere on the wire.
>
> So all I (as a relying party) get verified is fuzzyman.myopenid.com.
> Why should I trust that voidspace.org.uk is actually a valid ID?

Since the user entered voidspace.org.uk, they presumably believe it's an
address they control.  You have to assume they delegated to another
provider on purpose.

> Can't you then produce hundreds of IDs, all delegating to the same
> identity?

Yes.

> IOW, why should I (as a relying party) pay any attention to the ID
> that you entered, rather than to what I get actually validated?

Because the user entered the value they wanted as their identity.  This is
the reason delegation even exists in the spec.  In fact, the very next line
after the section you quoted is:

# The main advantage of this is that an End User can keep their Identifier
# over many years, even as services come and go; they'll just keep
# changing who they delegate to.

If the provider dictates the identity, as you keep insisting, that sentence
makes no sense whatsoever.  The value entered as the identifier is the
identifier you should use.  Otherwise, what's the point of delegation at all?

> Regards,
> Martin
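Added example, not part of the original message or of the OpenID specification: a sketch of how a relying party can handle OpenID 1.1 delegation, using the identifiers from the spec passage quoted in the thread. The function names and the `rp.example` return URL are hypothetical, and the response signature is assumed to have been verified already.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

class _LinkParser(HTMLParser):
    """Collects the openid.server / openid.delegate <link> tags of a page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate"):
                    self.links.setdefault(rel, a["href"])

def discover(claimed_id, html):
    """html is the page the relying party itself fetched from claimed_id."""
    p = _LinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link at " + claimed_id)
    # Without a delegate link, the claimed identifier is what the provider checks.
    return {"claimed_id": claimed_id, "server": server,
            "identity": p.links.get("openid.delegate", claimed_id)}

def checkid_url(d, return_to):
    """Build the provider request; only the delegate goes on the wire."""
    q = {"openid.mode": "checkid_setup", "openid.identity": d["identity"],
         "openid.return_to": return_to}
    return d["server"] + "?" + urlencode(q)

def account_key(d, response):
    """Map a positive assertion back to the identifier the account is stored under."""
    # Assumption: the signature on `response` was verified before this call.
    if response.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if response.get("openid.identity") != d["identity"]:
        raise ValueError("provider asserted a different identity")
    return d["claimed_id"]

# Constructed sample page, using the URLs from the quoted spec text.
SAMPLE = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://exampleuser.livejournal.com/">
</head><body></body></html>"""
```

The link between the entered identifier and the delegate comes from the relying party fetching the page at the entered URL itself, so that fetch is the step the relying party is trusting when it stores the entered value as the account key.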

