[Python-Dev] Offtopic: OpenID Providers

Donald Stufft donald at stufft.io
Fri Sep 6 21:40:33 CEST 2013


On Sep 6, 2013, at 3:34 PM, "R. David Murray" <rdmurray at bitdance.com> wrote:

> On Fri, 06 Sep 2013 15:17:12 -0400, Donald Stufft <donald at stufft.io> wrote:
>> On Sep 6, 2013, at 3:11 PM, "R. David Murray" <rdmurray at bitdance.com> wrote:
>> 
>>> IMO, single signon is overrated.  Especially if one prefers not to make
>>> it easy for various accounts to be automatically associated with one
>>> another by various entities who shall remain nameless but have been in
>>> the news a lot lately :)
>> 
>> If I recall Persona doesn't leak this data like OpenID does, but
>> perhaps Dan can speak to that better than I can.
> 
> Note that I said that single signon *itself* was overrated.  If you use
> the same token to authenticate to multiple sites (and here the 'token'
> is the email address) then your identities on those sites are ipso facto
> associated with each other.  *If* that email address is also never
> leaked (never displayed, even to other signed on users, all communication
> with the site encrypted), then you only have to worry if the
> sites exchange information about their accounts, or if the government
> comes knocking on their doors....
> 
> Yes, I'm paranoid.  That doesn't mean they aren't listening.
> 
> That said, sometimes you *want* identities to be associated, so I'm not
> saying Persona is a bad thing.  Just that single signon is overrated.

Well, that's fine to have that opinion, but I think you're underestimating just
how easy it is to link two disparate accounts especially if you have the
cooperation (willing or otherwise) of the site operators. I've personally
seen Google do some particularly amazing connections between accounts
that I don't believe using the same authentication token is going to make
that any easier or harder for them.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
