[Catalog-sig] OpenID login to PyPI

Ben Finney ben+python at benfinney.id.au
Mon Nov 16 01:13:40 CET 2009


Message-ID: <4B00683B.6090902 at v.loewis.de>

Martin van Löwis writes:
> But then, users can easily create as many fake accounts as they want
> to.

What is a “fake account”? I have three OpenIDs that I use for different
purposes. On some sites, I will associate them together; on others, I
only use one. Are any of those “fake accounts”?

If on the other hand you mean “fake PyPI account”, there's nothing about
OpenID that circumvents a proper registration process. You just do it
after asking the user their OpenID, when you find out the OpenID isn't
yet associated with a PyPI account.

An OpenID provider can provide data on the user's behalf during the PyPI
account registration process (using “Simple Registration extension”),
but there's nothing requiring you to treat that data any differently
from whatever else the user might put into a form.

Does that address the “fake account” concern, or have I misunderstood?

-- 
 \         “I'm beginning to think that life is just one long Yoko Ono |
  `\   album; no rhyme or reason, just a lot of incoherent shrieks and |
_o__)                                      then it's over.” —Ian Wolff |
Ben Finney
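
The flow described in the message above, as an added example that is not part of the original post and is not PyPI's code: an OpenID with no associated account goes through ordinary registration, and Simple Registration (SReg) values only prefill a form that is validated like any other input. The store names, validation rules and the `email_confirmed` flag are assumptions made for illustration.

```python
import re

# Constructed in-memory stores standing in for the site's database (hypothetical names).
ACCOUNTS = {}        # username -> account record
OPENID_TO_USER = {}  # verified OpenID identifier -> username

USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{2,29}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_registration(fields):
    """One set of checks, whether a value came from SReg or was typed into the form."""
    errors = []
    username = fields.get("username", "").strip()
    if not USERNAME_RE.match(username):
        errors.append("invalid username")
    elif username.lower() in {u.lower() for u in ACCOUNTS}:
        errors.append("username taken")
    if not EMAIL_RE.match(fields.get("email", "").strip()):
        errors.append("invalid email")
    return errors


def handle_verified_openid(identifier, sreg=None, form=None):
    """Call only after the OpenID assertion for `identifier` has been verified."""
    if identifier in OPENID_TO_USER:
        return ("login", OPENID_TO_USER[identifier])
    # Unknown OpenID: registration starts here. SReg values only prefill the form.
    sreg = sreg or {}
    fields = {"username": sreg.get("nickname", ""), "email": sreg.get("email", "")}
    if form is None:
        return ("show_registration_form", fields)
    fields.update(form)  # what the user submits overrides the prefill
    errors = validate_registration(fields)
    if errors:
        return ("registration_rejected", errors)
    username = fields["username"].strip()
    ACCOUNTS[username] = {
        "email": fields["email"].strip(),
        "email_confirmed": False,  # assumption: the site confirms addresses itself
        "openids": {identifier},
    }
    OPENID_TO_USER[identifier] = username
    return ("registered", username)
```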


