[Catalog-sig] OpenID login to PyPI

"Martin v. Löwis" martin at v.loewis.de
Mon Nov 16 19:40:32 CET 2009


> The problem here, I think, is that you're expecting more from OpenID
> than it really provides. OpenID lets me make an assertion about a URL
> (namely, that I "am" that URL)

That's not true. The Attribute Exchange extension and the Simple
Registration extension allow precisely that. See

http://openid.net/specs/openid-attribute-exchange-1_0.html
http://openid.net/specs/openid-simple-registration-extension-1_0.html

> and lets you verify the truth (or
> falsity) of that assertion. It doesn't let me make assertions about my
> real name, email address or other information, and it doesn't let you
> verify the truth (or falsity) of such assertions.

The PAPE extension is designed to talk about policies that a provider
follows. Of course, the provider may follow additional policies,
making one more trustworthy than another.

> 
>> As a relying party, I have to trust the provider. Some providers I
>> trust, others I don't (it seems that myOpenID.com is less trustworthy
>> than I was originally told, in that respect).
> 
> Somewhat sad to note: I cannot use my OpenID with PyPI. I delegate to
> myopenid.com, but my OpenID is and always has been
> "http://www.b-list.org/"

Did you try that out? I can't see a reason why you shouldn't be able
to use that with PyPI - just follow the myOpenID link on the front
page (or, if you already have a PyPI account, log in, go to your user
information, and *then* follow the myOpenID link).

> But unless/until PyPI supports using my actual OpenID, and not just
> the transient provider I happen to be delegating to at the moment, the
> OpenID features on PyPI are basically useless to me.

I fail to see why that is the case. Does it not work, or are you simply
refusing to use it even though it would work?

Regards,
Martin