[Catalog-sig] OpenID on PyPI

Jesus Cea jcea at jcea.es
Thu Sep 10 19:16:50 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin v. Löwis wrote:
>> The point of OpenID is not
>> to depend on a centralized service. That is the reason I have my own
>> OpenID provider.
> 
> If that's the idea, then I think OpenID is severely flawed.

The point of OpenID is something like this:

* Create an account in your system.

* Link that account to an unforgeable, easy to use, "token".

* Every time somebody can prove "token" ownership, the user is logged in.

The OpenID is the "token". If I link my account to an OpenID and only
*ME* can prove "ownership" of it when I try to login, then I can prove
my identity to your system.

In this aspect you don't need a "well known" OpenID provider. In fact,
depending on a "well known" OpenID provider is a risk if: that provider
goes down (let's say Gmail last week :-) ), it is hacked, it goes out of
business, or the OpenID admins are not to be trusted.

> Your provider will have to compete with the other providers to be
> acceptable for PyPI, according to the criteria posted at
> 
> http://pypi.python.org/pypi?:action=openid

Of course you can require whatever you want, but I don't really see the
point. I could comply with all the requirements except the first: "must
be in wide use, using procedures that the community trusts".

If you don't require me to use a Gmail email address, for instance, I
don't see why you require me to use a "widely used" OpenID provider. It
is the very same thing.

- --
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBSqk0e5lgi5GaxT1NAQLwFwQAjwqwG0ENzzMZ1wF5gOZjR1CEXhyTxJcU
29rNiNIIgqO7Eu0IDDyVIPECR2v+bsLk7zBT4DO0IF2PdxSBGRBFfvnJ2GvyCJUD
a0u+fi5fYaMDfT/9FGkf6bSe/6MFCZluZZbsZJIP2xlvFWQCxSRM45BLM3strP9h
RXnOyvKurbI=
=Z6jw
-----END PGP SIGNATURE-----
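The three-step model in the message (create an account, link it to an OpenID "token", log the user in whenever ownership of that token is proven) and the provider-policy question it argues about, as an added example that is not code from this thread or from PyPI. It models a relying party (the site being logged in to) and a stand-in OpenID provider; the provider signs its positive assertion with an HMAC under a secret shared at association time, as OpenID 2.0 does, but the field names, serialization, endpoint URLs and the `trusted_endpoints` policy knob are simplified assumptions. Besides checking the signature, the relying party rejects replayed and stale assertions and only accepts an identifier from the provider that was discovered for it at link time, so one provider cannot vouch for identifiers that belong to another.

```python
import hashlib
import hmac
import secrets
import time

NONCE_MAX_AGE = 300  # seconds; assertions older than this are rejected


def kv_form(fields):
    """Serialize the signed fields in a fixed order; 'sig' is never signed material."""
    return "".join(f"{k}:{fields[k]}\n" for k in sorted(fields) if k != "sig").encode()


class Provider:
    """Stand-in OpenID provider (OP). Anyone can run one: the
    'my own OpenID provider' case from the thread."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        # Shared with a relying party when it associates with this OP (assumed flow).
        self.assoc_secret = secrets.token_bytes(32)

    def assert_login(self, claimed_id, return_to):
        """Positive assertion: the OP vouches that the user controls claimed_id."""
        fields = {
            "op_endpoint": self.endpoint,
            "claimed_id": claimed_id,
            "return_to": return_to,
            "response_nonce": f"{int(time.time())}-{secrets.token_hex(8)}",
        }
        fields["sig"] = hmac.new(self.assoc_secret, kv_form(fields), hashlib.sha256).hexdigest()
        return fields


class RelyingParty:
    """The site the user logs in to (PyPI, in the thread)."""

    def __init__(self, trusted_endpoints=None):
        self.accounts = {}        # username -> (claimed_id, op_endpoint found at link time)
        self.associations = {}    # op_endpoint -> association secret
        self.seen_nonces = set()  # replay protection
        self.trusted = trusted_endpoints  # None: any provider is acceptable

    def create_account(self, username):
        self.accounts[username] = None

    def link_openid(self, username, claimed_id, op_endpoint):
        # In real OpenID the op_endpoint comes from discovery on claimed_id.
        self.accounts[username] = (claimed_id, op_endpoint)

    def associate(self, provider):
        self.associations[provider.endpoint] = provider.assoc_secret

    def login(self, assertion):
        """Return ("ok", username) on success, else (reason, None)."""
        op = assertion.get("op_endpoint")
        # Provider policy: the "must be in wide use" criterion lives here.
        if self.trusted is not None and op not in self.trusted:
            return ("untrusted-provider", None)
        secret = self.associations.get(op)
        if secret is None:
            return ("unknown-association", None)
        expected = hmac.new(secret, kv_form(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return ("bad-signature", None)
        nonce = assertion["response_nonce"]  # present: it was covered by the signature
        if nonce in self.seen_nonces:
            return ("replay", None)
        if time.time() - int(nonce.split("-")[0]) > NONCE_MAX_AGE:
            return ("stale", None)
        self.seen_nonces.add(nonce)
        # Ownership proven: find the account linked to this identifier *at this OP*.
        for username, linked in self.accounts.items():
            if linked == (assertion["claimed_id"], op):
                return ("ok", username)
        return ("unlinked-identifier", None)


if __name__ == "__main__":
    # Constructed sample: a self-hosted provider and a relying party with no provider policy.
    own = Provider("https://op.example.test/")
    rp = RelyingParty()
    rp.create_account("jcea")
    rp.link_openid("jcea", "https://op.example.test/jcea", own.endpoint)
    rp.associate(own)
    assertion = own.assert_login("https://op.example.test/jcea", "https://rp.example.test/login")
    print(rp.login(assertion))  # ('ok', 'jcea')
    print(rp.login(assertion))  # ('replay', None)
```

The `trusted_endpoints` set is where the disputed criterion would be enforced: with it left as `None` the relying party accepts any provider whose assertions verify, which is the position the message defends; populating it with a short list reproduces the "widely used provider" policy, and the same signed assertion from a self-hosted provider is then refused before its signature is even checked.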

