[Catalog-sig] OpenID on PyPI
Adam Lowry
adam at therobots.org
Sun Sep 13 19:52:20 CEST 2009

On Sep 12, 2009, at 10:40 PM, Martin v. Löwis wrote:
> However, I don't think that's actually the case. It is certainly
> possible for a provider to spare me the work of verifying the user
> information. It's just that I have to be selective in trusting
> providers.

I think if you do some reading on discussions of SREG/AX and verified
email you'll find that this is truly in its nascent stages; only a
very few RPs have made the leap to trusting any email addresses, and
PyPI is the only one I've heard of that requires it, since it
restricts usage to a tiny minority of OpenID users.

And please consider the case where I have an existing PyPI account,
with a verified email address, but for convenience and security I wish
to use my OpenID. You don't need any email address from the provider.
And the PyPI login uses basic auth over an unencrypted channel, so any
OpenID provider is more secure from my end.

> Sorry, I'm fundamentally opposed to integrating a text box into the
> user interface.

Why is that? Technical audiences like those of PyPI's userbase have no
trouble with optional OpenID fields for login. If it's an aesthetic
issue, there are many ways to highlight your preferred providers while
maintaining choice. I can provide examples for both cases or put you
in touch with other implementers, if you'd like.

I won't bother you much longer, as you obviously feel very strongly
about it, but as far as I can see the majority of the OpenID
Foundation leadership itself wouldn't be able to use OpenID on PyPI,
as a great many delegate or run their own providers and many of those
that don't use other major providers.

Adam