"Martin v. Löwis" <mar...@v.loewis.de> writes:

> > And that registration should be using any OpenID, so that I don't
> > need any new identities to participate on the Python sites: I can
> > re-use existing identities.
>
> PyPI actually does support OpenID.

I commend the PyPI administrators for this step, but the implementation is currently insufficient: it conflates a user's OpenID (their identity, as a URL) with their OpenID provider (the service which the person has chosen to do the authentication check and serve the data).

That's what I meant by “should be using any OpenID”. One of the best features of the OpenID system is identity delegation: that one's identity can be decoupled from the service behind the scenes which provides that identity.

This is important, because it means I am not tied to a particular provider to maintain my identity; if they no longer provide my identity in a way I like, I can switch to a different provider while keeping the same identity.

Fred can use his own OpenID ‘fred.example.org’, initially set up behind the scenes to delegate to ‘bigcorp.example.com’ as the provider. Any time he likes, Fred can *change* which provider is actually used for authentication, without changing his OpenID. PyPI gets to find out which provider Fred is using for the identity ‘fred.example.org’ each time it performs discovery on that identity, not before.

So, PyPI should not be asking the user “what is your provider?” since that's (a) a detail irrelevant to the user if they just know their OpenID, (b) liable to change independent of the OpenID, and (c) discoverable from the OpenID auth process anyway.

PyPI should instead ask the user for their OpenID (‘fred.example.org’), without discussing providers. Then, attempt to authenticate that user, at which point PyPI automatically gets to find out which provider is in use (‘bigcorp.example.com’). If you *then* want to be picky and complain that PyPI refuses identities provided by ‘bigcorp.example.com’, that's the time to do it.

I hope that makes more sense.

-- 
 \     “Geeks like to think that they can ignore politics. You can |
  `\     leave politics alone, but politics won't leave you alone.” |
_o__)                               —Richard Stallman, 2002-07-26 |
Ben Finney

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
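
The discovery step described in the message above, as an added example that is not part of the original post and is not PyPI's code: a relying party reads the provider from the `<link>` elements in the head of the page served at the user's OpenID (HTML-based discovery), and applies any provider policy only afterwards. The URLs, the sample pages and the names `discover` and `provider_allowed` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _HeadLinks(HTMLParser):
    """Collect rel -> href from <link> elements inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():
                if href:
                    self.rels.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Return (claimed_id, provider_endpoint, local_id) for an identity page."""
    p = _HeadLinks()
    p.feed(html)
    # OpenID 2.0 rel values first, then the OpenID 1.1 equivalents.
    endpoint = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    if endpoint is None:
        raise ValueError("no OpenID provider advertised at " + claimed_id)
    local_id = (p.rels.get("openid2.local_id")
                or p.rels.get("openid.delegate") or claimed_id)
    return claimed_id, endpoint, local_id

def provider_allowed(endpoint, blocked_hosts):
    """Relying-party policy, applied after discovery has revealed the provider."""
    parts = urlsplit(endpoint)
    return parts.scheme == "https" and parts.hostname not in blocked_hosts

# Constructed pages served at Fred's OpenID before and after he switches provider.
FRED = "https://fred.example.org/"
PAGE_BEFORE = """<html><head>
<link rel="openid2.provider openid.server" href="https://bigcorp.example.com/openid/auth">
<link rel="openid2.local_id openid.delegate" href="https://fred.bigcorp.example.com/">
</head><body>Fred's home page</body></html>"""
PAGE_AFTER = PAGE_BEFORE.replace("bigcorp.example.com", "othercorp.example.net")
```

The account key on the relying party is the claimed identifier (`FRED`), which is the same for both pages; only the discovered endpoint changes.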