> I wanted to note in particular that >> must provide a validated email address, either through AX or SREG > > is not very useful for this sort of system. Keep in mind that Google and > MyOpenID, two of the providers on the whitelist, can return email > addresses, they are optional.
That's perfectly fine. If the user choses to not provide an email address, PyPI will refuse to register them. > It's just as likely that a Google user > will opt not to return an email address. And I believe (although I'm not > sure right now) that with MyOpenID you can return any email address you > want. That would be unfortunate. If that's possible, and becomes a problem in practice, I will need to disable MyOpenID (for new users). > In short, you still have to verify the email address through traditional > means. If that was the case, the whole OpenID process would be pointless for a relying party. However, I don't think that's actually the case. It is certainly possible for a provider to spare me the work of verifying the user information. It's just that I have to be selective in trusting providers. > As another point, I do use MyOpenID as my provider, but I do so through > delegation from my personal site; that way I don't have to do the work > of maintaining a provider but I can use one that I trust. With this > whitelist I cannot use my chosen identifier. But you don't have to. Just follow the OpenID link and be done. > Please reconsider allowing a user-chosen identifier, even if you do keep > the identifier-select buttons. Sorry, I'm fundamentally opposed to integating a text box into the user interface. Regards, Martin _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
