> And my question still remains the same ;-)
> Should we use time on this right now, or would it be easier to remove the
> field in the UI for now?

Sorry for not following up on this: I had the impression that OpenID worked as intended and the user is not supposed to create a user through OpenID.

This would mean that the username would be autogenerated and currently you cannot edit the username. This is not a hard requirement, but do we want to make the username editable? It might have some implications for using existing pools, actions, etc. (not that they're bound to the username, but an attacker might use it for phishing/social engineering).

Another drawback of OpenID user auto-creation is that a user will not have a password initially, and might not ever choose to set it. I'm not sure this is desirable, considering that OpenID might not always be available and there's no other way to log in.

Finally, from a usability point of view, if you think you have associated an OpenID URL with an existing account, but you haven't, then logging in with OpenID will create a new account you do not want. This is especially tricky considering that we treat these as different URLs:

http://host/path/
http://host/path/index.html
http://host.domain.com/path/

So is OpenID actually broken? If it's not, there's no point in fixing it.

Vassil
