OpenID yadda yadda yadda...

James Henstridge james at jamesh.id.au
Tue Mar 17 07:26:48 GMT 2009


On Thu, Mar 12, 2009 at 7:01 AM, Ben Finney
<bignose+hates-spam at benfinney.id.au> wrote:
> "Stephen J. Turnbull" <stephen at xemacs.org> writes:
>
>> To everything there is a season, and the season for this was almost a
>> year ago:
>>
>> https://bugs.edge.launchpad.net/launchpad-foundations/+bug/210943
>> ~launchpad should be an openid consumer~
>
> Jelmer Vernooij <jelmer at vernstok.nl> writes:
>
>> On Tue, Mar 10, 2009 at 07:05:33PM +1100, Ben Finney wrote:
>> > I hope this is useful to whoever needs to know about it. I would
>> > submit a bug report, but unlike this mailing list it requires me
>> > to manage a separate authentication identity.
>> I agree this is one of the major problems of Launchpad, and it would be
>> much appreciated if they allowed e.g. OpenID authentication or
>> something like that.
>
> Or even if one could participate entirely via email without setting up
> any explicit site-specific account, just as one can with e.g. the
> Debian bug tracker.

And Debian has to put in a fair bit of work to ensure that spam
doesn't make its way into the system.  Registration is one of the ways
that Launchpad uses to reduce the impact of spam (it certainly doesn't
stop all cases, but it does make a difference and helps in clean up).
Launchpad certainly isn't alone in this regard.

Furthermore, lack of registration and authenticated access means that
I only need to forge an email to perform actions on your behalf in
debbugs.


>> It's not *that* big a thing though imo, there are lots of other
>> sites that also require authentication using passwords, including
>> for example alioth.
>
> If someone is overloaded already with site-specific authentication
> cookies, that's no reason to take on more of them. Quite the opposite,
> I would think. I hit my limit some time ago.

Most OpenID relying party sites use session cookies to identify the
user after authentication.  It certainly is possible to design an RP
that doesn't rely on cookies for client side state, but it will either
be via a cookie substitute (e.g. session identifier in the URL) or by
asking the user to reauthenticate every time they perform a restricted
action.

So OpenID is not going to save you from session cookies.  It will help
with managing passwords though.


>> Also, if you're subscribed to the mailing list, you did have to
>> specify a password for it in mailman, creating an account for your
>> email address on lists.canonical.com.
>
> I participate via an interface that does not require any site-specific
> account, precisely to avoid that barrier.

OpenID is not going to make a difference to whether you need a
Launchpad account in order to use Launchpad.  When Launchpad is an
OpenID RP, it'll likely mean two things:
 1. you can log into your account using OpenID authentication as the
    credentials.
 2. logging in with an unknown OpenID identifier might create an
    account associated with that identifier.

If you want Launchpad to send you email, you'd still need to go
through the email validation process.  While an OpenID provider can
provide an email address to the RP, this is self asserted and not much
different from a user entering an email address into a registration
form.  Any responsible site is going to verify that the owner of that
address really wants to receive mail before accepting it.

James.
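
The point above about provider-supplied email being self-asserted, as an added example that is not part of the original message and is not Launchpad's code: a relying party creates an account for an unknown identifier but keeps the claimed address pending until a mailed token is redeemed. All names (`login_with_openid`, `claimed_email`, the in-memory `accounts` store) are hypothetical, and the OpenID assertion itself is assumed to have been verified already.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # signing key, generated here for the example
TOKEN_TTL = 3600                  # seconds a confirmation token stays valid
accounts = {}                     # OpenID identifier -> record (stand-in for a DB)

def login_with_openid(identifier, claimed_email=None):
    """Run after the assertion for `identifier` is verified; creates unknown accounts."""
    acct = accounts.setdefault(identifier, {"email": None, "pending_email": None})
    if claimed_email and claimed_email != acct["email"]:
        # Self-asserted by the provider: store as pending, never as verified.
        acct["pending_email"] = claimed_email
    return acct

def _sign(identifier, email, expires):
    msg = json.dumps([identifier, email, expires]).encode()  # unambiguous encoding
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_confirmation(identifier, now=None):
    """Token to mail to the pending address; bound to identifier, address, expiry."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    email = accounts[identifier]["pending_email"]
    return f"{expires}.{_sign(identifier, email, expires)}"

def confirm_email(identifier, token, now=None):
    """Promote the pending address only for a fresh token matching that address."""
    now = time.time() if now is None else now
    acct = accounts.get(identifier)
    if acct is None or not acct["pending_email"]:
        return False
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    expected = _sign(identifier, acct["pending_email"], expires)
    if now > expires or not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    acct["email"], acct["pending_email"] = acct["pending_email"], None
    return True

def can_send_mail(identifier):
    # Mail goes only to an address whose owner redeemed a token.
    return accounts[identifier]["email"] is not None
```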