openid for bazaar-vcs.org?

Stephen J. Turnbull stephen at xemacs.org
Thu May 14 17:09:38 BST 2009


John Arbash Meinel writes:

 > Well, as mentioned in another thread, it sounds like initial support would
 > be just for the Launchpad open id auth. Mostly because if you allow
 > generic openid auth, then a spammer can create their own authority and
 > have login to everything that allows arbitrary open id
 > authentication...

How is that different from creating a throwaway OpenID at one of the
commercial ID laundries, and using that to log in?  This particular
restriction is just typical "hey, here's a great open standard I can
use to lock in and/or track my clients" brain damage (or possibly
simply lack of resources to even think carefully about the relaying
case).

The way to prevent spamming is to have some valve in the pipeline that
every new user has to pass through, at some positive cost.  So far,
the requirement of a usable email address has worked pretty well.  I
see no reason why insisting on the usual email handshake won't work as
well for OpenID with generic authority as it does for Launchpad ID
with no authority whatsoever.  But it does save the user (who is
willing to have their activity tracked across sites) the annoyance of
maintaining multiple logins at the low, one-time cost of doing the
email dance at every new site.  (Damn, I'm starting to sound like one
of those TV shills!)
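
Added example, not part of the original message: a sketch of the email handshake as a gate that every new OpenID login must pass, whichever provider vouched for it. The names (register, confirm, may_post), the HMAC-signed token format, the demo secret and the one-day expiry are assumptions for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, kept server-side
TOKEN_TTL = 24 * 3600             # assumption: confirmation link valid for one day

accounts = {}  # openid_url -> {"email": str, "active": bool}


def _sign(openid_url, email, expires):
    # Bind the token to this identity, this mailbox and this expiry time.
    msg = "\n".join([openid_url, email, str(expires)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def register(openid_url, email, now=None):
    """Call after the OpenID assertion has verified, whoever the provider is.
    The account starts inactive; the returned token is what gets mailed."""
    if "\n" in openid_url or "\n" in email:
        raise ValueError("newline in identifier or address")
    now = int(time.time() if now is None else now)
    accounts[openid_url] = {"email": email, "active": False}
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(openid_url, email, expires)}"


def confirm(openid_url, token, now=None):
    """Activate only if the mailed token comes back intact and in time."""
    now = int(time.time() if now is None else now)
    acct = accounts.get(openid_url)
    if acct is None:
        return False
    expires_s, _, sig = token.partition(".")
    if not (expires_s.isascii() and expires_s.isdigit()) or int(expires_s) < now:
        return False
    expected = _sign(openid_url, acct["email"], int(expires_s))
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    acct["active"] = True
    return True


def may_post(openid_url):
    # A successful OpenID login alone never grants write access.
    acct = accounts.get(openid_url)
    return bool(acct and acct["active"])
```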



