2009/5/15 Stephen J. Turnbull <stephen at>:
> John Arbash Meinel writes:
>  > Well, as mentioned in another thread, it sounds like initial support would
>  > be just for the Launchpad open id auth. Mostly because if you allow
>  > generic openid auth, then a spammer can create their own authority and
>  > have login to everything that allows arbitrary open id
>  > authentication...
> How is that different from creating a throwaway OpenID at one of the
> commercial ID laundries, and using that to log in?  This particular
> restriction is just typical "hey, here's a great open standard I can
> use to lock in and/or track my clients" brain damage (or possibly
> simply lack of resources to even think carefully about the relaying
> case).

Let's assume people are busy rather than malicious?  Trusting just one
server is inferior, but an easy first step.

> The way to prevent spamming is to have some valve in the pipeline that
> every new user has to pass through, at some positive cost.  So far,
> the requirement of a usable email address has worked pretty well.

I agree, and that valve is implemented in Launchpad, rather than in
every individual Canonical site or app.  Soon Launchpad will accept
openid from any other provider, confirm your email address, and then
just act as a relay to the wiki.  For trusted openid servers it could
potentially skip verification.

I understand that "be an OpenID client" is greatly desired, I've made a
case for it to be on the 3.0 feature goals (i.e. targeted at mid 2009),
and I do kind
of feel we've had enough mail about it on this list already.  (Not to
squelch new relevant discussion, but I do understand you want open

Martin

