esme-dev mailing list archives

From Vassil Dichev <vdic...@apache.org>
Subject Re: Broken OpenID
Date Mon, 14 Jun 2010 10:16:47 GMT
> And my question still remains the same ;-)
> Should we use time on this right now, or would it be easier to remove the field in the
> UI for now?

Sorry for not following up on this: I had the impression that OpenID
worked as intended and the user is not supposed to create a user
through OpenID. This would mean that the username would be
autogenerated and currently you cannot edit the username. This is not
a hard requirement, but do we want to make the username editable? It
might have some implications for using existing pools, actions, etc.
(not that they're bound to the username, but an attacker might use it
for phishing/social engineering).

Another drawback of OpenID user auto-creation is that a user will not
have a password initially, and might not ever choose to set it. I'm
not sure this is desirable, considering that OpenID might not always
be available and there's no other way to log in.

Finally, from a usability point of view, if you think you have associated
an OpenID URL with an existing account, but you haven't, then logging
in with OpenID will create a new account you do not want. This is
especially tricky considering that we treat these as different URLs:

http://host/path/
http://host/path/index.html
http://host.domain.com/path/

So is OpenID actually broken? If it's not, there's no point in fixing it.

Vassil
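
An added example (not code from ESME or from this thread) in Python of the OpenID 2.0 identifier normalization step that the URL list above touches on, plus a login resolver that treats an unrecognized identifier as "ask the user to link it to an existing account" rather than silently creating a new one. The `KNOWN_ACCOUNTS` table and both function names are constructed for this example; XRI identifiers are out of scope.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: claimed identifier -> existing ESME username.
KNOWN_ACCOUNTS = {"http://host/path/": "alice"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid(identifier: str) -> str:
    """Apply the OpenID 2.0 section 7.2 rules for URL identifiers.

    Scheme and host are lowercased, a missing scheme becomes http://,
    the default port is dropped, an empty path becomes "/", and any
    fragment is discarded.  Userinfo is dropped too (an assumption of
    this example, not something the spec mandates).
    """
    ident = identifier.strip()
    if ident.startswith("xri://") or (ident and ident[0] in "=@+$!("):
        raise ValueError("XRI identifiers are not handled by this example")
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    # Note: the path is NOT canonicalized beyond this, so /path/ and
    # /path/index.html remain distinct identifiers, as do different hosts.
    return urlunsplit((scheme, host, path, parts.query, ""))


def resolve_login(claimed_id: str, known_accounts: dict) -> tuple:
    """Decide what to do after a successful OpenID assertion.

    Returns ("existing", username) when the normalized identifier is
    already bound to an account, otherwise ("needs_link", normalized_id)
    so the UI can offer to attach it to an account the user already owns.
    """
    norm = normalize_openid(claimed_id)
    if norm in known_accounts:
        return ("existing", known_accounts[norm])
    return ("needs_link", norm)
```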
