[pmwiki-users] OpenID bounty

Patrick R. Michaud pmichaud at pobox.com
Fri Oct 6 09:15:24 CDT 2006


On Fri, Oct 06, 2006 at 02:54:37PM +0200, Thomas -Balu- Walter wrote:
> On Thu, Oct 05, 2006 at 01:47:10PM -0500, Patrick R. Michaud wrote:
> > ...that's a requirement for meeting the bounty, yes.  But
> > I'm suspecting that they expect packages to use a pre-existing
> > OpenID library somewhere, and I'm wondering about the license
> > for that library, and if I'd run into compatibility issues
> > with that library and some of my other plans for PmWiki.
> 
> I've also just quick-searched the pages, but I can not find such a
> requirement. 

I just checked...the PHP library for enabling a site with 
OpenID is licensed under the LGPL, so I *think* there wouldn't 
be a problem for PmWiki to bundle it with non-GPL licensed stuff.

However, the library seems like overkill, since the package
includes a complete OpenID server and a number of storage
backends in addition to the client part that does the 
authentication.  So, I probably wouldn't want to bundle the
library itself with PmWiki, but simply to say that it has
to be available on the server in order to use OpenID
authentication.  Hmm, I think I like that -- but I don't know
if saying "you must have the PHP OpenID library already 
installed on your server" meets the bounty requirements.

> What I would not like is the requirement to "advertise" openID:
> 
> * Place an OpenID logo in the signon form (as on this site).
> * Answer "What is OpenID?" (or link to an answer) near the signon form.

I don't think I have a problem with this -- I would read this 
requirement as being active only when OpenID is enabled.  So, 
the default installation is the same; enabling OpenID in a site
causes the logo and "What is OpenID?" links to appear; wiki 
administrators can still customize the Site.AuthForm or other 
features to eliminate the logo and link.

> And there are some issues with openID afaik - I like the decentralized
> idea, but if e.g. a spammer sets up an identity provider this can easily
> be exploited.

The OpenID sites are pretty clear that OpenID is simply an
identity management system, not a trust system.  We can't
(or shouldn't) blindly say "if you have an OpenID identity
it's safe to post" -- there still has to be something somewhere
that says *which* OpenID identities are to be trusted.  But
this can be as simple as:
   - listing authorized OpenIDs in Site.AuthUser or local/config.php
   - only accepting OpenIDs coming from "trusted" OpenID servers

Thanks!

Pm
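
The two options listed in the message above (authorized OpenIDs, or only trusted OpenID servers), shown as an added example; it is not part of the original message and is not PmWiki or PHP OpenID library code. The function and variable names are hypothetical, the policy values are constructed, and the claimed identifier and server URL are assumed to come from an OpenID response that the library has already verified.

```php
<?php
// Added example: not PmWiki or PHP OpenID library code; all names are hypothetical.
// Constructed sample policy (in practice this could live in local/config.php).
$AllowedOpenIDs     = ['https://alice.example.org/', 'https://id.example.net/bob'];
$TrustedServerHosts = ['openid.example.net'];

// Canonicalise an identity URL so that "HTTPS://Alice.Example.org" and
// "https://alice.example.org/" compare equal. Returns null if unusable.
function normalize_openid(string $url): ?string {
    $p = parse_url(trim($url));
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') return null;
    if (isset($p['user']) || isset($p['pass'])) return null; // reject userinfo
    $host  = strtolower($p['host']);
    $port  = isset($p['port']) ? ':' . $p['port'] : '';
    $path  = (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return "$scheme://$host$port$path$query"; // fragment is dropped
}

// $claimedId and $serverUrl are assumed to be the values the OpenID library
// reports after it has verified the provider's response, not raw form input.
function openid_is_authorized(string $claimedId, string $serverUrl,
                              array $allowedIds, array $trustedHosts): bool {
    $id = normalize_openid($claimedId);
    if ($id === null) return false;
    // Option 1: the identity itself is listed. Exact match after normalisation.
    foreach ($allowedIds as $allowed) {
        if (normalize_openid($allowed) === $id) return true;
    }
    // Option 2: the identity was asserted by a trusted server. Compare the whole
    // host name; a substring or suffix test would accept look-alike hosts.
    $server = normalize_openid($serverUrl);
    if ($server === null || strpos($server, 'https://') !== 0) return false;
    $host = parse_url($server, PHP_URL_HOST);
    return in_array($host, array_map('strtolower', $trustedHosts), true);
}

// Constructed inputs: a listed identity, an identity from a trusted server,
// and an identity whose server merely contains a trusted host name.
$cases = [
    ['HTTPS://Alice.Example.org', 'https://op.example.com/auth'],
    ['https://id.carol.example/', 'https://openid.example.net/server'],
    ['https://mallory.example/',  'https://openid.example.net.attacker.example/'],
];
foreach ($cases as [$id, $srv]) {
    $ok = openid_is_authorized($id, $srv, $AllowedOpenIDs, $TrustedServerHosts);
    printf("%-28s via %-45s => %s\n", $id, $srv, $ok ? 'accept' : 'reject');
}
```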



