[pmwiki-users] OpenID bounty
Patrick R. Michaud
pmichaud at pobox.com
Fri Oct 6 09:15:24 CDT 2006

On Fri, Oct 06, 2006 at 02:54:37PM +0200, Thomas -Balu- Walter wrote:
> On Thu, Oct 05, 2006 at 01:47:10PM -0500, Patrick R. Michaud wrote:
> > ...that's a requirement for meeting the bounty, yes. But
> > I'm suspecting that they expect packages to use a pre-existing
> > OpenID library somewhere, and I'm wondering about the license
> > for that library, and if I'd run into compatibility issues
> > with that library and some of my other plans for PmWiki.
> I've also just quick-searched the pages, but I can not find such a

I just checked...the PHP library for enabling a site with
OpenID is licensed under the LGPL, so I *think* there wouldn't
be a problem for PmWiki to bundle it with non-GPL licensed stuff.
However, the library seems like overkill, since the package
includes a complete OpenID server and a number of storage
backends in addition to the client part that does the
authentication. So, I probably wouldn't want to bundle the
library itself with PmWiki, but simply to say that it has
to be available on the server in order to use OpenID
authentication. Hmm, I think I like that -- but I don't know
if saying "you must have the PHP OpenID library already
installed on your server" meets the bounty requirements.

> What I would not like is the requirement to "advertise" openID:
> * Place an OpenID logo in the signon form (as on this site).
> * Answer "What is OpenID?" (or link to an answer) near the signon form.

I don't think I have a problem with this -- I would read this
requirement as being active only when OpenID is enabled. So,
the default installation is the same, enabling OpenID in a site
causes the logo and "What is OpenID?" links to appear, wiki
administrators can still customize the Site.AuthForm or other
features to eliminate the logo and link.

> And there are some issues with openID afaik - I like the decentralized
> idea, but if e.g. a spammer sets up an identity provider this can easily
> be exploited.

The OpenID sites are pretty clear that OpenID is simply an
identity management system, not a trust system. We can't
(or shouldn't) blindly say "if you have an OpenID identity
it's safe to post" -- there still has to be something somewhere
that says *which* OpenID identities are to be trusted. But
this can be as simple as:
- listing authorized OpenIDs in Site.AuthUser or local/config.php
- only accepting OpenIDs coming from "trusted" OpenID servers
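
The two options listed above, sketched as an added example that is not part of the original message and is not PmWiki or PHP OpenID library code. The function names, the `$AllowedOpenIDs` and `$TrustedOpenIDServers` variables and all URLs are hypothetical, and the inputs are assumed to be the claimed identifier and server URL taken from an OpenID response the library has already verified.

```php
<?php
// Added example: hypothetical helpers, not PmWiki or PHP OpenID library code.
// Inputs are assumed to come from an OpenID response the library has already
// verified, never from what the user typed into the sign-on form.

// Constructed sample policy, as it might be listed in local/config.php.
$AllowedOpenIDs = array('https://alice.example.org/');
$TrustedOpenIDServers = array('openid.example.com');

// Canonical form for comparison: lowercase scheme and host, explicit path.
// Returns null for anything that is not a plain http(s) URL.
function normalize_openid($url) {
    $p = parse_url(trim($url));
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') return null;
    if (isset($p['user']) || isset($p['pass'])) return null; // reject userinfo
    $host = strtolower($p['host']);
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $path = isset($p['path']) ? $p['path'] : '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return "$scheme://$host$port$path$query";
}

// Authorize if the identity is listed, or if the server that vouched for it
// is trusted. Host comparison is exact, so 'openid.example.com.evil.test'
// does not match 'openid.example.com'.
function openid_is_authorized($claimedId, $serverUrl, $ids, $servers) {
    $id = normalize_openid($claimedId);
    $srv = normalize_openid($serverUrl);
    if ($id === null || $srv === null) return false;
    $allowed = array_filter(array_map('normalize_openid', $ids));
    if (in_array($id, $allowed, true)) return true;
    $host = parse_url($srv, PHP_URL_HOST);
    return in_array($host, array_map('strtolower', $servers), true);
}

// Constructed test cases: listed identity, trusted server, lookalike server.
$cases = array(
    array('https://Alice.Example.org', 'https://idp.example.net/server'),
    array('https://bob.example.net/', 'https://openid.example.com/auth'),
    array('https://bob.example.net/', 'https://openid.example.com.evil.test/auth'),
);
foreach ($cases as $c) {
    $ok = openid_is_authorized($c[0], $c[1], $AllowedOpenIDs, $TrustedOpenIDServers);
    echo $c[0], ' via ', $c[1], ' => ', ($ok ? 'allow' : 'deny'), "\n";
}
```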