Comment 21 for bug 1169

Kevin Turner (keturn) wrote : on OpenID provider clearinghouses

I suggest verifying email addresses and OpenID identifiers independently. An OpenID provider is really only authoritative for the OpenID identifier; any other data you receive from it is really only a convenience to save the user from having to re-type it.

I'd argue against relying on a clearinghouse for OpenID providers. You trust the developer to manage their SSH key and their GPG keys; why not trust that they have sane management practices for their OpenID as well?
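
One way to apply the separation suggested in the comment above, as an added example that is not part of the original comment or of the project's code: accounts are keyed only by the already-validated OpenID identifier, and an email address supplied by the provider is kept as an unverified pre-fill until a mailed token is returned. The names `Account`, `login`, `confirm_email`, `email_token` and `SERVER_KEY`, and the `provider_attrs` dictionary, are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret


def email_token(openid_identifier: str, email: str) -> str:
    """Token mailed to the address; binds it to exactly one OpenID identifier."""
    msg = f"{openid_identifier}\n{email.lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class Account:
    def __init__(self, openid_identifier: str):
        self.openid_identifier = openid_identifier  # proven by the OpenID exchange
        self.pending_email = None    # provider-supplied hint, not trusted
        self.verified_email = None   # set only after the mail round trip


def login(accounts: dict, verified_identifier: str, provider_attrs: dict) -> Account:
    """Call only after the OpenID assertion for verified_identifier was validated.

    The provider-supplied email is stored as a pre-fill and is never used
    to look up or merge accounts.
    """
    acct = accounts.setdefault(verified_identifier, Account(verified_identifier))
    hint = provider_attrs.get("email")
    if hint and acct.verified_email is None:
        acct.pending_email = hint
    return acct


def confirm_email(acct: Account, email: str, token: str) -> bool:
    """Verify the address independently of whatever the provider claimed."""
    expected = email_token(acct.openid_identifier, email)
    if hmac.compare_digest(expected.encode(), token.encode()):
        acct.verified_email = email.lower()
        acct.pending_email = None
        return True
    return False
```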