Yes, but that's how many of the captchas are being broken today.

OpenID is also an issue... I think my situation defines it pretty well: I have something like a dozen OpenIDs spread over lots of sites (already pretty much violating the principle of OpenID), and there are only two times I ever use my main OpenID: to comment on blogs, and to log in to a site called stack overflow. And arguably one place where captchas are used often is on blogs.

So how does someone prove using OpenID that a person is a spammer or not? You can't. OpenID is for authentication and not to be confused with reputation or authorization.

And yes, you hit on another issue of OpenID: a single failure point... although it's sort of meaningless *until* you know someone already has a reputation/authorization to do something somewhere via their OpenID.

cheers,
jane

On Wed, Oct 1, 2008 at 10:46 AM, Chris Blouch <[EMAIL PROTECTED]> wrote:
> Good solution but hard to scale and has internationalization issues.
> Captchas, being entirely algorithm generated can be more easily cracked by
> algorithms, or by cheap labor. It's just hard to come up with solutions that
> work for a globalized internet. There is always a security usability trade
> off. This is why some kind of central authentication system needs to be
> worked out, like OpenID. Then you can burn a lot of resources one time with
> human intervention or whatever to authenticate, spreading that cost over
> lots of disparate sites. Lock all the treasures in one vault with one good
> lock rather than thousands of little vaults with separate weak locks. Of
> course that highlights the failure point of that solution. If the good lock
> fails the bad guys have access to all the treasure.
>
> CB
