While OpenID does not resolve captcha in and of itself, if we could use one
central authentication system then it might be worth having more
accessible (higher cost) account creation solutions available at that
one point. Today it would be prohibitively costly to do anything but an
automated captcha generator for the millions of instances where
validating your humanity is required. Using my previous analogy, if you
had one central vault rather than little safes spread all over town, it
might be cost effective to have a concierge there to help. With little
safes all over town nobody can afford anything but the most simplistic
automated security. So if the big safehouse can use their real human
person to validate that you are you and give you a key to all your other
safes around town, that would be ideal. Today on the web we have
disparate authentication systems so every site has to test you over and
over for humanity and authorization. OpenID attempts to clear this up by
being a central authority to validate that you are you. So the
individual sites don't have to do all the captcha hoop jumps or whatever
to validate you. Not only that, there can be choices of authorization
places. So if one authentication provider isn't accessible, use somebody
else. Right now if you're on a particular site, if their authentication
system is inaccessible you are stuck.
CB
Jane Lee wrote:
Yes, but that's how many of the captchas are being broken today.
OpenID is also an issue... I think my situation defines it pretty well: I have
something like a dozen OpenIDs spread over lots of sites (already pretty
much violating the principle of openid), and there are only two times I ever
use my main openid: to comment on blogs, and to log in to a site called Stack
Overflow. And arguably one place where captchas are used often is on blogs.
So how does someone prove using openid that a person is a spammer or not?
You can't. OpenID is for authentication and not to be confused with
reputation or authorization. And yes, you hit on another issue of OpenID: a
single failure point... although it's sort of meaningless *until* you know
someone already has a reputation/authorization to do something somewhere via
their OpenID.
cheers,
jane
On Wed, Oct 1, 2008 at 10:46 AM, Chris Blouch <[EMAIL PROTECTED]> wrote:
Good solution but hard to scale and has internationalization issues.
Captchas, being entirely algorithm generated, can be more easily cracked by
algorithms, or by cheap labor. It's just hard to come up with solutions that
work for a globalized internet. There is always a security usability
trade-off. This is why some kind of central authentication system needs to be
worked out, like OpenID. Then you can burn a lot of resources one time with
human intervention or whatever to authenticate, spreading that cost over
lots of disparate sites. Lock all the treasures in one vault with one good
lock rather than thousands of little vaults with separate weak locks. Of
course that highlights the failure point of that solution. If the good lock
fails the bad guys have access to all the treasure.
CB