OpenID doesn't solve the trust issue unless the site using OpenID already knows to trust you somehow, or has steps in place to see if you are "trust"worthy. One of those steps can be a captcha. For all the site knows, your OpenID "proves" that someone has the URL and proper authentication required to get past the provider, but not much else in the average case. Basically, you can be who you say you are, but the site doesn't know if you're a spammer, an unwanted person like a troll, or someone who is the complete opposite and is a legitimate user.

Now, of course, if a spammer went as far as to do all this, a captcha may be trivial, but so is getting a new OpenID or rolling your own setup. Even the "you are who you say you are" part is slightly problematic with OpenID since you don't know who's using it. For all you know it might be two people sharing the same OpenID. Therefore there is really no trust involved. Just barely identity, to the point that OpenID is typically being used for exactly what it was originally meant for: to replace the username and password for an account on a site but *nothing else*.

To use your analogy from my point of view: it doesn't matter who gives you the key. When you go to a safe (it wouldn't be yours, that part of your analogy makes no sense) with a key, the owner of the safe needs to decide whether or not they should let you open it. They'd have to be crazy to let anyone with a key open the safe. If I were the safe owner, I'd want more than a key. Unless it was my friend who gave you the key with my permission... which leads to my next point.

One possible way to solve the trust issue and therefore to remove anything like a captcha is if the site already has an explicit trust relationship with the provider. But uh, have you seen how many different places you can get an OpenID from, as well as running your own server? That's just prohibitively difficult and annoying for a lot of people (or maybe too complicated for most), and it still wouldn't really solve the unwanted user problem.

I can understand where you're coming from, but until OpenID gets some fundamental changes, or someone comes up with a better *trust* (and not just *identity*) model, it's not going to happen.

cheers,
jane

On Thu, Oct 2, 2008 at 11:07 AM, Chris Blouch <[EMAIL PROTECTED]> wrote:
> While OpenID does not resolve captcha in and of itself, if we could use one
> central authentication system then it might be worth having more accessible
> (higher cost) account creation solutions available at that one point. Today
> it would be prohibitively costly to do anything but an automated captcha
> generator for the millions of instances where validating your humanity is
> required. Using my previous analogy, if you had one central vault rather
> than little safes spread all over town, it might be cost effective to have a
> concierge there to help. With little safes all over town nobody can afford
> anything but the most simplistic automated security. So if the big safehouse
> can use their real human person to validate that you are you and give you a
> key to all your other safes around town, that would be ideal. Today on the
> web we have disparate authentication systems so every site has to test you
> over and over for humanity and authorization. OpenID attempts to clear this
> up by being a central authority to validate that you are you. So the
> individual sites don't have to do all the captcha hoop jumps or whatever to
> validate you. Not only that, there can be choices of authorization places.
> So if one authentication provider isn't accessible, use somebody else. Right
> now if you're on a particular site, if their authentication system is
> inaccessible you are stuck.
>
> CB
