I agree that OpenID has a lot of fundamental problems. I guess where I was going is that if there was some way to set up a centralized authentication system then it would be more cost effective to implement more accessible interaction models. My own company uses audio and image captchas for creating accounts and we get complaints about how hard the audio is to understand, but the alternative is to open the door to spammers trying to make bogus accounts. We toyed with the idea of real people making telephone conversations with folks wanting accounts, but that was very costly and didn't guarantee much more security. If I even had the option of choosing my authentication provider I might even be willing to pay for one that does things better. It's a tough nut to crack and I don't think anybody has it worked out yet.

CB

Jane Lee wrote:
OpenID doesn't solve the trust issue unless the site using OpenID already
knows to trust you somehow, or has steps in place to see if you are
"trust"worthy. One of those steps can be a captcha. For all the site knows,
your OpenID "proves" that someone has the URL and proper authentication
required to get past the provider, but not much else in the average case.
Basically, you can be who you say you are, but the site doesn't know if
you're a spammer, an unwanted person like a troll, or someone who is the
complete opposite and is a legitimate user. Now, of course, if a spammer
went as far as to do all this, a captcha may be trivial, but so is getting a
new OpenID or rolling your own setup. Even the "you are who you say you are"
part is slightly problematic with OpenID since you don't know who's using
it. For all you know it might be two people sharing the same OpenID.
Therefore there is really no trust involved. Just barely identity, to the
point that OpenID is typically being used for exactly what it was originally
meant for: to replace the username and password for an account on a site but
*nothing else*.

To use your analogy from my point of view: it doesn't matter who gives you
the key. When you go to a safe (it wouldn't be yours, that part of your
analogy makes no sense) with a key, the owner of the safe needs to decide
whether or not they should let you open it. They'd have to be crazy to let
anyone with a key open the safe. If I were the safe owner, I'd want more
than a key. Unless it was my friend who gave you the key with my
permission... which leads to my next point.

One possible way to solve the trust issue and therefore to remove anything
like a captcha is if the site already has an explicit trust relationship
with the provider. But uh, have you seen how many different places you can
get an OpenID from, as well as running your own server? That's just
prohibitively difficult and annoying for a lot of people (or maybe too
complicated for most), and it still wouldn't really solve the unwanted user
problem.

I can understand where you're coming from, but until OpenID gets some
fundamental changes, or someone comes up with a better *trust* (and not just
*identity*) model, it's not going to happen.

cheers,
jane
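The distinction Jane draws above, identity (the OpenID assertion verified) versus trust (the site has an explicit relationship with the provider), is what a relying party's account-creation flow has to encode. The following Python is an added example written for this thread, not code from either participant or from any OpenID library. It applies the OpenID 2.0 identifier normalization rules to a user-typed claimed identifier, and then decides whether a verified assertion is enough on its own or whether the signup still falls through to a captcha. The provider hosts, the `Assertion` record and the policy strings are constructed for illustration.

```python
"""Relying-party policy: OpenID identity is not the same as trust."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist: provider (OP) endpoint hosts this hypothetical relying
# party has an explicit trust relationship with. Anyone can run their own
# provider, so an unknown provider gives identity only, not trust.
TRUSTED_OP_HOSTS = {"id.partner.test", "openid.example-provider.test"}


def normalize_claimed_id(identifier: str) -> str:
    """Normalize a user-typed claimed identifier before discovery.

    Mirrors the OpenID 2.0 URL rules: add http:// if no scheme, lowercase the
    scheme and host, drop the fragment, and give a bare host a '/' path.
    XRI i-names (=, @, +, $, !) are out of scope here and returned unchanged.
    """
    ident = identifier.strip()
    if ident and ident[0] in "=@+$!":
        return ident
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    netloc = f"{host}:{parts.port}" if parts.port else host
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{netloc}{path}{query}"


@dataclass
class Assertion:
    """What the relying party knows after the positive assertion comes back."""
    claimed_id: str      # normalized identifier the user asserted
    op_endpoint: str     # provider endpoint found during discovery
    verified: bool       # signature, nonce and return_to checks all passed


def next_step(assertion: Assertion) -> str:
    """Decide what account creation still needs after an OpenID round trip.

    A verified assertion only proves control of the identifier. Unless the
    provider is one we explicitly trust, the signup is held to the same bar as
    an anonymous one and still gets the captcha.
    """
    if not assertion.verified:
        return "reject"          # no identity at all
    op_host = urlsplit(assertion.op_endpoint).hostname or ""
    if op_host in TRUSTED_OP_HOSTS:
        return "create_account"  # identity plus explicit trust: skip the captcha
    return "captcha"             # identity only


if __name__ == "__main__":
    # Constructed sample identifiers and assertions.
    print(normalize_claimed_id("Example.COM/Me#top"))
    trusted = Assertion("https://alice.id.partner.test/",
                        "https://id.partner.test/openid", verified=True)
    self_hosted = Assertion("http://alice.example.test/",
                            "http://alice.example.test/server", verified=True)
    print(next_step(trusted), next_step(self_hosted))
```

The point of splitting the decision in two is that the trust check is keyed on the provider endpoint discovered for the identifier, not on the identifier itself; a self-hosted provider can vouch for any identifier it likes, so its assertions verify fine but earn nothing beyond identity.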

On Thu, Oct 2, 2008 at 11:07 AM, Chris Blouch <[EMAIL PROTECTED]> wrote:

While OpenID does not resolve captcha in and of itself, if we could use one
central authentication system then it might be worth having more accessible
(higher cost) account creation solutions available at that one point. Today
it would be prohibitively costly to do anything but an automated captcha
generator for the millions of instances where validating your humanity is
required. Using my previous analogy, if you had one central vault rather
than little safes spread all over town, it might be cost effective to have a
concierge there to help. With little safes all over town nobody can afford
anything but the most simplistic automated security. So if the big safehouse
can use their real human person to validate that you are you and give you a
key to all your other safes around town, that would be ideal. Today on the
web we have disparate authentication systems so every site has to test you
over and over for humanity and authorization. OpenID attempts to clear this
up by being a central authority to validate that you are you. So the
individual sites don't have to do all the captcha hoop jumps or whatever to
validate you. Not only that, there can be choices of authorization places.
So if one authentication provider isn't accessible, use somebody else. Right
now, if you're on a particular site and their authentication system is
inaccessible, you are stuck.

CB