I personally agree, but the reason that will never happen is the issue
of language. Depending on the questions asked and what language the
site is in, someone who is only marginally familiar with that language
may not be able to answer the question properly. Also connected to
this issue, there are usually several ways to respond to a question. For
instance, with the one you posed, would you write "two" (the word) or
"2" (the number)? For something that simple it could easily have both
answers on record, but that isn't always the case. And what about the
languages with several writing systems, such as Japanese, and the
various character encodings and conventions that have resulted? You
can't simply rely on just Unicode, as there are still a lot of
operating systems/web browser combinations that don't fully support
the standard. This solution may be workable once our computers
understand natural language. For now, however, they don't. I'm not
defending captcha in its current form by any means, but as has been
noted here often enough, it's a tough problem to solve.
On Oct 3, 2008, at 10:41, Ryan Mann wrote:
I don't get it. It seems like the simplest way to solve the spam
problem and have accessibility at the same time is to ask the user
random questions. The web site could generate random questions such
as the following:
If you have four apples and you give your friend two, how many
apples do you have left? If somebody can't answer a question like
that, they are not smart enough to be using the internet or they are
not human.
On Oct 3, 2008, at 12:20 PM, Chris Blouch wrote:
I agree that OpenID has a lot of fundamental problems. I guess
where I was going is that if there was some way to set up a
centralized authentication system then it would be more cost
effective to implement more accessible interaction models. My own
company uses audio and image captchas for creating accounts and we
get complaints about how hard the audio is to understand, but the
alternative is to open the door to spammers trying to make bogus
accounts. We toyed with the idea of real people making telephone
conversations with folks wanting accounts, but that was very costly
and didn't guarantee much more security. If I even had the option
of choosing my authentication provider I might even be willing to
pay for one that does things better. It's a tough nut to crack and
I don't think anybody has it worked out yet.
CB
Jane Lee wrote:
OpenID doesn't solve the trust issue unless the site using OpenID
already knows to trust you somehow, or has steps in place to see if
you are "trust"worthy. One of those steps can be a captcha. For all
the site knows, your OpenID "proves" that someone has the URL and
proper authentication required to get past the provider, but not much
else in the average case. Basically, you can be who you say you are,
but the site doesn't know if you're a spammer, an unwanted person like
a troll, or someone who is the complete opposite and is a legitimate
user. Now, of course, if a spammer went as far as to do all this, a
captcha may be trivial, but so is getting a new OpenID or rolling your
own setup. Even the "you are who you say you are" part is slightly
problematic with OpenID since you don't know who's using it. For all
you know it might be two people sharing the same OpenID. Therefore
there is really no trust involved. Just barely identity, to the point
that OpenID is typically being used for exactly what it was originally
meant for: to replace the username and password for an account on a
site but *nothing else*.
To use your analogy from my point of view: it doesn't matter who gives
you the key. When you go to a safe (it wouldn't be yours, that part of
your analogy makes no sense) with a key, the owner of the safe needs
to decide whether or not they should let you open it. They'd have to
be crazy to let anyone with a key open the safe. If I were the safe
owner, I'd want more than a key. Unless it was my friend who gave you
the key with my permission...which leads to my next point..
One possible way to solve the trust issue and therefore to remove
anything like a captcha is if the site already has an explicit trust
relationship with the provider. But uh, have you seen how many
different places you can get an OpenID from, as well as running your
own server? That's just prohibitively difficult and annoying for a lot
of people (or maybe too complicated for most), and it still wouldn't
really solve the unwanted user problem.
I can understand where you're coming from, but until OpenID gets some
fundamental changes, or someone comes up with a better *trust* (and
not just *identity*) model, it's not going to happen.
cheers,
jane
On Thu, Oct 2, 2008 at 11:07 AM, Chris Blouch <[EMAIL PROTECTED]>
wrote:
While OpenID does not resolve captcha in and of itself, if we could
use one central authentication system then it might be worth having
more accessible (higher cost) account creation solutions available at
that one point. Today it would be prohibitively costly to do anything
but an automated captcha generator for the millions of instances where
validating your humanity is required. Using my previous analogy, if
you had one central vault rather than little safes spread all over
town, it might be cost effective to have a concierge there to help.
With little safes all over town nobody can afford anything but the
most simplistic automated security. So if the big safehouse can use
their real human person to validate that you are you and give you a
key to all your other safes around town, that would be ideal. Today on
the web we have disparate authentication systems so every site has to
test you over and over for humanity and authorization. OpenID attempts
to clear this up by being a central authority to validate that you are
you. So the individual sites don't have to do all the captcha hoop
jumps or whatever to validate you. Not only that, there can be choices
of authorization places. So if one authentication provider isn't
accessible, use somebody else. Right now if you're on a particular
site, if their authentication system is inaccessible you are stuck.
CB
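The generated-question check proposed in Ryan Mann's message, combined with the several-answers problem from the first reply ("two" versus "2"), as an added example that is not part of the original thread. It assumes an English-only site whose form input arrives as Unicode text; `make_challenge`, `normalize` and `check_answer` are hypothetical names.

```python
import random
import unicodedata

# English number words for the small operands used below
# (assumption: the site asks its questions in English only).
WORDS = ["zero", "one", "two", "three", "four", "five",
         "six", "seven", "eight", "nine", "ten"]

# Characters stripped from both ends of a submitted answer.
TRIM = " \t\r\n.!?\"'"


def make_challenge(rng: random.Random):
    """Generate one question plus every answer form kept on record."""
    have = rng.randint(2, 10)
    give = rng.randint(1, have)
    left = have - give
    question = (f"If you have {WORDS[have]} apples and you give your "
                f"friend {WORDS[give]}, how many apples do you have left?")
    # Both the numeral and the word are stored, so "2" and "two" both pass.
    return question, {str(left), WORDS[left]}


def normalize(answer: str) -> str:
    """Reduce a submitted answer to the form used for comparison."""
    # NFKC folds compatibility characters (full-width digits become ASCII),
    # casefold() removes case differences, strip() drops stray punctuation.
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return folded.strip(TRIM)


def check_answer(accepted: set, answer: str, max_len: int = 32) -> bool:
    """Accept the answer only if its normalized form is on record."""
    if len(answer) > max_len:
        return False  # refuse oversized input before normalizing it
    return normalize(answer) in accepted


if __name__ == "__main__":
    question, accepted = make_challenge(random.Random())
    print(question)
    print(check_answer(accepted, input("> ")))
```

A correct answer written in another script, such as "二", is rejected unless that form is also put on record, which is the per-language upkeep the first reply points to.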