Hi,

I am building on the idea of OpenID. My model is that anyone can log in to any computer across my network, and virtually from any other computer, or even access certain things on a mobile phone, all with the same ID.

Thanks for listening,
Alex,
On 3-Oct-08, at 9:20 AM, Chris Blouch wrote:
I agree that OpenID has a lot of fundamental problems. I guess where I was going is that if there was some way to set up a centralized authentication system then it would be more cost effective to implement more accessible interaction models. My own company uses audio and image captchas for creating accounts and we get complaints about how hard the audio is to understand, but the alternative is to open the door to spammers trying to make bogus accounts. We toyed with the idea of real people making telephone conversations with folks wanting accounts, but that was very costly and didn't guarantee much more security. If I even had the option of choosing my authentication provider I might even be willing to pay for one that does things better. It's a tough nut to crack and I don't think anybody has it worked out yet.
CB
Jane Lee wrote:
OpenID doesn't solve the trust issue unless the site using OpenID already knows to trust you somehow, or has steps in place to see if you are "trust"worthy. One of those steps can be a captcha. For all the site knows, your OpenID "proves" that someone has the URL and proper authentication required to get past the provider, but not much else in the average case.

Basically, you can be who you say you are, but the site doesn't know if you're a spammer, an unwanted person like a troll, or someone who is the complete opposite and is a legitimate user. Now, of course, if a spammer went as far as to do all this, a captcha may be trivial, but so is getting a new OpenID or rolling your own setup. Even the "you are who you say you are" part is slightly problematic with OpenID since you don't know who's using it. For all you know it might be two people sharing the same OpenID. Therefore there is really no trust involved. Just barely identity, to the point that OpenID is typically being used for exactly what it was originally meant for: to replace the username and password for an account on a site but *nothing else*.

To use your analogy from my point of view: it doesn't matter who gives you the key. When you go to a safe (it wouldn't be yours, that part of your analogy makes no sense) with a key, the owner of the safe needs to decide whether or not they should let you open it. They'd have to be crazy to let anyone with a key open the safe. If I were the safe owner, I'd want more than a key. Unless it was my friend who gave you the key with my permission... which leads to my next point.

One possible way to solve the trust issue and therefore to remove anything like a captcha is if the site already has an explicit trust relationship with the provider. But uh, have you seen how many different places you can get an OpenID from, as well as running your own server? That's just prohibitively difficult and annoying for a lot of people (or maybe too complicated for most), and it still wouldn't really solve the unwanted user problem.

I can understand where you're coming from, but until OpenID gets some fundamental changes, or someone comes up with a better *trust* (and not just *identity*) model, it's not going to happen.
cheers,
jane
On Thu, Oct 2, 2008 at 11:07 AM, Chris Blouch <[EMAIL PROTECTED]>
wrote:
While OpenID does not resolve captcha in and of itself, if we could use one central authentication system then it might be worth having more accessible (higher cost) account creation solutions available at that one point. Today it would be prohibitively costly to do anything but an automated captcha generator for the millions of instances where validating your humanity is required. Using my previous analogy, if you had one central vault rather than little safes spread all over town, it might be cost effective to have a concierge there to help. With little safes all over town nobody can afford anything but the most simplistic automated security. So if the big safehouse can use their real human person to validate that you are you and give you a key to all your other safes around town, that would be ideal. Today on the web we have disparate authentication systems so every site has to test you over and over for humanity and authorization. OpenID attempts to clear this up by being a central authority to validate that you are you, so the individual sites don't have to do all the captcha hoop jumps or whatever to validate you. Not only that, there can be choices of authorization places. So if one authentication provider isn't accessible, use somebody else. Right now if you're on a particular site, if their authentication system is inaccessible you are stuck.
CB
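As an added example that is not part of any message in the thread above, the following Python sketch of a relying party follows Jane's distinction between identity and trust. The identity step verifies an OpenID 2.0 positive assertion the way the spec describes it: an HMAC over the Key-Value Form of the fields listed in openid.signed, computed with the association's MAC key, plus a check that return_to is ours and that the response_nonce has not been seen before (otherwise a captured assertion could be replayed). The trust step is Jane's "explicit trust relationship with the provider": a valid assertion from an allowlisted OP endpoint skips the captcha, a valid assertion from any other provider (including a self-hosted one) still gets the captcha, and an invalid one is rejected. The association handle, MAC key and all URLs are constructed for the example.

```python
"""Relying-party side of OpenID 2.0: verify identity, then decide trust.

Added example, not code from the thread. A valid signature only proves
that the bearer got past the provider for the claimed identifier; whether
the site should let them in without a captcha is a separate policy step.
"""
import base64
import hashlib
import hmac

# Constructed association state, as a relying party would keep after the
# association handshake with the provider (HMAC-SHA256 session type).
ASSOC_HANDLE = "assoc-example-1"          # constructed
ASSOC_MAC_KEY = b"\x01" * 32              # constructed; real keys come from the OP

# Explicit trust relationship with particular providers (hypothetical URL):
# only identities asserted by these OP endpoints skip the captcha.
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/endpoint"}

RETURN_TO = "https://rp.example.org/openid/return"  # hypothetical RP URL

# Nonces already consumed; a real RP would persist these with an expiry.
seen_nonces = set()


def kv_form(fields, signed):
    """OpenID 2.0 Key-Value Form over the signed fields, in signed order,
    with keys written without their 'openid.' prefix."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields, mac_key):
    """base64(HMAC-SHA256(mac_key, kv_form(signed fields)))."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_identity(fields, mac_key):
    """Return the claimed_id if the positive assertion is authentic,
    addressed to us and fresh; otherwise None. This is the identity step."""
    if fields.get("openid.mode") != "id_res":
        return None
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return None
    signed = fields.get("openid.signed", "").split(",")
    # Fields the signature must cover for an identifier-based login.
    required = {"op_endpoint", "return_to", "response_nonce",
                "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(signed):
        return None
    if any(("openid." + k) not in fields for k in signed):
        return None
    if fields.get("openid.return_to") != RETURN_TO:
        return None
    expected = sign(fields, mac_key)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return None
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:          # replayed assertion
        return None
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]


def decide(fields, mac_key=ASSOC_MAC_KEY):
    """Identity first, then trust. Returns 'reject', 'captcha' or 'allow'."""
    claimed = verify_identity(fields, mac_key)
    if claimed is None:
        return "reject"
    if fields["openid.op_endpoint"] in TRUSTED_OP_ENDPOINTS:
        return "allow"
    return "captcha"   # identity established, trust in the provider is not


def build_assertion(op_endpoint, claimed_id, nonce, mac_key=ASSOC_MAC_KEY):
    """Construct a signed positive assertion as a provider would send it."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


if __name__ == "__main__":
    trusted = build_assertion("https://op.example.net/endpoint",
                              "https://op.example.net/alice", "n1")
    self_hosted = build_assertion("https://alice.example.com/openid",
                                  "https://alice.example.com/", "n2")
    print(decide(trusted), decide(self_hosted), decide(trusted))
```

The ordering inside verify_identity matters: the signature is checked before the nonce is consumed, so a forged or tampered message cannot burn a nonce, and the nonce set is what stops a captured assertion from being presented twice. Note that even "allow" only says the relying party trusts that provider's account creation process; it says nothing about who is sitting at the keyboard, which is Jane's remaining objection.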