I'm combining my replies to Chris, Alex, Ryan and Jacob here for the sake of
not sending out 10 emails:

Chris: That is a nice idea, but inevitably leads back to trust. One central
authority can "validate" that the OpenID user is a user who can pass a
captcha or other similar test, but how do you know to trust the authority as
a site implementing OpenID? And still, even as you point it out, this kind of
stuff doesn't guarantee anything more, since each site is going to have
different criteria to meet a "legitimate user" standard.

Alex: That doesn't work until you can trust the OpenID (or any other
"identity") provider. Let's say I let you log in to my computer with
OpenID. There is no way I'd let you have even guest access without knowing
who you are and passing some sort of test from me to you. Now, if you had an
OpenID from a provider I explicitly trust, and you passed the test I set
(let's say the test was a captcha plus a few questions), I'd grant a guest
account to your OpenID. That's how it works now, in a way, anyway. You'd
still have some glaring security issues with OpenID and OpenID server
implementations, as well as user issues (phishing, anyone?).

Ryan, Jacob, et al: Whether or not that form of captcha can be implemented
on a site depends on the audience: for example, who cares about Japanese
when your blog is in English for English speakers and someone leaving a
comment in Japanese is more likely to be marked as a spammer for being
irrelevant/not understood? If they wanted to leave a comment, the implied
behavior would be that the Japanese speaker would have had to read the
entire post in English and therefore should not have a problem either
understanding a captcha in English or writing a comment in English as well.

I've mentioned this before, but one of the blogs I read has a system where
you have to pick out sentences that were in the blog post, mixed together
with sentences from other irrelevant blog posts, in order to leave a
comment. The system can be extended to ask one of a set of random questions
that a reader and commenter of the site would implicitly know (e.g. if it's
an Apple-related blog, asking a question like "what's that company that this
blog is talking about?" or "what's the name of the phone manufactured by the
company that this blog is about?"). Since that implies that you must have at
least read and understood most of the blog post in order to comment, that
kind of system would not put much of a burden on commenters and would be
pretty difficult for spammers to do anything about as long as they have no
huge incentive to do so.

cheers,
jane

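The "pick the sentences that were actually in the post" challenge described in the message above, as an added example that is not code from the original post or from the blog it mentions. It assumes a hypothetical server key (SERVER_KEY), constructed sample post text, and a stateless design: the challenge is signed with an HMAC over the options and the correct answer set, so the server can verify a submission without storing anything per visitor.

```python
import hashlib
import hmac
import json
import random
import re
import time

# Hypothetical server-side key; a real deployment loads a random secret from config.
SERVER_KEY = b"replace-me-with-a-random-32-byte-secret"

# Constructed sample data standing in for the blog post and for unrelated posts.
POST = (
    "Apple announced a new phone today. The device ships next month. "
    "Reviewers praised the camera. Battery life is unchanged."
)
OTHER_POSTS = [
    "The recipe calls for two eggs. Bake for thirty minutes. Serve warm.",
    "Our football team lost again. The coach blamed the referee.",
]


def split_sentences(text):
    """Split text into sentences on terminal punctuation followed by whitespace."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [p for p in parts if p]


def _sign(nonce, expires, options, selected):
    """HMAC over everything the verifier needs: nonce, expiry, the shuffled
    options and the (deduplicated, sorted) answer set. Signing the options
    stops a client from swapping in its own sentence list."""
    answer = sorted({int(i) for i in selected})
    payload = json.dumps(
        {"n": nonce, "e": expires, "o": options, "a": answer},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def build_challenge(post, decoy_posts, n_real=2, n_decoy=3, ttl=600, now=None):
    """Return a challenge: n_real sentences from the post mixed with n_decoy
    sentences from unrelated posts, plus a signed token for later verification."""
    rng = random.SystemRandom()
    now = time.time() if now is None else now
    real = rng.sample(split_sentences(post), n_real)
    decoy_pool = [s for p in decoy_posts for s in split_sentences(p)]
    decoys = rng.sample(decoy_pool, n_decoy)
    options = real + decoys
    rng.shuffle(options)
    correct = [i for i, s in enumerate(options) if s in real]
    nonce = "%032x" % rng.getrandbits(128)
    expires = int(now) + ttl
    return {
        "nonce": nonce,
        "expires": expires,
        "options": options,
        "token": _sign(nonce, expires, options, correct),
    }


def verify_answer(challenge, selected, now=None):
    """True only if the submitted index set reproduces the signed token and
    the challenge has not expired. Any tampering with options, nonce or
    expiry changes the HMAC input and fails the comparison."""
    now = time.time() if now is None else now
    if now > challenge["expires"]:
        return False
    expected = _sign(challenge["nonce"], challenge["expires"],
                     challenge["options"], selected)
    return hmac.compare_digest(expected, challenge["token"])


if __name__ == "__main__":
    ch = build_challenge(POST, OTHER_POSTS)
    for i, s in enumerate(ch["options"]):
        print(i, s)
    picked = [i for i, s in enumerate(ch["options"]) if s in split_sentences(POST)]
    print("correct answer accepted:", verify_answer(ch, picked))
```

The token only verifies for the one correct answer set, so the server keeps no session state. The weak spot is small search space: with five options and two correct ones there are only ten subsets, so the endpoint still needs rate limiting or one-time nonces to stop a spammer from simply trying them all.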