Hi,

It is for my private network. However, guest access is granted solely through my own server, so I trust it.

Thanks for listening,
Alex,


On 4-Oct-08, at 5:58 PM, Jane Lee wrote:

I'm combining my replies to Chris, Alex, Ryan and Jacob here for the sake of
not sending out 10 emails:

Chris: That is a nice idea, but inevitably leads back to trust. One central
authority can "validate" that the OpenID user is a user who can pass a
captcha or other similar test, but how do you know to trust the authority as a site implementing OpenID? And still, even as you point it out, this kind of stuff doesn't guarantee anything more, since each site is going to have
different criteria to meet a "legitimate user" standard.

Alex: That doesn't work until you can trust the OpenID (or any other
"identity") provider. Let's say I let you log in to my computer with
OpenID... there is no way I'd let you have even guest access without knowing who you are and passing some sort of test from me to you. Now, if you had an OpenID from a provider I explicitly trust, and you passed the test I set (let's say the test was a captcha plus a few questions), I'd grant a guest account to your OpenID. That's how it works now, in a way, anyway. You'd
still have some glaring security issues with OpenID and OpenID server
implementations, as well as user issues (phishing, anyone?).

Ryan, Jacob, et al: Whether or not that form of captcha can be implemented on a site depends on the audience: for example, who cares about Japanese when your blog is in English for English speakers and someone leaving a
comment in Japanese is more likely to be marked as a spammer for being
irrelevant/not understood? If they wanted to leave a comment, the implied
behavior would be that the Japanese speaker would have had to read the
entire post in English and therefore should not have a problem either
understanding a captcha in English or writing a comment in English as well.

I've mentioned this before, but one of the blogs I read has a system where you have to pick out sentences that were in the blog post, mixed together
with sentences from other irrelevant blog posts, in order to leave a
comment. The system can be extended to ask one of a set of random questions that a reader and commenter of the site would implicitly know (e.g. if it's an Apple-related blog, asking a question like "what's that company that this blog is talking about?" or "what's the name of the phone manufactured by the company that this blog is about?"). Since that implies that you must have at least read and understood most of the blog post in order to comment, that kind of system would not put much of a burden on commenters and would be pretty difficult for spammers to do anything about as long as they have no
huge incentive to do so.

cheers,
jane
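The "pick the sentences that were in the post" check Jane describes above, written out as an added example (this is not code from anyone in the thread). It assumes a stateless design: the server embeds the correct answer in an HMAC-signed, expiring token rather than keeping session state, and the commenter's selection is checked against that token. The post text, the decoy posts, the secret and the hypothetical names `make_challenge` / `verify_answer` are all constructed for the example.

```python
import hashlib
import hmac
import json
import random
import re
import time

# Constructed sample data: the post being commented on, plus two unrelated
# posts whose sentences serve as decoys.
POST = (
    "Apple announced a new iPhone today. The phone has a larger screen. "
    "Preorders open on Friday. Prices start at the same point as last year."
)
DECOY_POSTS = [
    "The garden needs watering twice a week. Tomatoes do best in full sun. "
    "Basil wilts quickly in the cold.",
    "The marathon route was changed this year. Runners must register early. "
    "Water stations appear every two miles.",
]

# Hypothetical server-side secret; a real deployment loads a random key from config.
SECRET = b"replace-me-with-a-random-32-byte-key"
TOKEN_TTL = 600  # seconds a challenge token stays valid


def split_sentences(text):
    """Naive sentence splitter; adequate for short blog prose."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


def _sign(payload, secret):
    """Serialise the payload and append an HMAC-SHA256 tag so it cannot be altered."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def _open(token, secret):
    """Return the payload if the tag verifies, else None. Constant-time compare."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def make_challenge(post_text, decoy_posts, k=2, n_decoys=4, secret=SECRET,
                   seed=None, now=None):
    """Build the option list shown to the commenter and a signed answer token.

    `seed` exists only to make the example reproducible; leave it None in
    production so SystemRandom is used.
    """
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    now = time.time() if now is None else now
    post_sentences = split_sentences(post_text)
    decoys = [s for p in decoy_posts for s in split_sentences(p)
              if s not in post_sentences]
    genuine = rng.sample(post_sentences, k)
    options = genuine + rng.sample(decoys, n_decoys)
    rng.shuffle(options)
    answer = sorted(i for i, s in enumerate(options) if s in genuine)
    payload = {"answer": answer, "exp": int(now) + TOKEN_TTL,
               "nonce": rng.getrandbits(64)}
    return options, _sign(payload, secret)


def verify_answer(token, selected, secret=SECRET, now=None):
    """True only if the token is authentic, unexpired, and the selection matches exactly."""
    now = time.time() if now is None else now
    payload = _open(token, secret)
    if payload is None or payload["exp"] < now:
        return False
    return sorted(set(selected)) == payload["answer"]
```

The token is the whole trust anchor here: without the MAC a client could edit the embedded answer, and without the expiry a solved token could be replayed. Two practical caveats: decoys should resemble the genuine sentences in length and style, or a bot can pick by keyword overlap with the page; and, as Jane notes, the scheme only holds up while spammers lack the incentive to scrape the post text itself.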

