Chris, quoting your posts to insert some context.

On Mon, Oct 6, 2008 at 11:04 AM, Chris Blouch <[EMAIL PROTECTED]> wrote:
>
> Once those things are fixed then OpenID can be trusted and single sign on
> will be a possibility. In the meantime I have a jillion accounts and
> passwords to manage and get to wade through more captchas to create more
> accounts.

I cut out a whole bunch here because I agree with you on all the security issues surrounding OpenID. But no matter what happens, you will still have a problem with the end user. Then again, you always will no matter if you use OpenID or a homebaked solution. And like I said, OpenID is not about trust, it's about identity, and they are two different ideas. OpenID was to solve the "jillion accounts and passwords" problem, not the "not wade through more captchas" one.

I'm going to throw in a little situation here as well: what happens when a spammer gets an OpenID account from a "reputable provider" and OpenID were used in lieu of a username *and* captcha on many sites? That gives the spammer carte blanche to spam while only possibly verifying once with the "reputable provider" with a captcha, and at that point it becomes no better if not worse than what we have now. Do you get the problem here? A site owner can't possibly whitelist every OpenID provider that verifies accounts using a captcha or other technique, nor can a site owner necessarily validate that such a thing happened.

> As far as automated contextual question generation, I wonder how that would
> be done? Sounds pretty high on the artificial intelligence quotient. So some
> code is going to read blog posts, slice and dice them and then present
> unique relevant questions to a user about the blog content? If you get that
> working I'm sure there's some big bags of venture capital waiting for you.

Hmm, maybe I haven't linked it here. It doesn't involve any AI since it's not generating unique questions, just a repetition of what's already there...it's a pretty simple concept involving parsing the current blog post and another random blog post or two for some sentences and you ask the commenter to choose the sentences they read from the blog post they're about to comment on.

The other questions you ask the user for an answer they should know could be as simple as generating random numbers (for math questions) or just having a short list of predetermined questions and answers. While it may be in theory possible for a spammer to get around this in an automated fashion, the effort required to do so would be prohibitively high. This kind of "captcha" is already in existence, and the one in particular I mention about diced up blog posts is on http://lemurcatta.org/ (general website) and the blog is at http://www.atomicwang.org/alison/

And thanks, but I'm confident I have at least some sort of bag of venture capital waiting for my current startup when I need funding *wink*

> Whoops. You're correct. The hexadecimal version of 2 is 2 <smile> I did mean
> those answers in jest as I realize most people would answer "two".

I did say I was just nitpicking *smile*

> It's still a tough nut to come up with a large number of these kinds of
> questions that a parser couldn't pick apart and automatically answer. Ever
> play Zork?

I *love* interactive fiction. But you generally use a set number of keywords and phrases while playing an IF game, and those are easy to parse.

Anyway, I know that in theory if someone were really out to spam me, it is entirely possible to get past a captcha like "what is 2+2" or the sentence-picking blog I mentioned above either automated or with an actual human (that doesn't necessarily defeat the purpose of a captcha, after all). The idea is to make the effort to spam me so difficult or unique that it's not worth the time/money/human attention. After all, captchas don't keep out the trolls. They just try to keep out automated spammers (and humans that can't solve it, unfortunately).

cheers,
jane
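
The sentence-picking check described in the message above, sketched as an added example (not part of the original message and not the code behind the sites it links). The HMAC-signed token, `SECRET`, `TTL`, the function names and the sample posts are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import re
import time

SECRET = b"constructed-demo-key"  # assumption: per-site key, kept server-side
TTL = 600                         # assumption: challenge lifetime in seconds

# Constructed sample posts, not taken from any real blog.
POST = "The ferry left before sunrise today. We counted nine seals on the rocks. Lunch was bread and smoked fish."
DECOYS = ["My old laptop finally stopped booting. I replaced the disk over the weekend.",
          "The garden needs far more water this year. Tomatoes are ripening very slowly now."]


def sentences(text):
    """Split a post into sentences long enough to be recognisable."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if len(s.split()) >= 4]


def _sign(post_id, expires, correct):
    msg = f"{post_id}|{expires}|{sorted(correct)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(post_id, post, decoys, n_real=2, n_decoy=3, rng=None, now=None):
    """Mix sentences from the post being commented on with sentences from
    other posts; the commenter must pick exactly the ones from this post."""
    rng = rng or random.SystemRandom()
    own = sentences(post)
    pool = [s for d in decoys for s in sentences(d) if s not in own]
    options = [(s, True) for s in rng.sample(own, n_real)]
    options += [(s, False) for s in rng.sample(pool, n_decoy)]
    rng.shuffle(options)
    correct = {i for i, (_, real) in enumerate(options) if real}
    expires = int(time.time() if now is None else now) + TTL
    # The token binds post id, expiry and answer set, so the server stores nothing.
    challenge = {"options": [s for s, _ in options], "expires": expires,
                 "token": _sign(post_id, expires, correct)}
    return challenge, correct


def verify(post_id, challenge, chosen, now=None):
    """Accept only the exact set of real sentences, and only before expiry."""
    now = time.time() if now is None else now
    if now > challenge["expires"]:
        return False
    expected = _sign(post_id, challenge["expires"], set(chosen))
    return hmac.compare_digest(challenge["token"], expected)
```

With two real sentences among five options, a blind guess succeeds one time in ten, and this token can be resubmitted until it expires, so a deployment would also record used tokens or rate-limit attempts per client.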
