Update: It seems I’m not the only one to ask about trust, and Simon answered it:
OpenID is not an account. Just treat it as an alternative to a traditional username and password and you can’t go wrong.
Fair enough, I guess we’ll have to keep looking for a better method than CAPTCHA to prevent automatic signups though.
I noticed OpenID a while ago, as a possible way to do single-sign-on for internet applications. Recently I wondered why Google used CAPTCHA, and despite it being the most viewed article on this blog (thanks to Matthew Mullenweg), no one pointed out the obvious problem with my argument.
Comment vs sign-on
It wasn’t really a huge hole, but I had raised Akismet and other WordPress plugins as an alternative to CAPTCHA. The point still stands that CAPTCHA is bad and Google could find or create a better way; however, comment spam and sign-ups aren’t the same thing.
Akismet, and to some extent the other WordPress oriented options that prevent comment spam, don’t help sign-ups to other services such as forums, newsletters and custom applications that might allow posting content.
If there is a disconnect between sign-up and posting content, spammers could get through, or at least make it very difficult to prevent abuse. That’s not to say one of those solutions couldn’t be adapted to get around that.
Not long after my post (and completely disconnected), Simon Willison posted up about OpenID,
an open, decentralized, free framework for user-centric digital identity.
It’s quite difficult to get your head around how easy it is, but Simon has made it very easy to understand, just check out his OpenID screencast. You create your own central ID, that you control.
A popular techie blog completely missed Simon’s post (despite looking at Yahoo closely), and replicated his efforts. However, they go on to talk about single-sign-on methods from Yahoo, Google and others, so it’s worth reading.
From a user point of view OpenID seems great, I now have a single-sign-on to Simon’s blog, Magnolia bookmarks and other sites. However, I’m going to raise one primary question:
What prevents abuse of the system?
I can work out why people can’t spoof your ID, but what stops the spammers from creating loads of accounts to abuse? I don’t know enough about this topic (it’s not marked usability or accessibility ;)), but I haven’t worked out why we can’t have an individual public/private key mechanism like that used for SSH?
(NB: I’m hoping there’s a good answer and this post can be quickly archived, but I have to ask.)
There doesn’t seem to be a trust mechanism such as that built into Gez Lemon’s idea, or a way of preventing spammers creating many throw away accounts.
Why can’t I publish my public (DSA SSH) key on my site in a link and reference that?
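To make the SSH-style idea above concrete, here is an added example of my own (not code from this post, from OpenID, or from any existing project) of the publish-a-key login flow: the identifier page publishes a public key, the relying party issues a fresh nonce, the user signs it with a private key that never leaves their machine, and the relying party checks the signature against the published key. It uses Ed25519 from Go’s standard library rather than DSA, the identifier URLs and relying-party names are constructed, and “fetching the key from your site” is simulated with an in-memory map instead of an HTTP request. The last function shows the gap the post is worried about: proving control of an identifier is cheap to repeat, so this authenticates but does nothing on its own to stop throw-away accounts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// identitySite stands in for "your site": the page at the identifier URL
// publishes the public key. A real relying party would fetch it over HTTPS;
// here it is a constructed in-memory map so the example runs offline.
var identitySite = map[string]ed25519.PublicKey{}

// PublishKey simulates placing a public key on the page at identifierURL.
func PublishKey(identifierURL string, pub ed25519.PublicKey) {
	identitySite[identifierURL] = pub
}

// PublishedIdentities reports how many identifier pages currently publish a key.
func PublishedIdentities() int {
	return len(identitySite)
}

// NewChallenge is the relying party's step: a fresh random nonce the user
// must sign, so a signature captured earlier cannot simply be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// challengeMessage binds the nonce to both the relying party and the
// identifier, so a signature produced for one site is useless at another.
func challengeMessage(relyingParty, identifierURL string, nonce []byte) []byte {
	return []byte(relyingParty + "|" + identifierURL + "|" + hex.EncodeToString(nonce))
}

// Sign is the user's step: sign the bound challenge with the private key,
// the half of the SSH-style key pair that stays on the user's machine.
func Sign(priv ed25519.PrivateKey, relyingParty, identifierURL string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(relyingParty, identifierURL, nonce))
}

// Verify is the relying party's check: look up the key the identifier
// publishes and verify the signature over the same bound message.
func Verify(relyingParty, identifierURL string, nonce, sig []byte) error {
	pub, ok := identitySite[identifierURL]
	if !ok {
		return errors.New("identifier publishes no key")
	}
	if !ed25519.Verify(pub, challengeMessage(relyingParty, identifierURL, nonce), sig) {
		return errors.New("signature does not match the published key")
	}
	return nil
}

// ProvisionIdentity generates a key pair and publishes the public half.
// This is all it takes to mint a new identity, which is exactly why the
// mechanism authenticates but does not by itself limit throw-away accounts.
func ProvisionIdentity(identifierURL string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	PublishKey(identifierURL, pub)
	return priv, nil
}

func main() {
	const me, rp = "https://example.com/alice", "https://blog.example" // constructed
	priv, err := ProvisionIdentity(me)
	if err != nil {
		panic(err)
	}
	nonce, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, rp, me, nonce)
	fmt.Println("login accepted:", Verify(rp, me, nonce, sig) == nil)
	fmt.Println("same signature at another site accepted:",
		Verify("https://forum.example", me, nonce, sig) == nil)
	// Minting more identities costs nothing but a key generation each.
	for i := 0; i < 3; i++ {
		if _, err := ProvisionIdentity(fmt.Sprintf("https://throwaway.example/%d", i)); err != nil {
			panic(err)
		}
	}
	fmt.Println("identities now published:", PublishedIdentities())
}
```

The binding of the relying party and identifier into the signed message is the part most easily forgotten when people sketch this flow; without it, a signature a user hands to one site is a valid login at every other site that trusts the same key. The throw-away loop is the point the post makes: a key proves the same person is back, not that the person is worth admitting, so rate limiting or a trust signal still has to come from somewhere else.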