[OpenID] OpenID and trust
Martin Atkins
mart at degeneration.co.uk
Mon Jan 15 19:14:57 UTC 2007

Marcin Jagodziński wrote:
> Well, the "usual measures" are not very efficient in my opinion when
> dealing with email spam, so I don't think it will be efficient when
> dealing with "OpenID spam".

One major difference between email spam and "OpenID spam" is that a
sender can pose as another user with email, but that's not true of
OpenID. Therefore a whitelist can be 100% effective where it cannot for
email.[1]

The obvious strategy then is to screen comments from identifiers you
haven't seen before, but once a user has convinced you that he or she is
trustworthy you white-list them. If they then screw you over and post
some spam, you can un-whitelist them. It seems unlikely that a spammer
will take the time to pose as a valid user in order to get whitelisted
on some random weblog, so this strategy should be effective on all but
the most popular sites.

For those sites where the above is inadequate or somehow unsuitable,
there's always the option of doing normal user registration with
whatever email validation and CAPTCHA tests you want, but asking the
user for a validated OpenID identity instead of a username/password.
That will work for OpenID just as well as it has worked for traditional
username-/password-based accounts.

---------
[1] Assuming a previously-trusted user's identifier doesn't somehow
become compromised, of course.
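
The screening strategy described in the message above, sketched as an added example (not part of the original post or of any OpenID library). The class and function names are hypothetical, the `verified` flag stands in for the site's own OpenID assertion check, the identifier normalization is a simplified assumption, and the `example.org` identifiers in the test are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize(identifier):
    """Simplified canonical form (assumption): default scheme, lowercase host, no fragment."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class CommentScreen:
    """Hold comments from unseen identifiers; publish directly once whitelisted."""

    def __init__(self):
        self.trusted = set()   # whitelisted identifiers (normalized)
        self.pending = []      # (identifier, text) awaiting moderation
        self.published = []    # (identifier, text) visible on the site

    def submit(self, claimed_id, text, verified):
        # The whitelist is only meaningful for identifiers the provider has
        # asserted; an unverified claim is never matched against it.
        if not verified:
            return "rejected"
        ident = normalize(claimed_id)
        if ident in self.trusted:
            self.published.append((ident, text))
            return "published"
        self.pending.append((ident, text))
        return "held"

    def approve(self, claimed_id):
        """Moderator decision: whitelist the identifier and release its held comments."""
        ident = normalize(claimed_id)
        self.trusted.add(ident)
        released = [c for c in self.pending if c[0] == ident]
        self.pending = [c for c in self.pending if c[0] != ident]
        self.published.extend(released)
        return len(released)

    def revoke(self, claimed_id):
        """Un-whitelist: later comments from this identifier are held again."""
        ident = normalize(claimed_id)
        was_trusted = ident in self.trusted
        self.trusted.discard(ident)
        return was_trusted
```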