[OpenID] Trust + Security @ OpenID

Simon Willison simon at simonwillison.net
Sun Jul 8 20:39:14 UTC 2007


On 7/8/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
> More than that, if everybody can be his
> own IDP (without any control) the fight against forum/blog spam is lost
> right from the start! And we are talking about the lowest level of entry for
> OpenID!!!!!

From http://openid.net/about.bml

"""
What about spam?

Again, this is not a trust system.

Somebody could run their own identity server that says they're
http://spammer.example.com/000001/ all the way to
http://spammer.example.com/999999/ and that's not a goal of this
system to prevent. It's another layer's job to say the identities with
URL spammer.example.com/* is a spammer, or some ID server is a known
spammer, or some particular identity is a known spammer.
"""

OpenID was never intended to provide an assurance that an OpenID
doesn't belong to a spammer. That's OK; neither are regular accounts
created with a username and password. If you want to prevent automated
spammers from signing in to your blog/forum using OpenID, you need to
present a user with a CAPTCHA the first time they sign in with a
specific OpenID.
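As an added example (not code from the original post or from the OpenID project), here is the relying-party policy described above, assuming the OpenID library has already verified the provider's assertion: an "other layer" blocklist for identifier patterns and for known-spam provider endpoints, plus a CAPTCHA gate on the first sign-in with a given identifier. The blocklist entries and identifiers are constructed; the identifier normalization is a simplified stand-in for the spec's full procedure.

```python
import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed blocklists (hypothetical values, not from the post): the
# "another layer" that flags spammer.example.com/* or a spam-only OP.
BLOCKED_IDENTIFIER_PATTERNS = ["spammer.example.com/*"]
BLOCKED_OP_ENDPOINTS = {"https://op.spammer.example.net/server"}


def normalize_identifier(claimed_id: str) -> str:
    """Map every spelling of one OpenID URL to a single key (simplified:
    default scheme, lower-cased scheme/host, '/' path, fragment dropped)."""
    if "://" not in claimed_id:
        claimed_id = "http://" + claimed_id
    parts = urlsplit(claimed_id)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def decide(claimed_id: str, op_endpoint: str, seen_ids: set,
           captcha_solved: bool) -> str:
    """Policy run AFTER the OP's signed assertion has been verified.

    seen_ids stands in for the RP's table of identifiers that have already
    passed the first-visit CAPTCHA. Returns 'reject', 'captcha' or 'allow'.
    """
    ident = normalize_identifier(claimed_id)
    host_and_path = ident.split("://", 1)[1]
    # Layer 1: identifiers or provider endpoints the site knows as spam.
    if any(fnmatch.fnmatch(host_and_path, p) for p in BLOCKED_IDENTIFIER_PATTERNS):
        return "reject"
    if op_endpoint in BLOCKED_OP_ENDPOINTS:
        return "reject"
    # Layer 2: first sign-in with this identifier must clear a CAPTCHA.
    # The identifier is only remembered once the CAPTCHA has been solved, so
    # an abandoned challenge does not whitelist it.
    if ident not in seen_ids:
        if not captcha_solved:
            return "captcha"
        seen_ids.add(ident)
    return "allow"
```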


