[OpenID] OpenID and trust

Martin Atkins mart at degeneration.co.uk
Mon Jan 15 19:14:57 UTC 2007

Marcin Jagodziński wrote:
> Well, the "usual measures" are not very efficient in my opinion when
> dealing with email spam, so I don't think it will be efficient when
> dealing with "OpenID spam".

One major difference between email spam and "OpenID spam" is that a 
sender can pose as another user with email, but that's not true of 
OpenID. Therefore a whitelist can be 100% effective where it cannot for 

The obvious strategy then is to screen comments from identifiers you 
haven't seen before, but once a user has convinced you that he or she is 
trustworthy you white-list them. If they then screw you over and post 
some spam, you can un-whitelist them. It seems unlikely that a spammer 
will take the time to pose as a valid user in order to get whitelisted 
on some random weblog, so this strategy should be effective on all but 
the most popular sites.

For those sites where the above is inadequate or somehow unsuitable, 
there's always the option of doing normal user registration with 
whatever email validation and CAPTCHA tests you want, but asking the 
user for a validated OpenID identity instead of a username/password. 
That will work for OpenID just as well as it has worked for traditional 
username-/password-based accounts.


[1] Assuming a previously-trusted user's identifier doesn't somehow 
become compromised, of course.
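The screen-then-whitelist flow described above, as an added example that is not part of the post or of any OpenID library: comments from an identifier the site has never seen are held for screening, whitelisted identifiers publish straight away, and a moderator can un-whitelist one again (the footnote's compromised-identifier case). It assumes the identifier handed in is the one the OpenID verification returned, not a string the commenter typed, and it applies a simplified form of OpenID 2.0 URL-identifier normalisation (XRIs are not handled) so that different spellings of the same identifier map onto one whitelist entry.

```python
from urllib.parse import urlsplit, urlunsplit

HELD, PUBLISH = "held", "publish"


def normalize_identifier(claimed_id: str) -> str:
    """Canonicalise a verified OpenID URL identifier for whitelist lookups.

    Simplified OpenID 2.0 rules (assumption: URL identifiers only, no XRIs):
    add a missing scheme, lowercase scheme and host, drop default ports,
    use "/" for an empty path and strip any fragment.
    """
    ident = claimed_id.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


class CommentGate:
    """Trust state keyed on provider-verified identifiers.

    Because the OpenID provider asserted the identifier, a commenter cannot
    pose as a whitelisted user the way a forged email From: header can, so
    an exact match against the whitelist is all the check needs to be.
    """

    def __init__(self) -> None:
        self.trusted: set[str] = set()
        self.audit: list[tuple] = []  # who changed trust for whom, and why

    def decide(self, verified_id: str) -> str:
        """PUBLISH for a whitelisted identifier, otherwise HELD for screening."""
        return PUBLISH if normalize_identifier(verified_id) in self.trusted else HELD

    def whitelist(self, verified_id: str, moderator: str) -> None:
        ident = normalize_identifier(verified_id)
        self.trusted.add(ident)
        self.audit.append(("whitelist", ident, moderator, ""))

    def unwhitelist(self, verified_id: str, moderator: str, reason: str) -> None:
        """Revoke trust after spam or a suspected compromise; comments go back to screening."""
        ident = normalize_identifier(verified_id)
        self.trusted.discard(ident)
        self.audit.append(("unwhitelist", ident, moderator, reason))
```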

