[OpenID] Discouraging "anonymous" OpenID users

Sat Jul 26 04:50:59 UTC 2008

One of the risks posed to Consumers is, what's to stop spammers from 
just automating the process of generating URI's (with any of an 
ever-growing list of Providers) that can be used to authenticate as 
"real" people?

Last month I wrote about distinguishing between identities:
http://openid.net/pipermail/general/2008-June/005025.html
PGP is okay, but I have a problem with it: the requirement of a User 
ID, usually a 5-character "Real name" as the bare minimum. Isn't the 
public key enough? Forget not using my "Real" name as the unique 
identifier; I shouldn't have to use *any* name. Other people can 
assign me whatever name they wish, at their own discretion, and we 
don't have to worry about conflicts between namespaces. Never mind 
distinguishing between two people named "Shade"; what guarantee do 
people have that EITHER of us is *really* named Shade?

None. But here's the big deal: they also don't CARE.

Think about this for a moment: is your Significant Other in love with 
*you*, or in love with your name? Everything about you, that is 
meaningful to other people - is the *name* really part of this?

Do we really *need* names to know what we like/value in other people, 
or just to keep them separate in our heads? And if that latter is all 
that's needed, all that's left for what we find meaningful *in* 
identity is information *about* someone.

The same sort of information (usually content of some kind) that's 
exchanged in all kinds of social interaction. As this (valued) 
content accumulates under a single identity, we value that source 
even *more* - because, even if we don't know who it is, we can still 
appreciate their contributions.

Even if they suddenly "vanish" (never to be heard from, or seen, 
again), we still have those contributions. We've *received* some 
value - if they turn out to be spammers, just setting up the 
appearances to *seem* like a real person, we *still have that value*.

Think of it as a security deposit against spam - but one where the 
entity making this deposit receives cumulative interest on their 
deposit, which may eventually exceed the amount that they originally 
paid to earn initial "trust". Because that's what this is about: 
trusting people, to be *real* people, by asking them to volunteer 
some original "value" which they can only retain claim to if they 
maintain a consistent identity. They can start over, but it would 
require another deposit.

And the best part of all? The infrastructure for this wouldn't 
require any marketing for adoption, because people are *already* 
rating one another's contributions. We've become *used to* this 
model. In one sense, the infrastructure for this is already here; it 
may need some technical details, but we're already performing 
value-judgements on what we read, and what it means to us.

This is all the introduction anyone should need.

-Shade

Postscript: And yet I can't help but wonder what will happen when I 
begin publishing under the "Claimware" license that I worked out, 
several years ago, as an idle foray into driving the RIAA *nuts*: 
anyone may claim to have authored the content, but only if they 
refuse to name any sources they might have acquired it through 
previously, practice a non-assertion covenant of their "rights" 
against others claiming the same content under the Claimware license, 
and include the Claimware license with their copy.