I believe that this is also where PAPE comes in to some degree. It all comes down to whether what the OpenID provider says is good enough for the RP though — just because you can technically facilitate relationships, it doesn't mean that you actually have one. That's where technology meets policy and law, and things inevitably get grayer, slower and more riddled with "social bugs".<div>
<br></div><div><a href="http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-07.html">http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-07.html</a></div><div><br></div><div>
Chris<br><div><br><div class="gmail_quote">On Thu, Mar 26, 2009 at 4:46 AM, Rabbit <span dir="ltr">&lt;<a href="mailto:rabbit@cyberpunkrock.com">rabbit@cyberpunkrock.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><div>I was entertaining the idea of dynamic behavior based on trust or some model for reputation rather than outright limiting. For example, an RP could choose to require a Captcha for any OP other than a small set of providers the RP believes has done an adequate job at eliminating bots.</div>
<div><br></div><font color="#888888"><div>=Rabbit</div></font><div><div></div><div class="h5"><br><div><div>On Mar 26, 2009, at 3:19 AM, Nate Klingenstein wrote:</div><br><blockquote type="cite"><div style="word-wrap:break-word">
Rabbit,<div><br></div><div>Unless you're limiting the set of OP's you're willing to work with (quite likely in the future, in my view, but that's not universally shared), I think it will prove necessary to retain the CAPTCHA. It's trivial to generate arbitrary OpenID's for robots, and would certainly happen rapidly if there were more exposed RP's in the world.</div>
<div><br></div><div>Take care,</div><div>Nate.</div><div><br><div><div>On 26 Mar 2009, at 06:55, Rabbit wrote:</div><br><blockquote type="cite"><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px">
<font face="Helvetica" size="3" style="font:12.0px Helvetica">Services rely on OpenID to prove a user is *who* they claim to be. Should services also rely on OpenID to prove a user is *what* they claim to be?<span> </span>The cautious would say no but I thought the question was interesting. Should proving to Google that I am a human be good enough for an RP to believe it too? Is there an implied transitive property of trust that comes along with using some services as opposed to others?</font></div>
</blockquote></div><br></div></div></blockquote></div><br></div></div></div><br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div></div>
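An added example, not part of the thread and not code from any OpenID library: a sketch of the RP-side decision the thread discusses, where the CAPTCHA is skipped only for an OP the RP has chosen to trust and only when that OP's signed response carries a PAPE policy the RP accepts. The host name, the accepted-policy set, and the function names are assumptions, and the response signature is assumed to have been verified already.

```python
from urllib.parse import urlsplit

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
# Assumption: the PAPE policies this RP treats as sufficient.
ACCEPTED_POLICIES = {POLICY_BASE + "phishing-resistant", POLICY_BASE + "multi-factor"}
# Assumption: hosts of OP endpoints this RP has chosen to trust (placeholder name).
TRUSTED_OP_HOSTS = {"op.trusted.example"}


def pape_policies(fields):
    """Policies the OP asserted via PAPE, or an empty set if absent or unsigned."""
    alias = next((key[len("openid.ns."):] for key, value in fields.items()
                  if key.startswith("openid.ns.") and value == PAPE_NS), None)
    if alias is None:
        return set()
    signed = fields.get("openid.signed", "").split(",")
    if alias + ".auth_policies" not in signed:
        return set()  # unsigned extension fields could have been added in transit
    return set(fields.get("openid." + alias + ".auth_policies", "").split())


def requires_captcha(fields):
    """fields: key/value pairs of a positive assertion whose signature the RP
    has already verified (verification itself is out of scope here)."""
    endpoint = urlsplit(fields.get("openid.op_endpoint", ""))
    host = (endpoint.hostname or "").lower()
    if endpoint.scheme != "https" or host not in TRUSTED_OP_HOSTS:
        # Any OP can claim any PAPE policy, so claims from OPs outside the
        # trusted set are ignored and the CAPTCHA stays.
        return True
    return not (pape_policies(fields) & ACCEPTED_POLICIES)


def sample_assertion(op_endpoint, signed_pape=True):
    """Constructed sample response fields, not captured traffic."""
    signed = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    if signed_pape:
        signed += ",ns.pape,pape.auth_policies"
    return {
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": POLICY_BASE + "multi-factor",
        "openid.signed": signed,
    }
```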