[security] Who bears the risk..
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 03:32:00 UTC 2006
On Thu, 26 Oct 2006 19:32:23 -0700, Johannes Ernst wrote:
> On Oct 26, 2006, at 19:16, Dan Lyke wrote:
>> For instance, I may present random OpenID users with a CAPTCHA type
>> puzzle the first time they log in, but I could skip that step if
[snip]
> I'd really hate it if that happened. Because I -- speaking about
> myself -- would like to have a piece of software do a lot of things
> for me, using my identity (and me being responsible for its actions).
Since part of this whole project I'm working on (and is way too
ambitious to be doing as a side project while I'm doing a startup in
another field, but that's a different whine) is about heavily tiered
security, I'd do that sort of thing only for specific capabilities.
I don't care if you read the site in an automated way, but, for
instance, I'm going to want some sort of verification that there was
at least once a human on the other end before I allow you to comment.
It would likely be done once and saved as part of the identity
(annoying is having to answer those CAPTCHAs every single time I
comment on someone's blog), but, especially as OpenID discovery starts
to take hold, the spammer bots are going to be a problem.
Dan