[security] security

Dan Lyke danlyke at flutterby.com
Sun Oct 29 00:43:34 UTC 2006


On Sat, 28 Oct 2006 15:33:10 -0700, James A. Donald wrote:
> without machinery in the protocol and libraries for
> whitelisting, greylisting, and blacklisting, the
> widespread adoption of openid will eventually lead to
> spammer attack.

As someone who's run a weblog since early 1998, with easy comments  
since some time in 2000, I disagree.

Reputation systems merely require an identity which will be shared  
between systems. OpenID provides that.

Reputation systems can be built on top of OpenID completely  
independently of OpenID. Indeed, they should, as the sorts of users  
who I want to provide priority in my community are very different from  
the ones that other people want to promote in theirs.

If you want a centralized login system with some weight to the sign-in  
process, both Yahoo and Google will let you use their user base. It's  
not that hard to sign up for those systems. Those users have been  
through a CAPTCHA authentication. Yahoo and Google both have TOS  
agreements under which they terminate users.

I want to use OpenID precisely because it *isn't* controlled by some  
centralized authority, and because we can use it to build distributed  
reputation systems.

Dan


