Use Case: should RPs remember identifiers?

Dan Lyke danlyke at flutterby.com
Tue Nov 28 23:48:22 UTC 2006


On Tue, 28 Nov 2006 14:35:34 -0800, Dick Hardt wrote:
> Scenario "E" is a different use case where there is "soft auth" until
> a critical function is needed.

I always have an internal struggle here when I'm trying to resolve the  
notion of late authentication (give them the comment box, ask 'em to  
log in if they decide to use it) with the idea of not confusing the  
user with too many options. I've also recently had some automated spam  
systems take advantage of this because by randomly mashing stuff into  
input fields they managed to create a page full of links in my wiki,  
and then create a user whose name and password were more fields of  
links. I'm not sure that doing things user-first would have prevented  
that, but it might have disconnected the notion of authentication from  
that of the operation enough that the automated approach wouldn't have  
swamped my system.

So to the specifics of Johannes's example, if Alice leaves the public  
terminal and Bob comes back, then Bob gets the notion that he can  
roll back wiki changes, only to be blocked when he goes to do so. I  
guess a big "I'm not Alice" button solves this problem, I just think  
that the implementors have to be careful to not give away anything  
critical when Bob comes in afterwards.

I'd hate, for instance, to have some deeply religious fundamentalist  
use a web browser after I've bought something from Amazon.

Dan


