Charles Darke | 22 January 2007Anybody wanting to bypass OpenID by using a temporary OpenID can now use:
http://www.jkg.in/openid/
I'm glad this has been done and a little surprised more haven't cropped up earlier.
The key problem I see for OpenID is that it uses ownership of URLs rather than ownership of emails for the 'proof' of identity. My belief is that URLs don't prove identity better than emails and may possibly be 'cheaper' than emails. My own preference would be to use ownership of a domain name (which has its own problems).
Unlike email, OpenID opens up the possibility of a fully automatic way to provide a fake identity as the protocol for verification is well defined.[1] What's more, OpenID works immediately, whereas there is normally a delay for emails.
Lastly, there are now very few open relays precisely due to the problem of spam. OpenID can potentially turn any website into an open relay for comment spam.
The OpenID website used to have a long list of what OpenID was not. It never really said what it was and this new OpenID service shows that the 'convenience' of not having to remember passwords can simply be achieved by not requiring users to log in at all.
[1] In practice you can automate mail authentication too by configuring your mail server to automatically follow the verification links in email sent to a special email address.
http://www.jkg.in/openid/
I'm glad this has been done and a little surprised more haven't cropped up earlier.
The key problem I see for OpenID is that it uses ownership of URLs rather than ownership of emails for the 'proof' of identity. My belief is that URLs don't prove identity better than emails and may possibly be 'cheaper' than emails. My own preference would be to use ownership of a domain name (which has its own problems).
Unlike email, OpenID opens up the possibility of a fully automatic way to provide a fake identity as the protocol for verification is well defined.[1] What's more, OpenID works immediately, whereas there is normally a delay for emails.
Lastly, there are now very few open relays precisely due to the problem of spam. OpenID can potentially turn any website into an open relay for comment spam.
The OpenID website used to have a long list of what OpenID was not. It never really said what it was and this new OpenID service shows that the 'convenience' of not having to remember passwords can simply be achieved by not requiring users to log in at all.
[1] In practice you can automate mail authentication too by configuring your mail server to automatically follow the verification links in email sent to a special email address.
Add comment!
New topicComments (2)
Written by Charles Darke at 6:02pm, 22 January 2007.OpenID claims that it is not about spam or trust. However, people are using OpenID for anti-spam and trust.
For example, I don't care who you are, what your email is, or what URLs/domains you own so long as you don't spam my blog.
Otherwise, why bother with OpenID at all? Just let anyone post without 'proving' they own and URL or email. In effect an anonymous OpenID provider removes the only thing OpenID claims to provide.
For example, I don't care who you are, what your email is, or what URLs/domains you own so long as you don't spam my blog.
Otherwise, why bother with OpenID at all? Just let anyone post without 'proving' they own and URL or email. In effect an anonymous OpenID provider removes the only thing OpenID claims to provide.
Written by Charles Darke at 6:11pm, 22 January 2007.
Women like men in fast cars
I believe blacklists for OpenID are inevitable. However, since OpenID uses URLs rather than Domains for identity, a blacklist will either have to decide on blacklisting a whole domain (which will catch some innocent parties) or end up chasing URL after URL and losing to spammers.
For example, let's say you can host an IdP on blogger.com, you would either have to block blogger.com or keep a list of randomusers.blogger.com.
I favour blacklisting whole domains to move to using domain ownership as ID rather than URL ownership. Domains are cheap, but unlike URLs they are not free.
Bloggers who don't own their own domain but who have built up sufficient reputation could use OpenID via whitelist.