OpenID and trust

Update: It seems I’m not the only one to ask about trust, and Simon answered it: OpenID is not an account. Just treat it as an alternative to a traditional username and password and you can’t go wrong.

Fair enough, I guess we’ll have to keep looking for a better method than CAPTCHA to prevent automatic signups though.


I noticed OpenID a while ago, as a possible way to do single-sign-on for internet applications. Recently I wondered why Google used CAPTCHA, and despite it being the most viewed article on this blog (thanks to Matthew Mullenweg), no one pointed out the obvious problem with my argument.

Comment vs sign-on

It wasn’t really a huge hole, but I had raised Akismet and other WordPress pluggins as an alternative to CAPTCHA. The point still stands that CAPTCHA is bad and Google could find/create a better way, however, comment spam and sign-ups aren’t the same thing.

Akismet, and to some extent the other WordPress oriented options that prevent comment spam, don’t help sign-ups to other services such as forums, newsletters and custom applications that might allow posting content.

If there is a disconnect between sign-up and posting content, spammers could get through, or at least make it very difficult to prevent abuse. Not that one of the solutions wouldn’t get around that.

OpenID

Not long after my post (and completely disconnected), Simon Willison posted up about OpenID, an open, decentralized, free framework for user-centric digital identity.

It’s quite difficult to get you’re head around how easy it is, but Simon has made it very easy to understand, just check out his OpenID screencast. You create your own central ID, that you control.

Simon's demo shows logging into his site with OpenID.

A popular techie blog completely missed Simon’s post (despite looking at Yahoo closely), and replicated his efforts. However, they go on to talk about single-sign-on methods from Yahoo, Google and others, so it’s worth reading.

From a user point of view OpenId seems great, I now have a single-sign-on to Simon’s blog, Magnolia bookmarks and other sites. However, I’m going to raise one primary question:

What prevents abuse of the system?

I can work out why people can’t spoof your ID, but what stops the spammers from creating loads of accounts to abuse? I don’t know enough about this topic (it’s not marked usability or accessibility ;)), but I haven’t worked out why we can’t have an individual public/private key mechanism like that used for SSH?

(NB: I’m hoping there’s a good answer and this post can be quickly archived, but I have to ask.)

There doesn’t seem to be a trust mechanism such as that built into Gez Lemon’s idea, or a way of preventing spammers creating many throw away accounts.

Why can’t I publish my public (DSA SSH) key on my site in a link and reference that?


Technorati Tags:

9 contributions to “OpenID and trust

  1. Nothing stops spammers from creating hundreds of accounts – and that’s fine, because you should never trust that an OpenID account is a real person and not a robot or spammer. You can still ask someone who has logged in with an OpenID to pass a CAPTCHA, or to provide e-mail for an extra verification step. All OpenID does is replace usernames/passwords as the authentication step.

  2. A PGP/GPG trust structure could be created, but in general those are not used as I want people I don’t know commenting on my blog.

    The clear answer is akismet + reporting to places like myopenid.com. You can easily ban their openid providers if they are completely spam, and I’m sure myopenid and others would keep a banlist.

  3. Thanks for clearing that up guys, I think I was hoping for too much too soon!

    Simon: I’d prefer if CAPTCHA was dropped, although at least with OpenID you’d only have to enter it once.

    codemac: You could be onto something there, you might not even need to build it into the blog: Akismet could report any spam from someone using OpenID to the provider.
    You might have to only accept people from the main provider(s) though, otherwise spammers could just use their own servers.

    I’m not sure that a PGP/GPG structure would restrict it to people you know?

    Ideally, I’d want to have a public/private key setup, with my public key published on my web site (in a link-rel), or through a provider.
    When I enter a comment or login, you provide the URL. Somehow, (no idea how!) your browser would confirm that you are the owner of the key, getting you to type in your password once per session.

    I’m not sure that would increase the trust level at all, but it just seems more ‘mine’ than something like OpenID.

  4. One of the advantages of OpenID is that users does not need to give their personal information to every single website. You have one [trusted] provider and the rest will just have to settle for less information about you.

    It is also an excellent way to create user accounts (really!) for simple website preferences. (As you will not have to manage the accounts.)

  5. Hi Daniel, I wasn’t taking away from what OpenID is about, it’s just that I (and a few other people) hadn’t really understood that it wasn’t trying to be a trust mechanism.

    I’m not sure that OpenID makes it much easier for sites to implement preferences, apart from not having to create usernames & passwords you still have to implment the preferences.

  6. OpenID doesn’t really solve anything at all. Almost all sites that use openid, do also require all the additional info they need to maintain your profile or create your account, so they get all the additional info anyway. To me it seems like a complicated way of saving the end-user from having to remember too many passwords. There is no other benefit. And to top it, it’s also confusing to end-users when sites jump back and forth and still collect additional data when they accept openid.

  7. Hi Grok2,

    I do think that not requiring users to need another username & password is sufficient justification for the technology, although others may not.

    I also think that (done well) OpenID means the user doesn’t have to type anything else in, as it gives you the option of sending your profile to the requesting site. In many cases your profile has the information needed, although some sites will want other specific items.

Comments are closed.