LJ munging OpenID comments?

[Mark Rafn]

On Tue, 20 Sep 2005, Kurt Raschke wrote:
> All right, all right.  So if OpenID is the "not anonymous", then where's the 
> "not spam" part?  Do we build a web-of-trust system on top of OpenID, or 
> what?

[For those keeping score, I've switched sides since I complained about 
this on the last go-round. Authentication and trust are different.]

I believe that's up to each consumer.

LiveJournal COULD provide whatever level of additional security they want, 
including allowing an openID-authenticated user to pass a CAPCHA, provide 
an e-mail address (that gets verified), and agree to ToS.  After that, 
they could treat the OpenID login exactly the same as a livejournal login. 
They've passed the same tests, so are equally likely to be human.

Actually, they could allow OpenID names to have journals.  That would 
be kinda cool.  And it's completely up to them.

That said, I strongly hope that LJ does the work to allow them to treat an 
OpenID user who has gone through a registration and CAPCHA at least as 
well as they do someone who created a free LJ account ten minutes ago.

> Or do I just send off my credit history and a DNA sample to LiveJournal?

Too easy to copy.  You'll need to visit in person, and submit to retina 
scan.  Unfortunately, they have only slide scanners, and you won't get 
your retina back afterward.

> On Sep 20, 2005, at 1:07 PM, Zefiro wrote:
>> It's completely ok if LJ chooses to handle other identification methods 
>> differetly than their own users (who are bound to their
>> terms, they have some date, captcha, etc).

Sure, it is EXACTLY as ok as it would be to treat some LJ logins different 
than others.  Many sites do, and LJ treats paid users differently than 
free in some ways.

>> But it is not ok to keep insisting that OpenID users are anonymous 
>> users.

I don't think LJ says that OpenID users are anonymous.  They treat 
comments from OpenID users (except those on the journaler's friends list) 
the same way they treat comments from anonymous users.  This is an 
important distinction.

>> Repeating the sentence about trust doesn't change anything, as 
>> this OpenID != anonymous does say nothing about trust, and the spec 
>> explicitely stating that it says nothing about trust does not confirm 
>> in any way that OpenID is anonymous. After all, this is the whole (and 
>> only) point in OpenID.

OpenID != anonymous.  That _is_ the point of openID.  Nobody's saying that 
an OpenID user is anonymous.  LJ does currently say that comments from an 
openID user are treated the same way that comments from an anonymous user 
are, but that does not imply that the user is anonymous.

> Look at the OpenID wiki, then look at Wikipedia.  Both use accounts to 
> identify users, but one uses OpenID to actually perform that identification, 
> and one uses an email address and password.  But there's still an account 
> being created, no matter how you look at it.  And if an account is being 
> created, then there's an opportunity to show a TOS, or demand more 
> information, or whatever.  Of course, if you're demanding more information 
> from a user, then that opens the door to automation through some type of 
> profile-exchange mechanism on top of OpenID.

What he said.
--
Mark Rafn    dagon at dagon.net    <http://www.dagon.net/>