If you cannot see the difference between “OpenID Authentication provides a way to prove that an end user controls an Identifier.” vs. “OpenID was designed to prove you own the URL”, then I’m not certain that I can explain it to you. “Control” and “own” are two entirely different things. Yes, proof of ownership would provide proof of identity, but “control” is wider in scope, and provides no clue to identity.

Furthermore, neither one of these really has anything to do with “Identity”, as Brad only talks about “Identifier”, which is a critical difference. An Identifier is the same thing as the letter I in URI.

To avoid spam registratiopn, WP pluging SABRE works like a charm (with captcha, confirmation, various detection schemes without been too annoying to a regular subscriber).

Luc

His first talks about “I told people this will happen”. What’s happened? Ma.gnolia picked an alternate authentication mechanism permanently, and found it as a way to cut spam in the process?

Ok, fine. OPENID IS NOT THE SOLUTION TO SPAM. We get it Otto. Thanks. Anyone who thinks so didn’t bother to learn anything about OpenID, and become incorrectly educated.
There’s really no fix for that.

His second is an attempt to laugh right in Brad Fitzpatrick’s face…

OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.

The very first line that has ALWAYS been present in the OpenID specs, even when it was called YADIS.

OpenID doesn’t give you a universal username, it says (for example) “Matt Mullenweg owns ma.tt”. It however, serves a good purpose as a decentralized, globally unique identifier.

I hear you, Otto. I don’t want to kill anonymity. I however appreciate the improvement to identity.

Plus it would be cool if we could use Googles social api (with XFN) to check that only people that have been around on the web (have a blog/twitter/myspace/etc.) are allowed to comment. (of course that would mean grandpa would be in trouble).

OpenID was designed to prove you own the URL associated with your blog comment

No, no, no. That’s not *at all* what OpenID was designed to do, and the fact that people keep getting this wrong is what I find so annoying about the whole thing.

OpenID was designed to being an alternative to having a username and password on every bloody site you use.

Sign into digg? Enter your username and password. Sign into wordpress.com? Enter a different username and password. Annoying, no? OpenID was designed to allow single sign on. You login to your own site, and then your site tells anybody else that asks whether you’re valid or not.

It has been extended to allow for easier site-registration. If I want to create an account on newdigg.com or something, I can sign-in with my OpenID and it gets my info from my OpenID provider.

But applying OpenID to any other problem is a complete and total misuse of it. It does not stop spam and it does not prove identity. It does provide authentication and limited information transfer, but that is all.

If that service had featured a sister-option to dynamically apply to be chosen for an invitation (by another member), maybe that’s enough to block most spammers.

I see a theme in Matt’s comments: a solution has to address a big enough problem to be worth messing with. OpenID was designed to prove you own the URL associated with your blog comment; but commenter impersonation just isn’t a big problem for most blogs. OpenID is being extended to encompass reputation and therefore conceivably to becoming useful as a spam-blocking tool. But it isn’t there yet, and content-based techniques like Akismet work right now.

“OpenID has a ton of promise for the web — let’s not hurt it by setting people up for disappointment by telling them it’s a spam blocker when it’s not.” “I just want a system that puts an end to the endless signing up to websites I end up doing.”

The third way OpenID ended up getting used is as a web single sign-on system, and here is where I think a lot of people see a solution to a big problem. To me it makes a lot of sense to focus on getting some real traction for Web SSO before tackling the much tougher reputation / spam problem, which unlike Web SSO already has some workable solutions.

That said, whitelisting providers is also interesting. If I were building an alumni site for my old university I might decide to allow whitelisted access to any OpenID provided by that institution, on the basis that they would only be available to staff and students and hence someone else would already have confirmed that those people weren’t spammers.

They [the spammers] wouldn’t actually need any pre-existent ‘anonymous’ OpenID provider as it is quick and relatively straight-forward to set one up. By way of example, phpMyID allows me to be my own OpenID provider.

The benefits of OpenID are mainly ‘user-facing’ in terms of the ease of login. From the point of view of OpenID adopting sites, they should see themselves as providing some added value for their visitors but can’t really expect any benefit beyond the normal method of login.

From the Wordpress/blog platform spam-control point of view, Accepting OpenID for comments is roughly the same as allowing comments-without-login.

Akismet/YourOwnFilterOfChoice will continue to be your friend

I’m obviously pleased to see Larry’s decision to switch to all-OpenID login. However, the really big blocker to using OpenID accounts for spamming will come when there is a true cost to losing an OpenID account.

There is a cost-point and it’s not necessarily high where it doesn’t make sense to spam something. If the marginal cost of the spam is higher than the marginal benefit the spam literally isn’t worth the effort.

For starters, a plugin that worked flawlessly. WP-OpenID does not.

When you refer to whitelisting, do you mean individual identity whitelisting or whitelisting of providers? I mean, whitelisting google isn’t going to help, because spammer accounts are a dime a dozen.

Ciao!

We need a way to confirm the unique identity of an individual and right now a mobile number is probably the best option (due to the percentage of the population who have mobile phones).

If there was a system like OpenID that forced all registrants to periodically “re-authenticate” (perhaps every three months) using the same SMS method, then phone numbers wouldn’t need to be stored and the system would stay relatively spam-free. I say relatively because anything can be bought for a price.

Like Xavez said, if it costs the spammers more money than the spamming generates, it won’t be worthwhile. Spammers will never stop, but just as you don’t see the sky full of advertising blimps because it’s so expensive, we need to make it unreasonably expensive for the spammers. The only way I see that happening anytime soon is by linking the virtual world with the real one.