I say, Yes!
First, why did I create the server if I knew/realized this as well? Well, to generate awareness the hard way.
What about spam?
Again, this is not a trust system.
The above statement at OpenID.net reflects total ignorance about it. C’mon guys, we cannot be ignorant about it. I am sure all “normal” people hate spam. I think we must implement a solution for it in the protocol itself. We don’t have to be 100% accurate but we must be able to deter a major chunk of spammers.
See, all that I did to create my Anonymous OpenID server was to modify a few lines of code in phpMyID, and the spammer-friendly OpenID server was up and running. (And, no, I am not going to release the changes I made.)
We know that spammers have a lot of domains, and I am sure all of their servers are capable enough to have one or the other OpenID IdP running. This means they are also capable of generating an unlimited number of OpenIDs like I did.
I don’t think using only blacklists is a good idea, given that all it takes for a spammer is to buy a domain, modify and set up phpMyID, and voila! He’s back in business (maybe only for some time, but still).
Here is what I propose:
When we initiate the process, the client/consumer sends a dynamically generated image to the IdP. The IdP shows the normal login form, along with the captcha image and an input field.
When the user submits the form, the IdP server communicates with the client/consumer and gives it the text the user entered for the captcha image to be verified. The client checks if the text is proper and sends the reply back to the server.
If the user-entered captcha text was not proper, we request another image from the client. We do it at most 3 times for a given IP.
If the user-entered text for the captcha image is found to be correct, we proceed with the present authentication process.
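The exchange proposed above, as an added sketch (not code from phpMyID, the OpenID specification, or the original post). The names Consumer, idp_login and read_captcha are hypothetical, the "image" is a constructed stand-in string, and a failure counter that never resets is an assumption, since the proposal does not say when it should. The point it shows: the consumer alone holds the expected text, each challenge is single-use, and the IdP only relays what the user typed.

```python
import hmac
import secrets

MAX_ATTEMPTS_PER_IP = 3  # the proposal's limit: at most 3 tries for a given IP

class Consumer:
    """Client/consumer side: issues the captcha and keeps the answer to itself."""
    def __init__(self):
        self._pending = {}   # challenge_id -> expected text (never sent to the IdP)
        self._failures = {}  # user IP -> failed attempts (assumption: never reset)

    def new_challenge(self, ip):
        """Return (challenge_id, image) for the IdP to display, or None if the IP is out of tries."""
        if self._failures.get(ip, 0) >= MAX_ATTEMPTS_PER_IP:
            return None
        challenge_id = secrets.token_urlsafe(16)
        text = secrets.token_hex(3)  # stand-in for the text rendered into a real image
        self._pending[challenge_id] = text
        return challenge_id, f"<image of {text}>"

    def verify(self, challenge_id, ip, answer):
        """Check the text relayed by the IdP; a challenge id is valid exactly once."""
        expected = self._pending.pop(challenge_id, None)  # pop blocks replay of an old answer
        if expected is not None and hmac.compare_digest(expected.encode(), answer.encode()):
            return True
        self._failures[ip] = self._failures.get(ip, 0) + 1
        return False

def idp_login(consumer, ip, read_captcha):
    """IdP side: show form plus captcha, relay the typed text, retry until the consumer refuses."""
    while True:
        challenge = consumer.new_challenge(ip)
        if challenge is None:
            return "rejected"             # 3 failed captchas from this IP
        challenge_id, image = challenge
        answer = read_captcha(image)      # what the user typed into the extra input field
        if consumer.verify(challenge_id, ip, answer):
            return "continue-openid"      # proceed with the present authentication process

def human(image):
    """Constructed stand-in for a person reading the captcha image."""
    return image[len("<image of "):-1]

if __name__ == "__main__":
    print(idp_login(Consumer(), "203.0.113.5", human))                    # continue-openid
    print(idp_login(Consumer(), "198.51.100.7", lambda image: "guess"))   # rejected
```

Because the IP limit is enforced by the consumer rather than the IdP, an IdP run by the spammer cannot simply skip the check; it still has to produce a correct answer for every image.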
Is the solution proposed foolproof? Of course not, but it will deter a lot of the spammers.
I am sure there will be folks that will not like the above captcha idea given that some people may have problems reading them etc. I do understand that. I think with some constructive discussion around it, we can do it in a way that suits everyone and can make things difficult for the spammers.
I hope I’d be successful in my attempt to get the protocol changed slightly and to try and make things difficult for spammers.
What will I do with this Anonymous OpenID server? Well, it will be online for now, till I am able to convince others of the protocol change. If the spammers use it too often or I have any bandwidth issues, I might take it down earlier.
On a side note, Dmitry also thinks that the Anonymous OpenID server is a perfect anti-phishing solution since no authentication happens.
But that won’t stop the anti-phishing debate, though.