WebAIM - Web Accessibility In Mind

E-mail List Archives

Re:

for

From: tedd
Date: Mar 15, 2007 12:00PM

Alastair :

At 4:57 PM +0000 3/15/07, Alastair Campbell wrote:
> > One problem at a time. There are different types of CAPTCHA's, as you
>> can see here.
>
>Which is fair enough, but why not have a few providers rather than
>having to implement several of them on every site? (And people having to
>use them on everysite.)

The problem as I see it, is that the typical person who wants a spam
prohibiting mechanism most commonly looks to a CAPTCHA as a solution.

My attempt here is to provide solutions that are accessible. That
does not prohibit anyone from seeking other methods.

> > As for OpenID, I have an account with them
>
>Err, who? AOL, MS, MyOpenID?

Err, as I said -- "OpenID" -- as found here: http://openid.net/

As for AOL and M$, I may be mistaken, but I seriously doubt that they
will provide anything leading edge. The "pick the cat" technique
recently discussed is an example where you certainly could have added
"What about the blind?" or for those visual impaired. Even I had a
hard time finding the cat AND they did even have the foresight to tie
the image to a zoom level -- for example, see this:

http://sperling.com/examples/zoom/

That's a very easy technique to implement and they simply didn't take the time.

I think my "Performance CAPTCHA" certainly surpasses the "pick the
cat" attempt -- and I've had that for many years.

http://sperling.com/examples/assorted-captcha/

> There are quite a few providers already!
>
>Yep, but it's gathering momentum pretty quickly. There are many
>providers, it's the sites that need to catch up now.

That's part of the problem -- a user may have to register with
several providers to cover all the places where s/he may want to post.

>Actually, it's quite easy to automate, or at least make very quick, and
>can't serve as a trust mechanism. You could also automate the creation
>of OpenIDs, which is why you would still need a trust mechanism.
>Possibly one of the methods I suggested, although I'm sure there could
>be other methods.

How about this?

The goal is:

1. The user wants to logon to a blog and post.

2. Blog owners want only legitimate users to post.

Legitimacy is defined as a user having their own web site or a place
where they can store a verifiable key. The key need not be a secret
nor permanent -- but only needs to be tied to a url temporarily.

How would this work?

User wants to post on your blog and without a confirmed ID is
directed to the clearing house.

User contacts a clearing house and request an account. The clearing
house asks for their web address. After which the clearing house
generates an "unique ID" key and shows it to the user (i.e.,
abc123456789.html) and instructs the user to place it in their web
site as a name for a html document.

The user follows instructions and creates a blank document entitled
abc123456789.html and places it in their web site. After which the
user returns to the clearing house web site and request verification.

The clearing house asks for the users web site address, looks that
web address up in its dB, and checks to see if the unique html key is
present at the user site. If it is, then the process is verified, and
the user can pick a "user ID" (anything they want, which is not what
OpenID provides) and that would be confirmed as being linked to the
users web site.

The clearing house would now store the user's; a) web site address,
b) and a confirmed user ID. The unique ID and associated html would
no longer be needed. The user would be instructed as such and could
remove it from their web site if they wanted.

Now, everyone who has a blog and wants confirmed users would then
subscribe to the clearing house service via a form which simply
gathers the user's ID and the user's web site address and submits it
to the service for verification.

In other words, a logon for me would be:

UserID: tedd
Web Site: sperling.com

That information would then be sent to the clearing house and checked
for consistency. Is "tedd" a confirmed user ID for "sperling.com"? If
true, then the clearing house responds with "true" and the user can
input data, if not, then access is denied.

The only downside here is that it limits the users to having a web
site or access to somewhere where they can place a unique html.

The upside is that spammy probably won't want to go through the
trouble. And, I don't see an automated way to do this.

Am I wrong?

Cheers,

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com