WebAIM - Web Accessibility In Mind

E-mail List Archives

Re:

for

From: Alastair Campbell
Date: Mar 16, 2007 2:40AM


Hi Tedd,

I think there are a few false assumptions here; I'll try to clarify:

Firstly, I'm not being critical of your CAPTCHA methods; it's great that
someone is making some progress. However, I don't think that sites in
general should use them because including accessible CAPTCHAs is too
complex, for the user as well as the developer. If they were to be taken on
by big providers, that would be better than their current methods.

> As for AOL and M$, I may be mistaken, but I seriously doubt that they
> will provide anything leading edge.

Possibly not, but the point is that they are large organisations and
could provide offline methods of creating an account.

> That's part of the problem -- a user may have to register with
> several providers to cover all the places where s/he may want to post.

The whole point of OpenID is to prevent that. If you have an AOL account
(right now, it already works), you use it with *any site* that supports
OpenID.

Simon Willison has been leading the charge on this; it's worth looking
into:
http://simonwillison.net/tags/openid/


> 1. The user wants to log on to a blog and post.
>
> 2. Blog owners want only legitimate users to post.
>
> Legitimacy is defined as a user having their own web site or a place
> where they can store a verifiable key. The key need not be a secret
> nor permanent -- but only needs to be tied to a URL temporarily.
>
> How would this work?

On Simon's blog for example, I would put in my name and URL
(alastairc.ac), I would be re-directed to MyOpenID where I log in (if I
have been inactive for 20 minutes since my last login), and I get taken
back to Simon's site where I can freely post comments.

If I've used another OpenID site in that session, I wouldn't even notice
the login check, and I wouldn't have to log in at my OpenID provider.

See this for how to use your own site for your OpenID:
http://simonwillison.net/2006/Dec/19/openid/

Your clearing house example sounds similar to a public-private key
mechanism, which would be great for people with sites, but not much use
to regular people who just want to use their AOL/MS/Yahoo account on any
site.

> The upside is that spammy probably won't want to go through the
> trouble. And, I don't see an automated way to do this.
>
> Am I wrong?

Probably not, but I don't see regular users doing that either, which is
essentially the same issue I have with CAPTCHAs.

There are some problems with OpenID (primarily phishing potential), and
it isn't the whole answer (http://simonwillison.net/2007/Feb/25/six/),
but it does seem to be the starting point for the solution.

Kind regards,

-Alastair

--
Alastair Campbell | Director of User Experience

Nomensa Email Disclaimer:
http://www.nomensa.com/email-disclaimer.html