[wp-hackers] Should OpenID be in WP core?

Elias Torres elias at torrez.us
Thu Mar 8 14:32:04 GMT 2007



Alex Günsche wrote:
> On Thu, 2007-03-08 at 09:04 -0500, Elias Torres wrote:
>> For example, on comments, the first time someone posts with an OpenID
>> identity it goes in the moderated queue. If you approve it, then we
>> could say that you've allowed her access for future posts and these will
>> no longer get placed in the moderated queue.
> 
> As I said in my first message, I haven't used OpenID so far, but have
> read a bit about it.
> 
> However, especially with the comments, this gives me the following
> question: Let's assume I'm a spammer. I would go to your form and just
> enter *some* URL which I assume could be involved via OpenID. I could
> increase my success rate by checking which other URLs have already
> commented on this article or blog.

I don't know everything about OpenID either, but this is what I
understand. Signing in with OpenID is not just about entering the URL;
there's a 3-way dialogue between the RP, your provider and you.
The blog receiving the comment will redirect you to your provider, where
you authenticate directly (most likely with user/pw or cookie); then the
receiving blog will get an authenticated identity from the provider.

I don't think that spammer bots can just go enter a "valid" URL and get
away with it; I think that would make OpenID very stupid. I said that
once you have approved an identity (URL), future posts don't get
moderated, but they still get authenticated with the same dialogue above.

> 
> By the way, wouldn't this try'n'error method just work with any OpenID
> based authentication? Or is there a major point I'm missing?

Maybe.. read above and let me know if I didn't get your question.

> 
> 
> Regards,
> Alex
> 

-Elias
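
The flow described in this message, as an added example that is not part of the original post or of WordPress code: a simplified Python model (not the OpenID wire format) in which an HMAC over a shared secret stands in for the provider's signed response. All function names, URLs and the secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a secret shared by the blog (RP) and the provider,
# and the identity URLs the blog owner has already approved in moderation.
ASSOC_SECRET = b"constructed-association-secret"
APPROVED = {"https://alice.example/"}
PENDING = {}  # nonce -> claimed URL, recorded by the blog when it redirects


def _sign(claimed_url, nonce):
    msg = f"{claimed_url}|{nonce}".encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()


def begin_login(claimed_url):
    """Blog side: typing a URL only starts the dialogue; it proves nothing."""
    nonce = secrets.token_hex(16)
    PENDING[nonce] = claimed_url
    return nonce


def provider_assert(claimed_url, nonce, user_logged_in):
    """Provider side: sign only after the user authenticated at the provider."""
    return _sign(claimed_url, nonce) if user_logged_in else None


def comment_status(claimed_url, nonce, signature):
    """Blog side: verify the provider's answer, then apply the moderation rule."""
    expected_url = PENDING.pop(nonce, None)  # single use, so replays fail
    if expected_url != claimed_url or signature is None:
        return "rejected"
    if not hmac.compare_digest(_sign(claimed_url, nonce), signature):
        return "rejected"
    # Only a verified identity is checked against the approved list.
    return "published" if claimed_url in APPROVED else "moderated"


if __name__ == "__main__":
    url = "https://alice.example/"
    for logged_in in (True, False):
        n = begin_login(url)
        sig = provider_assert(url, n, logged_in)
        print(logged_in, comment_status(url, n, sig))
```

An approved URL entered by someone who cannot authenticate at the provider is rejected before the approved list is ever consulted, which is the distinction the reply draws between approving an identity and authenticating it.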

