Weblog Identities

Mark Pilgrim's discussion of how to stop spam in comments is very interesting. I don't have an answer for it, but I think it also brings up another important issue related to comments: persistent identity across sites. I think there are a couple of types of people who post comments. Some people have a carefully constructed Internet identity that is linked to their real-world identity. They care about how they are perceived on the Web because it affects their real-world lives. Others post anonymously with pseudonyms, and they don't care how that username is perceived because it isn't linked to their real-world life. I think there's a place for both types of posters, and the level of identity-revelation should be voluntary. I think this difference causes friction though, and it could get worse...especially as it relates to persistence.

How do I know that "WackyD00d" posting on site A is the same real-world person behind "WackyD00d" posting on site B? Especially when current weblog comment systems allow the user to put anything they want into the name, URL, and email fields. How would the real person behind "WackyD00d" posting on site A police the use of his/her online identity on a site they don't control? Abuse could hinder discussion. It doesn't seem to matter if everyone is posting anonymously, but when real-world reputations are on the line it could be problematic. For weblogs to be taken seriously as a place for discussion, I think this problem needs to be addressed.

Requiring a login with email verification could provide some protection, but you run into the problem of putting up a barrier to conversation...especially if you have to register on every site that you'd like to participate in. I think some sort of central "Identity Bank" that generates a PGP-style key that could be included with comments across sites could work. It would be a barrier (though lower than a login), and there are some privacy concerns. (I wouldn't trust my info with Passport/Microsoft, for example.) But somehow offering that option to people who care about their online-offline identity link could help. And I think it could be done like PGP, where no one company has the keys to everyone's ID. Maybe it could even be done with PGP somehow.
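A sketch of the signed-comment idea above, added here as an illustration and not part of the original post: it uses Ed25519 signatures from Node's `crypto` module rather than PGP itself, and the comment fields, site URLs and function names are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Short fingerprint of a public key: the "text key" a reader compares across sites.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex').slice(0, 16);
}

// Bytes that get signed. Including the site and post URL binds the signature to
// one thread, so a signed comment copied elsewhere no longer verifies.
function canonical(c) {
  return Buffer.from(JSON.stringify([c.site, c.post, c.name, c.body]), 'utf8');
}

function signComment(comment, privateKey) {
  const sig = crypto.sign(null, canonical(comment), privateKey).toString('base64');
  return { ...comment, sig };
}

// True only if the signature matches the public key the reader already
// associates with this name. Unsigned or malformed comments are unverified.
function verifyComment(c, publicKey) {
  if (typeof c.sig !== 'string') return false;
  try {
    return crypto.verify(null, canonical(c), publicKey, Buffer.from(c.sig, 'base64'));
  } catch {
    return false;
  }
}

// Constructed sample data: two key pairs and comments on hypothetical sites.
function demo() {
  const real = crypto.generateKeyPairSync('ed25519');
  const impostor = crypto.generateKeyPairSync('ed25519');
  const base = { site: 'https://site-a.example', post: '/posts/comment-spam',
                 name: 'WackyD00d', body: 'Signed comments could help here.' };
  const genuine = signComment(base, real.privateKey);
  const forged = signComment({ ...base, body: 'I take it all back.' }, impostor.privateKey);
  const replayed = { ...genuine, site: 'https://site-b.example' };
  return {
    keyId: fingerprint(real.publicKey),
    genuine: verifyComment(genuine, real.publicKey),   // signed by the real key
    forged: verifyComment(forged, real.publicKey),     // same name, different key
    replayed: verifyComment(replayed, real.publicKey), // copied to another site
    unsigned: verifyComment(base, real.publicKey),     // today's free-text comment
  };
}

console.log(demo());
```

The check is only as good as the way the reader obtained the public key, which is the job the post assigns to the identity bank or a PGP-style arrangement.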

Comments

I think this is clearly an idea that's about to become a significant concern. I'm surprised none of the weblog tool vendors or other repositories of identity info have seized the opportunity. I'd love to use my MetaFilter login everywhere.
Of course, this illustrates the problem. The real "pb" didn't post that comment. Or this one?
I had the same line of thinking a few months ago, pb. The thing about a 'central identity bank' is that it seems natural to connect this to existing publishing systems like Blogger, MT, and Radio UserLand. But since they're individual systems it calls for a larger, generic and standard way of interoperating.

In essence, it's like Microsoft's .net without the crap. I did poke around the web for something like this earlier this year, and there are a few open source .net implementations and derivatives; it might be a good idea for blogging systems to consider it.
Drupal's already been there ahead of us: as long as the site owner hasn't disabled "distributed authentication" (http://www.drupal.org/node.php?id=312), you can log on to a Drupal site with a username/password from Blogger, Delphi Forums, Drupal, Jabber, Manila, or Yahoo. Some of those I'd rather not pass out to any site where I happen to want to comment (would you really submit your MeFi password to any random weblog?), but the fact that it includes Manila (as in, register to comment on one Manila site, and you can use that ID to comment on any Drupal site) points out that anyone with an XML-RPC client and server can do distributed authentication. It would be nice if everyone could agree on a single format, so I could just sign in anywhere as phil@philringnalda.com rather than phil@mt.philringnalda.com/mt/ to indicate that the site needs to use Movable Type's authentication protocol at philringnalda.com/mt/mt-authent.cgi, but even with a dozen different schemes it would still be vastly better than having to register separately at each weblog.

Of course, with totally decentralized authentication, you also have to have a way to blacklist not only 'joeschmoe@philringnalda.com' but also '*@haXors.net', and a way to distribute blacklists (and a way to withdraw false blacklistings, and who knows what else...). When this first started, I bristled any time someone suggested just shutting off comments and using (Track|Ping)Back and referrers as a substitute, but the more I think about solutions to harden comments (all of which are easier to script around than they are to implement), the more I wonder. We already have a threading nightmare: my original post on this has 25 comments, 13 trackbacks, and at least 30 unique referrers, and many of those trackbacks and referrers have additional comments or trackbacks. I'm not sure we'd be any worse off making comments completely distributed, maybe keeping a separate comments weblog of things that we don't want to include in our main weblog. It would certainly be easier to keep track: I've left plenty of comments about this in places that I'll never remember to check again.
Ulp. I'll remember to check this thread, though, every time I get spam addressed to joeschmoe at philringnalda.com, won't I?
I don't think I'd be happy trusting my ID to a distributed login system with MT, Blogger, Userland, or any commercial interest hosting my identity. I was picturing some sort of text key that could be used anywhere to verify my identity, with tool makers simply adding another text field to display the info...or it could be used in the URL field somehow. (No shared logins, information, or RPC calls.) Posts with the key could be verified for authenticity. Posts without would be as they are now. I'm not as worried about authentication across multiple sites. I know Web app vendors are great at hosting my identity for their specific service, but I would worry about relying on them to keep a login system open for use across applications in the future. I think some sort of non-commercial ID-bank that people can use with existing systems would be the way to go. That way you wouldn't even need to wait for tool-makers to implement/adopt it. I'm not sure about the specifics of how it would work, but it *seems* possible to me.
It is a challenge. In login systems that I have designed for applications (web) I have tended to use an email verification - i.e. send an email with a secret key, following that secret key (usually a URL) turns on the account.

However to post comments to a random blog - this is by far overkill.

One thought that comes to mind - how about using a cookie driven verification scheme?

i.e. the comment system would have a graphic from a central system (blogspot.com for example), this could then request a given cookie (from that domain) - based on the content of the cookie - the comment system could add the identity to the comment post.

This might work in a manner akin to Slashdot's "real" URL mapping - a user would still enter Name, URL, comment just as before - but in a [] next to the name could be a "verified name".

This has the advantage of being fairly easy to implement and would avoid the blog owner ever having access to the actual identity pieces (as the cookie would be going to the central server, not the site hosting the blog).

Shannon
As we become the slaves of our 'idents' we lose our freedoms. Consider..one day it's blogger, but next day blogger [is] google.
Also, [the] Liberty Project begun by Sun and Oracle to end-run around MSpspt a few days ago was co-opted by DoD (which includes the rest DCI, etcetc)...all following on the Idea that "we" need to have A Single UID for all-purpose. What you're discussing seems to me a singular off-shoot of this AUTH schema. Question is just who are we trying to keep out?
Or let in. (sorry...just my .05)
PS. yeah I have a blogger acct from early on.