Slug: id7rcom-is-this-openid Date: 2007-12-27 Title: “ Is This OpenID?” layout: post

I ran across a link to this morning, and while it’s a technically interesting application, I can’t help but see it, at best, as a complete dilution of what OpenID is supposed to mean, and at worst, an intentional abuse of OpenID and a perfect tool for spammers.

## A Quick Refresher

OpenID is a way for a user to assert to a site (the relying party) that the user controls/owns a URI (a good look at the benefits here). The relying party hands authentication off to the OpenID provider behind that URI, and that provider's login step is what is supposed to make sure there's an actual person on the other end of the URI.

>A key feature of OpenID is that it provides a globally unique identifier for every user, no matter what site or service they are using on the Web. (Simon Willison)


The home page says:

>Id7r turns every email address into an OpenID identifier.

  • type in your email address (prepended with and click “verify”
  • check your mailbox for a new message with subject like “Auth Request #### from”
  • follow instructions therein to complete the process.

Now, isn’t email the thing that spammers have come very close to completely ruining by creating millions (billions?) of randomly-generated email accounts? The “instructions therein” consist of:

>Do not reply to this message! It’s sent from an unattended mailbox.

>Hi, <me>,

>Someone (possibly you) has requested authorization at for an OpenID login.

>If you accept, please click this URL<atoken>&auth=yes to complete the process.

>Otherwise, click this URL<atoken>&auth=no to reject it.

>If your email client does not make above URLs clickable or a different browser pops up, please cut and paste either URL to the same browser you used earlier.


>The Id7r Team

It seems to me that grabbing a link from the email and then submitting a form is not particularly hard for the scum out there.
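To make that concrete, here is a small model of the flow described above. It is an added example, not Id7r's code: the provider class issues a random token, writes an email in the shape quoted above (the base URL `https://id7r.example/auth` is an assumption), and only counts the login once the `auth=yes` link is hit; the bot side reads every message in a mailbox it controls and follows the accept link with a regular expression. The provider even enforces one-time use and a token expiry, and it makes no difference: there is no step in the exchange that a human has to perform.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PendingAuth:
    email: str
    token: str
    created: float
    decided: Optional[str] = None  # "yes", "no", or None while still pending


class EmailOpenIDProvider:
    """Hypothetical email-verification OpenID provider (a model, not Id7r's code)."""

    BASE = "https://id7r.example/auth"  # assumed endpoint, not a real URL
    TTL = 600  # seconds a token stays valid

    def __init__(self) -> None:
        self.pending: Dict[str, PendingAuth] = {}
        # Stand-in for the outbound mail system: (recipient, body) pairs.
        self.outbox: List[Tuple[str, str]] = []

    def request_auth(self, email: str) -> str:
        """Step 1: user types an address; provider mails a token link."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = PendingAuth(email, token, time.time())
        body = (
            "Do not reply to this message! It's sent from an unattended mailbox.\n\n"
            f"Hi, {email},\n\n"
            "Someone (possibly you) has requested authorization for an OpenID login.\n\n"
            f"If you accept, please click this URL {self.BASE}?token={token}&auth=yes "
            "to complete the process.\n\n"
            f"Otherwise, click this URL {self.BASE}?token={token}&auth=no to reject it.\n"
        )
        self.outbox.append((email, body))
        return token

    def decide(self, token: str, auth: str) -> bool:
        """Step 2: the link is followed. Token must be unknown to nobody,
        unused and unexpired; returns True only for an accepted login."""
        p = self.pending.get(token)
        if p is None or p.decided is not None or time.time() - p.created > self.TTL:
            return False
        p.decided = auth
        return auth == "yes"


# Matches the accept link in a message body and captures the token.
ACCEPT_LINK = re.compile(r"https?://\S+?\?token=([A-Za-z0-9_\-]+)&auth=yes")


def auto_accept(provider: EmailOpenIDProvider, mailbox: str) -> int:
    """Bot side: scan every message delivered to `mailbox` and click accept.
    Returns how many logins were completed without a human involved."""
    completed = 0
    for recipient, body in provider.outbox:
        if recipient != mailbox:
            continue
        m = ACCEPT_LINK.search(body)
        if m and provider.decide(m.group(1), "yes"):
            completed += 1
    return completed


def run_bot_farm(n: int) -> int:
    """Register n throwaway addresses (constructed sample data) and complete
    every verification automatically. Returns the number of logins obtained."""
    provider = EmailOpenIDProvider()
    addresses = [f"bot{i}@mailbox.example" for i in range(n)]
    for addr in addresses:
        provider.request_auth(addr)
    return sum(auto_accept(provider, addr) for addr in addresses)


if __name__ == "__main__":
    print(f"{run_bot_farm(25)} of 25 verifications completed by script")
```

The replay protection in `decide` is the kind of check a provider of this sort should have, but it only stops a second use of one token; it does nothing to distinguish a mailbox read by a script from one read by a person, which is the point of the post.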

## Am I Crazy?

So, I know that OpenID does not claim to be an end to spam in and of itself (thanks to singpolyma for the reminder), but this just seems completely wrong to me. There was a recent spat over the anonymous OpenID server, and the community consensus seems to be that we’re going to have to resort to server blacklists eventually (though the author of the anonymous server makes a decent case that blacklists are not going to do it either).

So am I crazy for seeing this as a huge problem? Unlike the anonymous server, this looks like something that normal users would find useful, which makes it harder on them if we simply blacklist it.

Got thoughts? Hit the comments and let me know.