Okay. So you know how OpenID is an actually viable identification system? And you know how PGP/GnuPG have a concept of signing other people’s keys to establish trust paths?
Well, I was just thinking about blog comments, and a) how now that I have them re-enabled, I’m getting spam, and b) I’d like to enable OpenID, and I got an idea (which, if you read the first paragraph, you’ve probably already figured out). Why not extend OpenID to also allow trust paths? Basically, if I trust Anne to be a real person and not a spammer, and he trusts Ian, I can be pretty sure that Ian’s not a spammer. And if Ian’s server is compromised and a spammer starts sending stuff as him, or if he’s paid off by the Evil Spam Operators to “trust” them, then I can either blacklist Anne, blacklist Ian, nofollow Anne (so I trust him but don’t trust his contacts), or even just wait for Anne to take care of it.
Obviously it could be fleshed out a bit more (max depth for trust paths?) and in implementations too (temporary blacklist: blacklist Anne for 24 hours and renew automatically if I got any comments through his trust path that looked like spam, else re-trust), but it looks like a start.
Thoughts?
Well, nice idea, but how would you solve the situation where a spammer runs its own OpenID server?
I think the development of OpenID must go towards trusted OpenID servers. With an OpenID server I can create millions of identities, and I can mark them as trusted. And when the OpenID server gets blocked (only manually) then I set up another one and I can spam like crazy.
That’s not a problem, unless one of your friends trusts a spammer. If no one you know trusts a spammer (and no one they know does, and so forth), then you have no trust path to the spammer, so you won’t get the spam.
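A minimal sketch of the trust-path check discussed in the post and the replies above, added here as an example; it is not code from the post's author or from any OpenID implementation. The graph, the identity URLs and the name `trust_path` are constructed assumptions, and how trust statements would be published or verified over OpenID is left out.

```python
from collections import deque

# Constructed identities: each maps to the set of identities it trusts.
ME = "https://me.example/"
ANNE = "https://anne.example/"
IAN = "https://ian.example/"
SPAM1 = "https://spam-idp.example/u1"
SPAM2 = "https://spam-idp.example/u2"

TRUST = {
    ME: {ANNE},
    ANNE: {IAN},
    # A spammer's own server: identities that only vouch for each other.
    SPAM1: {SPAM2},
    SPAM2: {SPAM1},
}


def trust_path(trust, me, commenter, max_depth=3,
               blacklist=frozenset(), nofollow=frozenset()):
    """Return the shortest trust path from me to commenter, or None.

    blacklist: identities that are never accepted and never traversed.
    nofollow:  identities that are accepted themselves, but whose
               contacts are not followed.
    max_depth: maximum number of trust hops away from me.
    """
    if commenter in blacklist:
        return None
    queue = deque([[me]])
    seen = {me}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == commenter:
            return path
        # Do not expand past the hop limit or through a nofollow identity.
        if len(path) - 1 >= max_depth or node in nofollow:
            continue
        for contact in trust.get(node, ()):
            if contact not in seen and contact not in blacklist:
                seen.add(contact)
                queue.append(path + [contact])
    return None


if __name__ == "__main__":
    print(trust_path(TRUST, ME, IAN))    # path through Anne
    print(trust_path(TRUST, ME, SPAM1))  # None: no edge into the spam cluster
```

The self-vouching identities are rejected because no edge leads into their cluster from anyone reachable from `ME`; the scheme only fails when someone already on a path adds such an edge, which is the case the blacklist and nofollow options are for.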