Re: Authentication (was RE: CAPTCHA alternatives/pitfalls) from Gregory J. Rosmaita on 2010-03-19 (wai-xtech@w3.org from March 2010)

From: Gregory J. Rosmaita <oedipus@hicom.net>
Date: Fri, 19 Mar 2010 17:42:35 +0000
To: wai-xtech@w3.org, xn--mlform-iua@xn--mlform-iua.no, jfoliot@stanford.edu
Message-Id: <20100319174036.M33411@hicom.net>
aloha!

a bit of background to the discussion that spawned JohnF's recent 
cross-post to wai-xtech and public-html-a11y on CAPTCHA alternatives 
and authentification strategies...

this discussion grew out of a bug filed against HTML5 concerning a code 
sample of a CAPTCHA challange; the first thread "keep CAPTCHA out of 
HTML5" begins at:

http://lists.w3.org/Archives/Public/public-html-a11y/2010Mar/thread.html#msg361

out of this discussion (the entirety of which is linked to from the 
PFWG's CAPCTHA Update wiki page:

http://www.w3.org/WAI/PF/wiki/CAPTCHA_v2)

there is a secondary thread which led JohnF to suggest that the 
conversation be moved to wai-xtech@w3.org

"CAPTHA alternatives/pitfalls" 
http://lists.w3.org/Archives/Public/public-html-a11y/2010Mar/thread.html#msg417

thanks john for not only continuing this important discussion, but for 
moving it to a more appropriate forum...   gregory. 
---------------------------------------------------------------- 
CONSERVATIVE, n.  A statesman who is enamored of existing evils, 
as distinguished from the Liberal, who wishes to replace them 
with others.         -- Ambrose Bierce, _The Devil's Dictionary_ 
---------------------------------------------------------------- 
            Gregory J. Rosmaita, oedipus@hicom.net 
 Camera Obscura: http://www.hicom.net/~oedipus/index.html 
----------------------------------------------------------------

---------- Original Message ----------- 
From: "John Foliot" <jfoliot@stanford.edu> 
To: "'Gregory J. Rosmaita'" <oedipus@hicom.net>, "'Leif Halvard Silli'" 
<xn--mlform-iua@xn--mlform-iua.no>, "'W3C WAI-XTECH'" <wai-xtech@w3.org> 
Cc: <public-html-a11y@w3.org> 
Sent: Thu, 18 Mar 2010 23:40:56 -0700 (PDT) 
Subject: Authentication (was RE: CAPTCHA alternatives/pitfalls)

> [JF - after this initial response/post to the current CAPTCHA 
> discussion, this might stray off in a wholly separate direction - 
>  for now. I will ask that we remove it from the public-html- 
> a11y/w3c list, should anyone care to respond. Moving to wai- 
> xtech/w3c for wider discussion] 
> 
> Gregory J. Rosmaita wrote: 
> > 
> > i think that JohnF hit the nail on the head when he pointed out the 
> > advantages of universal password solutions such as those that allow 
> > you to verify yourself by logging into a service such as twitter or 
> > facebook or by using OpenID type solutions, if not OpenID itself... 
> 
> I think that there are numerous opportunities for this type of 
> 'human-ness' verification which might warrant more 
> investigation.  Currently at Stanford I am learning of the 
> Shibboleth System[1], which links a number of Universities 
> together, including Stanford. Using their local authentication 
> at *their* university, we can grant fellow colleagues access as 
> a favored guest at Stanford - and we can control what favored means. 
> 
> As well, Stanford is moving towards a university account-for- 
> life scheme, which will allow alumni to retain their SUNet 
> credentials for life; I will presume that this is currently not 
> un-common, or could be further encouraged at other universities 
> and similar institutions. 
> 
> It is a potentially very large data-set of authenticated ID's 
> issued by trusted entities such as higher education affiliations 
> - presumably other large federated verticals could use this 
> method as well (financial/banking sector for sure, likely other 
> blue-chip and middle-level federations as well - National 
> Cattlemen’s Beef Association[2] anyone?) 
> 
> The question becomes, could something like this be used at such 
> a basic but huge-scale deployment for the type of 
> 'authentication' that CAPTCHA currently provides? What kind of 
> overhead would it entail (for example)? I currently have an 
> OpenID (linked directly to john.foliot.ca) and I have a twitter 
> handle, MSN Passport, AOL double duty sign-in name, yada yada 
> yada... there are already a ton of free services out there (that 
> all required CAPTCHA to get started - sigh); however for 
> disabled communities other trusted entities could also serve to 
> assure humanness and verify as much through such a distributed 
> (but more controlled) system - I am thinking for example of 
> medical care-givers, churches, banks/post offices, NGO's etc. - 
>  entities that the disabled users are already likely affiliated to. 
> 
> So, thoughts? 
> 
> JF 
> 
> [1 http://shibboleth.internet2.edu/about.html] 
> [2 http://www.beefusa.org/] 
------- End of Original Message -------
Received on Friday, 19 March 2010 17:43:08 UTC