I have a dream! :) I wish I could have a standalone blog that is friendly to my visitors, helps me build a community of friends, and keeps spammers away. This is how I see it.
First of all, a few beliefs.
- I believe that my visitors are busy people and want to spend as few clicks, as little effort and as little time interacting with my blog as possible.
- I believe in the visitor's privacy. If someone does not want to share some personal information with me, that is a right that shall be respected. For example, if a visitor does not want to give her email address, I shall not require it.
- Last, I believe some of my visitors want to share personal information with me. They are respectful Internet citizens with a large footprint on the net. And if this is proven to me, I want to extend my trust to such visitors on my blog.
Now the workflow. The most common and delicate situation is when some new visitor (as yet unknown to me) reads my blog and wishes to leave a comment. How do I want to handle it? In these simple steps:
1. Collect the data from the user.
2. Authenticate the user.
3. Collect user information.
4. Decide on the user trust level.
5. Disposition the user comment.
Let's look at these steps in more detail.
STEP ONE. Collect the data from the user.
Here is the form at the bottom of the page that I will display to the visitor:
Have something to say? Write your comment here:
[                                            ]
[                                            ]
Sign with your name: [              ]
OR
Sign with your openid: [              ]  (how to get openid?)
Remain logged in on this blog: [x]
[SUBMIT]
First, let the visitor write the comment. This is what she wants, so I put it up front.
Second, I ask for a name. If the user enters just a name, fine. It is too little and too unreliable information (anyone can type any name), but I will not ask for more.
More interesting is when the visitor signs with an openid. In terms of the burden we put on the visitor, it is not that much. It is still just a single string of input and, perhaps, a couple of clicks on the identity server.
The last check box is obvious and secondary. Is it a public or a personal computer? It only affects the user's state after the interaction, that is, whether the blog remembers her login with a persistent cookie or forgets her when she closes the browser.
The last control here is a link to a description of what openid is and how to get one.
Intentionally, I do not want to discuss here improvements like Third Party Account Login. For now, let's assume the visitor is smart enough, and if she has got some sort of openid from a third party, she knows how to use it.
OK, the visitor inputs all the information she wants and clicks submit. We do not want to bother her with additional questions. So this concludes step 1, data collection, and starts
STEP TWO. Authenticate the user.
Obviously, if the visitor did not provide an openid, there is nothing to authenticate. If the user provides an openid, we do the usual dance with the identity provider: discover the provider from the identity URL, redirect the visitor there to log in, and when she comes back, verify the signed response (signature, return URL and nonce) before believing the asserted identity. Then we go to
STEP THREE. Collect the user information.
Again, if the visitor just left a name, we do not have much to investigate. But if the user signed with an openid, we have tons of possibilities. We cannot rely on any particular standard here, but if the visitor exposes any information at her identity URL, we shall retrieve it. Keep in mind that everything collected this way is self-asserted by the visitor or her provider; it tells us who she says she is, not that it is true.
First we shall request all 9 profile fields of the OpenID Simple Registration Extension (nickname, email, full name, date of birth, gender, postcode, country, language, timezone). We shall mark them all optional, but if the user wants to share them, why not?
Then we can inspect the identity URL for hCards or other markup.
If the identity is on a well-known host like livejournal.com or blogger.com, we can parse the profile page there.
Last, but not least, we can do a Google search and see what other people say about this person.
Where do we store all this data? In our local user profile, where else? If the user signs with an openid, we will create a user record for her. So the input of this step is the openid URL, and its output, which feeds step 4, is the user record populated with data.
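Here, as an added example and not code from this post, is what steps 2 and 3 look like on the wire, in Python: building the checkid_setup request that asks the provider for the nine SREG fields as optional, and checking the provider's positive assertion (mode, mandatory signed fields, op_endpoint, return_to, association, nonce freshness and replay, HMAC signature) before the claimed identity or any profile field is trusted. The endpoints, association handle, MAC key and sample response are constructed; a real relying party gets the endpoint and association from discovery and the association request, which are not shown here.

```python
# OpenID 2.0 request with SREG fields and verification of the OP's id_res reply.
# Added illustration, not the blog's code; URLs, handle, MAC key and the sample
# response are all constructed.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
NONCE_WINDOW = timedelta(minutes=5)

def build_checkid_setup(op_endpoint, claimed_id, assoc_handle, return_to, realm):
    """Step 2: the URL we redirect the visitor to; all SREG fields optional."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,  # no OP-local identifier in this example
        "openid.assoc_handle": assoc_handle,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.optional": ",".join(SREG_FIELDS),
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)

def sign(params, signed_fields, mac_key):
    """HMAC over the Key-Value Form of the signed fields, in openid.signed order."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_response(query, assoc, expected_return_to, expected_op, seen_nonces, now):
    """Steps 2 and 3: (claimed_id, signed SREG fields) or (None, reason)."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        return None, "not a positive assertion"
    signed = p.get("openid.signed", "").split(",")
    if any(f not in signed for f in MUST_SIGN) or any("openid." + f not in p for f in signed):
        return None, "mandatory field unsigned or missing"
    if "claimed_id" not in signed or "identity" not in signed:
        return None, "identifier not signed"
    if p["openid.op_endpoint"] != expected_op:
        return None, "op_endpoint does not match discovery"
    if p["openid.return_to"] != expected_return_to:
        return None, "return_to mismatch"
    if p["openid.assoc_handle"] != assoc["handle"] or assoc["expires"] <= now:
        return None, "unknown or expired association"
    nonce = p["openid.response_nonce"]  # UTC timestamp plus unique suffix
    try:
        stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None, "malformed nonce"
    if abs(now - stamp) > NONCE_WINDOW or nonce in seen_nonces:
        return None, "stale or replayed nonce"
    expected_sig = sign(p, signed, assoc["mac_key"]).encode()
    if not hmac.compare_digest(expected_sig, p.get("openid.sig", "").encode()):
        return None, "bad signature"
    seen_nonces.add(nonce)
    # Only SREG values the OP covered with its signature count as shared by the user
    sreg = {f: p["openid.sreg." + f] for f in SREG_FIELDS if "sreg." + f in signed}
    return p["openid.claimed_id"], sreg

# Constructed sample exchange: hypothetical endpoints, handle and MAC key
OP = "https://openid.example.net/server"
RETURN_TO = "https://blog.example.org/comment/return"
ASSOC = {"handle": "assoc-1", "mac_key": bytes(range(32)),
         "expires": datetime(2009, 1, 1, tzinfo=timezone.utc)}
NOW = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

def sample_response(tamper=False):
    """What the OP sends back after the visitor approved; constructed here."""
    f = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": OP,
         "openid.claimed_id": "https://alice.example.com/",
         "openid.identity": "https://alice.example.com/",
         "openid.return_to": RETURN_TO, "openid.assoc_handle": "assoc-1",
         "openid.response_nonce": "2008-06-01T12:00:30ZabcDEF",
         "openid.ns.sreg": SREG_NS, "openid.sreg.nickname": "alice",
         "openid.sreg.email": "alice@example.com"}  # present but left unsigned
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.sreg", "sreg.nickname"]
    f["openid.signed"] = ",".join(signed)
    f["openid.sig"] = sign(f, signed, ASSOC["mac_key"])
    if tamper:  # someone rewriting the identity after the OP signed it
        f["openid.claimed_id"] = "https://someone-else.example.com/"
    return urlencode(f)

if __name__ == "__main__":
    print(build_checkid_setup(OP, "https://alice.example.com/", "assoc-1", RETURN_TO,
                              "https://blog.example.org/"))
    print(verify_response(sample_response(), ASSOC, RETURN_TO, OP, set(), NOW))
```

Note that the email in the sample is sent back but not signed, so the verifier drops it: an unsigned SREG value could have been added by anyone between the provider and the blog, so it must not count as something the visitor shared, and it must not raise the trust level in step 4. The nonce set has to be persistent for the life of NONCE_WINDOW, otherwise the same response can be replayed after a restart.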
Now, when we are done with our research, it's time for
STEP FOUR. Decide on the user trust level.
How much information have we collected?
How long has she had this identity?
Does she keep her own blog?
Do people link to it often?
Does the user's message contain links?
Did I ever mention this user in my own blog?
Note that all but the last of these signals are under the visitor's control (she can fill in profile fields, start a blog and plant links), so they should move the number slowly; the last one is the only thing I know first-hand.
Obviously, if the visitor does not want to provide any sort of identity (just a name), or if she provides an openid URL that leads nowhere, the trust level is minimal.
On the other hand, if we can discover lots of information, we can extend more trust.
This is a delicate question and the decision depends on the owner of the blog. Low-profile personal blogs might have just a few visitors and trust most of them. High-traffic popular blogs might have tough rules and trust only select visitors.
The output of step 4 is a single number that shows how trustworthy the visitor is. And once we decide on that we can finally do
STEP FIVE. Disposition the user comment.
In step 1 we did our best to respect the visitor's privacy and time. We did not ask for much. And now we want to reward those who shared personal data and beware of anonymous strangers. Although the disposition depends on the owner's preference, the most common scenarios are the following:
If trust is minimal, we might decide to discard the message completely.
For moderate trust we will hold the comment for premoderation or take other measures to filter spam.
If we consider the visitor trustworthy, we will publish her comment right away.
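As an added example of steps 4 and 5 (not code from this post), here is one way to turn the signals above into the single trust number and then into a disposition, in Python. The Visitor record, the weights, the thresholds and the sample visitors are all assumptions; as the post says, the actual numbers are the blog owner's call.

```python
# Trust level (step 4) and disposition (step 5) for one comment.
# Added illustration, not the blog's code; weights and thresholds are assumptions.
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Visitor:
    """What steps 1 to 3 leave in the local user record (assumed layout)."""
    name: str
    openid: Optional[str] = None           # None: signed with a name only
    openid_resolves: bool = True           # False: the identity URL leads nowhere
    profile_fields: int = 0                # SREG/hCard fields actually retrieved
    identity_since: Optional[date] = None  # earliest date the identity is known from
    has_blog: bool = False
    inbound_links: int = 0                 # other sites linking to the identity
    mentioned_by_owner: bool = False       # did the owner ever mention this person

LINK_RE = re.compile(r"https?://", re.IGNORECASE)

def trust_score(v, comment, today):
    """Answer the six questions of step 4 with one number; 0 is minimal trust."""
    if v.openid is None or not v.openid_resolves:
        return 0                                   # nothing verifiable at all
    score = min(v.profile_fields, 9)               # how much did we collect?
    if v.identity_since is not None:
        years = (today - v.identity_since).days / 365.0
        score += min(int(2 * years), 6)            # how long has she had it?
    if v.has_blog:
        score += 3                                 # keeps her own blog?
    score += min(v.inbound_links // 10, 5)         # do people link to it?
    if v.mentioned_by_owner:
        score += 10                                # the one signal I control myself
    score -= 2 * len(LINK_RE.findall(comment))     # every link in the message costs
    return max(score, 0)

def disposition(score, moderate_at=1, trusted_at=10):
    """Step 5. Thresholds are the owner's preference; these are placeholders."""
    if score < moderate_at:
        return "discard"
    if score < trusted_at:
        return "premoderate"
    return "publish"

def handle_comment(v, comment, today=None):
    today = today or date.today()
    score = trust_score(v, comment, today)
    return score, disposition(score)

# Constructed sample visitors and a fixed "today" so the numbers are reproducible
ANON = Visitor(name="Bob")
DEAD_URL = Visitor(name="X", openid="https://nowhere.example/", openid_resolves=False,
                   profile_fields=9)
NEWCOMER = Visitor(name="Carol", openid="https://carol.example.org/", profile_fields=2)
REGULAR = Visitor(name="Alice", openid="https://alice.example.com/", profile_fields=4,
                  identity_since=date(2006, 6, 1), has_blog=True, inbound_links=42)
TODAY = date(2008, 6, 1)
LINKY = "see http://a.example http://b.example http://c.example"

if __name__ == "__main__":
    for v in (ANON, DEAD_URL, NEWCOMER, REGULAR):
        print(v.name, handle_comment(v, "Nice post!", TODAY))
    print("Alice with three links", handle_comment(REGULAR, LINKY, TODAY))
```

The dead identity URL gets the same treatment as no identity at all, even though nine profile fields were claimed: a URL that leads nowhere means nothing was authenticated in step 2, so nothing collected in step 3 is worth anything. The link penalty is what turns an otherwise trusted regular's link-heavy comment into a premoderated one.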