On Mon, 15 Jun 2020 21:28:08 -0400 Sean Conner <sean at conman.org> wrote:

> Authentication is done via
> certificates.

But unless confirmation is required for _every_ request with a certificate (is it? I'll have to re-read the spec) then the problem persists, since the request is done by the victim.

> About the only valid issue is the SPAM issue you
> brought up, but I think it *is* possible to detect since the server
> will have the IP address of the sender---repeated requests could be
> blocked by blocking the IP address.

It's not detectable without nonces, because the spammer doesn't have to do any request, only the victims (with presumably different IPs).

> Another issue with the nonce (other than how to send it back) is
> that a malicious bot can just make a request that returns the nonce
> and use it, like a Gemini client with a human driver will do.

Yes, but like in the web we can act on that first request and check for client cert (which the attacker won't have) and IP (which will always be the attacker's one).
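The scheme the reply sketches, written out as an added example (this is not code from the thread or from any Gemini server): the server only hands out a nonce on the first, certificate-authenticated request, remembers which certificate fingerprint and IP it was issued to, and accepts it exactly once on the state-changing request from that same certificate and IP. The Gemini status codes 20, 59 and 60 are from the Gemini specification; the store, function names, TTL, and the fingerprints and addresses used in the simulation are constructed for this illustration.

```python
"""Single-use nonces bound to the requesting client certificate and IP.

Added example, not code from the mailing-list thread. Status codes 20, 59
and 60 are Gemini's; every other name and value here is an assumption.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

NONCE_TTL_SECONDS = 300          # assumption: a nonce is valid for five minutes


@dataclass
class IssuedNonce:
    cert_fingerprint: Optional[str]   # None if the issuing request carried no client cert
    client_ip: str
    expires_at: float


@dataclass
class NonceStore:
    ttl: float = NONCE_TTL_SECONDS
    _issued: Dict[str, IssuedNonce] = field(default_factory=dict)

    def issue(self, cert_fingerprint, client_ip, now=None):
        """Mint a fresh unpredictable nonce and remember who it was issued to."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self._issued[nonce] = IssuedNonce(cert_fingerprint, client_ip, now + self.ttl)
        return nonce

    def redeem(self, nonce, cert_fingerprint, client_ip, now=None):
        """Accept the nonce once, and only from the cert and IP it was issued to."""
        now = time.time() if now is None else now
        record = self._issued.pop(nonce, None)   # pop: consumed on first use, valid or not
        if record is None or now > record.expires_at:
            return False
        if record.cert_fingerprint is None or record.cert_fingerprint != cert_fingerprint:
            return False                          # issued to no cert, or to a different one
        return record.client_ip == client_ip


def handle_form_page(store, cert_fingerprint, client_ip):
    """The 'first request': only certificate-authenticated clients get a nonce."""
    if cert_fingerprint is None:
        return "60", None           # Gemini: CLIENT CERTIFICATE REQUIRED
    return "20", store.issue(cert_fingerprint, client_ip)


def handle_submit(store, nonce, cert_fingerprint, client_ip):
    """The state-changing request: the cert alone is not enough, the nonce must match."""
    if cert_fingerprint is None:
        return "60"
    if nonce is None or not store.redeem(nonce, cert_fingerprint, client_ip):
        return "59"                 # Gemini: BAD REQUEST
    return "20"


def simulate():
    """Run the cases discussed in the thread against the store; constructed values."""
    store = NonceStore()
    victim_cert, victim_ip = "sha256:victim-cert-fp", "203.0.113.10"
    other_cert, other_ip = "sha256:other-cert-fp", "198.51.100.7"
    results = {}

    # 1. Human-driven client: fetch the page, then submit with the nonce it received.
    status, nonce = handle_form_page(store, victim_cert, victim_ip)
    results["legit"] = status == "20" and handle_submit(store, nonce, victim_cert, victim_ip) == "20"

    # 2. The same nonce presented again is refused: it was consumed in step 1.
    results["replay"] = handle_submit(store, nonce, victim_cert, victim_ip) == "59"

    # 3. Request triggered on the victim's client: its cert is attached, but no nonce is.
    results["cert_only"] = handle_submit(store, None, victim_cert, victim_ip) == "59"

    # 4. A client without a cert asks for the page: it gets no nonce at all.
    status, issued = handle_form_page(store, None, other_ip)
    results["no_cert_no_nonce"] = status == "60" and issued is None

    # 5. A nonce issued to a different cert and IP is useless on the victim's connection.
    _, foreign_nonce = handle_form_page(store, other_cert, other_ip)
    results["foreign_nonce"] = handle_submit(store, foreign_nonce, victim_cert, victim_ip) == "59"

    # 6. An expired nonce is refused even from the right cert and IP.
    old = store.issue(victim_cert, victim_ip, now=0.0)
    results["expired"] = not store.redeem(old, victim_cert, victim_ip, now=NONCE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case:18s} {'ok' if ok else 'FAIL'}")
```

The binding to the certificate fingerprint is what answers the "bot fetches the nonce itself" objection in the quoted text: a nonce minted for one identity cannot be spent by another, and the IP check is a second, weaker binding on top. Popping the record before any other check is deliberate, so that a nonce that fails validation can never be retried.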
---
Previous in thread (8 of 11): 🗣️ Francesco Gazzetta (fgaz (a) fgaz.me)
Next in thread (10 of 11): 🗣️ Jason McBrayer (jmcbray (a) carcosa.net)