Re: HTTP HashCash from Ben Schwartz on 2025-05-22 (ietf-http-wg@w3.org from April to June 2025)

From: Ben Schwartz <bemasc@meta.com>
Date: Thu, 22 May 2025 12:59:08 +0000
To: Melvin Carvalho <melvincarvalho@gmail.com>, "John, Gavin N. (Gavin)" <gjohn@caltech.edu>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <SA1PR15MB4370F9E6F15912556A854512B399A@SA1PR15MB4370.namprd15.prod.outlook.com>

In general, the IETF has been skeptical of "proof of work" designs that deliberately waste CPU time.  As an alternative, you may want to review Privacy Pass (RFC 9576-9578), which allows an HTTP Origin to require clients to expend a different kind of resource ("tokens") that may be limited, without learning the clients' identities.

--Ben Schwartz
________________________________
From: Melvin Carvalho <melvincarvalho@gmail.com>
Sent: Thursday, May 22, 2025 7:44 AM
To: John, Gavin N. (Gavin) <gjohn@caltech.edu>
Cc: ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: Re: HTTP HashCash

čt 22. 5. 2025 v 9: 15 odesílatel John, Gavin N. (Gavin) <gjohn@ caltech. edu> napsal: Hi! I've noticed the rise in popularity of Anubis. It's an effective tool for the job (requiring additional work to access expensive endpoints),

čt 22. 5. 2025 v 9:15 odesílatel John, Gavin N. (Gavin) <gjohn@caltech.edu<mailto:gjohn@caltech.edu>> napsal:

Hi!

I've noticed the rise in popularity of Anubis<https://github.com/TecharoHQ/anubis>. It's an effective tool for the job (requiring additional work to access expensive endpoints), but I don't want to use it on my public-facing stuff because it makes it unreadable to most tools due to the use of JavaScript (I recognize that many people see this as an advantage of Anubis, however for me this is a negative I'd like to avoid). I was wondering about maybe standardizing HashCash for HTTP to make this sort of computational tax more universally supported. Thoughts?

I designed something like this for nostr.

What you need is a message, a nonce and a hash.

Then you count the number of leading 0s in the hash to determine the proof of work.  It gained some traction, as a fun niche, but I'm unsure it really proved useful.

Many hash algos can be gamed with GPUs or ASICs, but it might be a fun tool to add to the HTTP headers, namely:

- message
- nonce
- hash algo
- digest

Another approach, could be to reuse the ni:/// scheme in RFC 6920 and a query parameters for nonce

Best
Melvin

Gavin John

Caltech, Class of 2028

Received on Thursday, 22 May 2025 12:59:27 UTC