- From: Watson Ladd <watsonbladd@gmail.com>
- Date: Thu, 22 May 2025 13:37:39 -0400
- To: Demi Marie Obenour <demiobenour@gmail.com>
- Cc: ietf-http-wg@w3.org
On Thu, May 22, 2025 at 1:15 PM Demi Marie Obenour
<demiobenour@gmail.com> wrote:
>
> On 5/22/25 08:59, Ben Schwartz wrote:
> > In general, the IETF has been skeptical of "proof of work" designs that deliberately waste CPU time. As an alternative, you may want to review Privacy Pass (RFC 9576-9578), which allows an HTTP Origin to require clients to expend a different kind of resource ("tokens") that may be limited, without learning the clients' identities.
>
> Does that just move the problem to the token issuer?
And from the shameless plug department, that is why privacypass exists!
Token issuers can have much better ways to issue limited use tokens:
they may be aware of hardware support on the client to limit identify
proliferation, or existing relationships that make bypassing
expensive. This capabilities cannot usually be expressed over the
Internet without significant privacy impacts (but read
https://www.usenix.org/conference/soups2022/presentation/whalen for an
alternative, and the accompanying SAC 21 paper to see how the crypto
is done (in a way that's rapidly deployable: production at Internet
scale with browser support would make different tradeoffs)).
Sincerely,
Watson Ladd
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)
--
Astra mortemque praestare gradatim
Received on Thursday, 22 May 2025 17:37:55 UTC