- From: Chris Wood <chriswood@cloudflare.com>
- Date: Tue, 15 Feb 2022 11:59:28 -0800
- To: Dimitris Theodorakis <dth@humansecurity.com>
- Cc: public-antifraud@w3.org
- Message-ID: <CAHOm9weH=8FFs2_0DKiS_u_4u2XwjV96D2YysPChnwfd8oaPrA@mail.gmail.com>

Thanks for breaking out the use cases into a separate document! I think listing different attack scenarios is valuable. However, I'm not sure the current framing, which seems to suggest that only certain attack scenarios would be in scope, is the best path forward. Some of these attacks seem to stem from a common (set of) problem(s), e.g., ease of automation. It might be useful to try and tease out the core properties that enable each attack, and then determine if addressing those properties is in scope.

For example, we might say that preventing attacks which can be easily automated at the application layer -- including credential stuffing, payment transactions, content scraping, etc -- are in scope. (I am certainly not an expert here, but I don't think attacking account creation would be included in this list.) We might also say that attacks that can be automated at the network layer -- including volumetric DoS attacks -- are in scope. But the solutions to these problems could very well be quite different.

What do folks think?

Best,
Chris

On Tue, Feb 15, 2022 at 11:01 AM Dimitris Theodorakis <dth@humansecurity.com> wrote:

> As a follow up from our last meeting we've moved the use cases proposal to this
> doc
> <https://docs.google.com/document/d/1GXX3QkQQCT0h75K5LdML8ap4qZTMSD6tDPWz16dUDno/edit#>
> to encourage collaboration. Everyone should have comment/suggest access.
>
> Thanks,
> Dimitris

Received on Tuesday, 15 February 2022 20:01:13 UTC