Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

>A previous objection to the feasibility of this filter was:
>"High-speed updates are the hardest part of a database system, and
>this is a worst case scenario because the info for a message needs to
>be available as soon as the message has been sent."

Right.

>This can be addressed by holding all incoming challenges and
>preventing them from reaching the user's inbox for 10 minutes (or
>whatever length of time). The challenge is passed to the user's inbox
>once it is clear that the database is up-to-date.

Even assuming this synchronization is practical (in a large system
with many MTAs, it probably isn't) this makes no sense whatsoever.
If the MTA can tell what incoming mail is a challenge, and it knows
what's in the database (it must, if it knows when all of the updates
have been posted), why is it delivering the challenge to the user at
all rather than just answering it?

But the more important question is why bother to create the expensive
giant database and the complex synchronization and the special purpose
challenges when remotely verifiable message signatures a la DK solve
the problem much better, with no database and no challenges.

R's,
John
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg