[Nym3-devel] Account creation and proof of work.

Nick Mathewson nickm at freehaven.net
Mon Apr 11 04:19:07 CEST 2005


On Sun, Apr 10, 2005 at 07:07:24PM +0200, Laurent Fousse wrote:
[...]
> My current feeling is that the PW (proof of work) field for the CREATE
> command (section 4.3.1) is useless. We already check that the whole
> account creation message is not bogus by using the signature in the
> header. So when the server gets this message it is already "proven"
> that the identity key works. My suggestion is that we drop the PW
> field here.

The idea of the proof-of-work field is not to 'prove that the identity
key works' --- it's to require an amount of computational or human
effort to set up a new account, to prevent an attacker from creating
millions of accounts and flooding the system.

You can do this by requiring an amount of computation, but that isn't
such a good idea---see this paper for one set of opinions.
    http://www.cl.cam.ac.uk/users/rnc1/proofwork.pdf

Another option is to require an amount of human work, like how you
need to type in the letters from an image in order to create a Hotmail
account.  For more info here, google RPOW and CAPTCHA.  This approach
has problems too.

For a nymserver, for now, I'd just recommend that we change the field
to have a length field and a body, with values for the length field
other than 0 currently unspecified.  How does that sound?

yrs,
-- 
Nick Mathewson