This repository has been archived by the owner on Dec 31, 2020. It is now read-only.

Server-server authentication #49

Closed
jonasschneider opened this issue Sep 9, 2012 · 2 comments

@jonasschneider

As of now there is no backchannel identity verification of a POST /followers. Somebody could make me follow every known Tent identity (probably multiple times with some URL twiddling) and DDoS my server.

This is because the Discover -> Create -> Notify path requires no auth at all but still allows me to create the Follower and the NotificationSubscription. A scheme like the one used in PubSubHubbub to verify the call could be used to address this.

@titanous
Member

titanous commented Sep 9, 2012

Yeah, this is a good point. We'll add verification to the follow flow.

@titanous
Member

This was implemented in tent/tentd@9771924, docs to come soon.
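
The PubSubHubbub-style check proposed in this issue, as an added Python example that is not part of the thread and is not tentd's implementation: the server receiving POST /followers sends a random challenge over a backchannel to the claimed follower entity and creates the Follower only if that entity echoes it. The class names, the `backchannel` callable standing in for an HTTP request, the status codes and the `.example` entities are assumptions constructed for illustration.

```python
import hmac
import secrets


class FollowerServer:
    """Entity that initiates follows and answers verification callbacks."""

    def __init__(self, entity):
        self.entity = entity
        self.pending = set()  # targets this server really asked to follow

    def start_follow(self, target):
        self.pending.add(target)

    def handle_verify(self, target, challenge):
        # Echo the challenge only for a follow this server initiated.
        return (200, challenge) if target in self.pending else (404, "")


class FollowedServer:
    """Entity that receives POST /followers (hypothetical handler)."""

    def __init__(self, entity, backchannel):
        self.entity = entity
        self.backchannel = backchannel  # stands in for an HTTP request
        self.followers = set()

    def handle_post_followers(self, claimed):
        challenge = secrets.token_urlsafe(32)  # unguessable, per request
        try:
            status, body = self.backchannel(claimed, self.entity, challenge)
        except Exception:
            return 502  # claimed entity unreachable: create nothing
        if status != 200 or not hmac.compare_digest(body.encode(), challenge.encode()):
            return 403  # claimed entity did not confirm the follow
        self.followers.add(claimed)  # only now create Follower / subscription
        return 201


def demo():
    # Constructed entities; the dict lookup replaces discovery + HTTP.
    alice, victim = FollowerServer("https://alice.example"), FollowerServer("https://victim.example")
    servers = {s.entity: s for s in (alice, victim)}
    target = FollowedServer("https://popular.example",
                            lambda c, t, ch: servers[c].handle_verify(t, ch))
    alice.start_follow(target.entity)
    legit = target.handle_post_followers(alice.entity)
    forged = target.handle_post_followers(victim.entity)  # victim never asked
    unknown = target.handle_post_followers("https://nobody.example")
    return legit, forged, unknown, sorted(target.followers)
```

The forged request naming the victim is rejected before any Follower or NotificationSubscription exists, so no notifications are ever directed at an entity that did not ask for them.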
