Pete Rowley wrote:

I don't think it is, other than the resources expended processing the request message - which is akin to a DSA on a web site by requesting lots of pages. The important point to note is that the DMD0 protocol is stateless and that for the most part the participants have no need to keep any kind of state during a transaction, or indeed to care if the transaction is completed, simply dealing with responses as they arrive is sufficient. So there is no point at which any thread will be blocked waiting for a response - that would be a broken implementation anyway.

Let's say I am trying to log into amazon.com as gmail.com/robyates. I go to amazon and type in my homesite gmail.com. I am bounced to gmail, I authenticate and then I am bounced back to amazon. Amazon must now validate that I am in fact gmail.com/robyates. To do this it must make two requests, one to retrieve my persona document to check that the homesite can make this assertion and then again to verify the message signature, and it must do all this before letting me in as gmail.com/amazon. Isn't amazon's thread (the thread servicing my login attempt) blocked on those two requests? And if an attacker controls the homesite then can't he block those threads for quite a while?

Rob

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
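
Added example, not part of the original thread or of any DIX implementation: one way a relying party can bound the homesite fetches discussed above, so that a slow or hostile homesite cannot hold a login worker. The request line, deadline, size cap and the local test homesite are assumptions constructed for illustration.

```python
import asyncio

PERSONA = b'{"persona": "constructed sample"}'  # constructed response body

async def fetch_bounded(host, port, deadline=0.5, max_bytes=65536):
    """Fetch one homesite response under a total deadline and a size cap.
    Returns (status, body); status is 'ok', 'timeout' or 'too_large'."""
    async def read_all():
        reader, writer = await asyncio.open_connection(host, port)
        try:
            writer.write(b"GET persona\n")  # placeholder request, not DIX wire format
            await writer.drain()
            buf = bytearray()
            while chunk := await reader.read(4096):
                buf += chunk
                if len(buf) > max_bytes:
                    return "too_large", b""
            return "ok", bytes(buf)
        finally:
            writer.close()
    try:
        # One deadline covers connect, write and every read: a per-read
        # timeout would be reset by each dripped byte and never fire.
        return await asyncio.wait_for(read_all(), deadline)
    except asyncio.TimeoutError:
        return "timeout", b""

def make_homesite(delay):
    """Constructed local homesite: sends PERSONA one byte every `delay` seconds."""
    async def handler(reader, writer):
        try:
            await reader.readline()
            for b in PERSONA:
                writer.write(bytes([b]))
                await writer.drain()
                await asyncio.sleep(delay)
        except ConnectionError:
            pass  # relying party gave up and closed the socket
        finally:
            writer.close()
    return handler

async def demo():
    results = {}
    cases = {"honest": (0.0, 65536), "slow_drip": (0.2, 65536), "oversized": (0.0, 8)}
    for name, (delay, cap) in cases.items():
        srv = await asyncio.start_server(make_homesite(delay), "127.0.0.1", 0)
        port = srv.sockets[0].getsockname()[1]
        results[name] = await fetch_bounded("127.0.0.1", port, max_bytes=cap)
        srv.close()
    return results

def run_demo():
    return asyncio.run(demo())
```

Because the fetch is a coroutine, the login request waits on it without occupying an OS thread, and the deadline bounds how long any single homesite can keep that request pending.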