Niels Möller via Sigsum-general sigsum-general@lists.sigsum.org writes:
Simon Josefsson via Sigsum-general sigsum-general@lists.sigsum.org writes:
So how about a rate-limiting mechanism where the Sigsum log (when it decides it wants to perform rate-limiting) returns a URL to the client which the human operating the client has to visit in a browser and perform some kind of CAPTCHA, OpenID login, OAuth exchange against GitLab/GitHub/Mastodon/whatever,
Some variant of OpenID login could perhaps make sense, with quota per id (maybe somehow using dns/publicsuffixlist-based rate limit for the openid provider, to prevent an abuser from creating millions of openid providers and millions of accounts at each provider). Do you know how that relates to how sigstore handles user identities? I've never looked into the details.
To approve Sigstore operations you get redirected to oauth2.sigstore.dev which currently offers Login via GitHub, Google and Microsoft. You can reproduce their workflow using my recipe posted here:
https://lists.debian.org/debian-go/2024/12/msg00020.html
If you follow the first URL, you get here:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigst...
GitHub doesn't seem to implement any kind of replay protection, so I'm able to complete a GitHub authentication using that stale link and get an HTTP redirect to localhost with (presumably) a fresh token.
Another nice thing with this approach is that you can automate it from within a GitHub Action runner, so that if Sigsum would trust GitHub's OAuth flow for rate-limit bypass, you could make this work automatically from within a GitHub Action. Presumably the same will be true for GitLab runners, whenever Sigstore gets around to supporting those via oauth2.sigstore.dev (maybe this already happened).
Of course, there are many less nice things with this approach (see my rant in the e-mail above). But supporting this for rate-limiting bypass seems like a relatively low-risk trade-off. Knowing the GitHub.com username of spammers of the Sigsum log is probably sufficient to be able to block them or open a conversation with github.com or directly with that individual.
/Simon
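The quota scheme sketched in the thread (a per-identity quota once the submitter has authenticated via an OpenID/OAuth provider, plus a coarser quota per provider keyed on the public-suffix-list registrable domain of the issuer, so that minting many accounts or many issuer hostnames under one domain does not escape the limit) can be modelled as two layers of token buckets. The following is an added example written for this thread, not Sigsum code and not part of the original messages; the tiny public suffix list, the bucket sizes and refill rates, and the `SubmissionQuota.admit` interface are all assumptions chosen for illustration.

```python
"""Two-layer submission quota for an OpenID-authenticated rate-limit bypass.

Added example, not Sigsum's implementation. Assumptions:
- PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
- Bucket sizes/refill rates are illustrative, not recommended values.
"""
from __future__ import annotations

from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed, tiny subset of the Public Suffix List (https://publicsuffix.org/).
# A deployment would load the full list; this is enough to exercise the logic.
PUBLIC_SUFFIXES = {"com", "org", "dev", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of ``host`` (e.g. accounts.google.com -> google.com).

    The longest public suffix matching the tail of the host wins; the label
    immediately before it is the registrable domain. A bare public suffix is
    rejected because it identifies no single operator.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix (e.g. an internal name): fall back to the last two labels.
    return ".".join(labels[-2:])


class TokenBucket:
    """Classic token bucket; time is passed in so the logic is deterministic."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.tokens = float(capacity)
        self.last: Optional[float] = None

    def has(self, now: float, cost: float = 1.0) -> bool:
        """Refill up to ``now`` and report whether ``cost`` tokens are available."""
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = now
        return self.tokens >= cost

    def take(self, cost: float = 1.0) -> None:
        self.tokens -= cost


class SubmissionQuota:
    """Charge each admitted submission against both an identity and a provider bucket.

    identity key : (issuer URL, subject) as returned by the OpenID provider
    provider key : registrable domain of the issuer hostname
    """

    def __init__(
        self,
        per_identity: Tuple[float, float] = (3, 1 / 60),   # 3 burst, +1 per minute
        per_provider: Tuple[float, float] = (5, 1 / 30),   # 5 burst, +1 per 30 s
    ) -> None:
        self.per_identity = per_identity
        self.per_provider = per_provider
        self.identities: Dict[Tuple[str, str], TokenBucket] = {}
        self.providers: Dict[str, TokenBucket] = {}

    def admit(self, issuer: str, subject: str, now: float) -> Tuple[bool, str]:
        """Return (admitted, reason). Tokens are only deducted when both layers allow."""
        host = urlparse(issuer).hostname or issuer
        provider = registrable_domain(host)
        ident = self.identities.setdefault((issuer, subject), TokenBucket(*self.per_identity))
        prov = self.providers.setdefault(provider, TokenBucket(*self.per_provider))
        if not prov.has(now):
            return False, f"provider quota exhausted for {provider}"
        if not ident.has(now):
            return False, f"identity quota exhausted for {subject}@{host}"
        prov.take()
        ident.take()
        return True, "ok"


if __name__ == "__main__":
    q = SubmissionQuota()
    issuer = "https://accounts.example.com"   # constructed issuer URL
    for t, user in [(0, "alice")] * 4 + [(0, "bob")] * 2 + [(0, "carol")] + [(60, "alice")]:
        print(t, user, q.admit(issuer, user, now=t))
```

In the `__main__` walk-through alice gets three submissions and is then stopped by her own bucket, bob's two submissions exhaust the provider bucket so carol is refused even though she has never submitted, and after sixty seconds both layers have refilled enough for alice to be admitted once more. Checking `has` on both buckets before calling `take` on either is what keeps a rejected request from silently burning the caller's identity tokens.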