Henning Jungkurth wrote:
On 6/27/05, Brion Vibber <brion(a)pobox.com>
wrote:
...
quite an interesting problem. And I don't think there is "The
Solution" that you are all hoping for.
It sounds a little bit like the problem of distributing keys in any
encryption technology, but actually it is way worse than that.
Any key, user-agent-string, or other authentication method would have
to be written down somewhere in the source code of the application
that is using the API. And since one of the primary aims of the API
is going to be open source applications, everything "hidden" in the
source code is publicly accessible. So whatever the method is for an
application to say "Hi, it's really me!", it can be copied, thus
another application can fake it.
It would work with closed source applications, but offering the API
only to closed source application isn't really an option.
So, there isn't any way to identify the individual applications. But
there is a way to identify the individuals who are using the
application which is using the API. Why do you want to block the
application? Just limit the use of the API to 1000 accesses an hour by
IP address (replace with different numbers as you see more fit). That
blocks any application that is misbehaving.
Ok, it would also block any other application that runs on the same
machine (or over the same proxy), but I think that is acceptable, if
it's to keep the whole thing running.
There could also be an option to still have user-agent-strings, and
limit the access by application (a low number) and have an overall
limit (a reasonably larger number). That would keep one application
from stopping all other access, but also protect against any
misbehaving application that changes user-agent-strings.
hmmm...that sounds too easy...what did I miss? :-)
regards
Henning Jungkurth
what about adding user logins into the mix?
Use IP-based or user-agent-based limits for anonymous access and
user-based limits for those who use a login. The login should be the
same as their Wikipedia web login. That way a logged-in user wouldn't be
restricted by IP limits.
in other words:

    def check_request(logged_in, key, user_quota, ip_quota):
        # logged-in users draw on their account quota, anonymous
        # clients on the ip/agent quota (key = account name or ip/agent)
        quota = user_quota if logged_in else ip_quota
        if quota.get(key, 0) <= 0:   # check before decrementing, so it never goes negative
            return "deny request"
        quota[key] -= 1
        return "ok"
Sincerely,
Jason Edgecombe - a lurker who spoke up :)
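Putting Henning's two-tier idea (a low per-application limit plus a larger overall per-IP limit) together with Jason's login-aware quotas, here is an added example of such a limiter. This is illustrative code written for this thread, not MediaWiki's own API throttling; the class name, the limit values and the fixed hourly window are assumptions.

```python
import time
from collections import defaultdict

WINDOW_SECONDS = 3600   # fixed hourly window (assumed), as in the "per hour" suggestion
AGENT_LIMIT = 100       # low limit per (IP, User-Agent): cuts off one misbehaving app early
IP_LIMIT = 1000         # larger overall limit per IP: catches an app that rotates its UA
USER_LIMIT = 5000       # per logged-in account; logged-in users bypass the IP buckets


class ApiRateLimiter:
    """Two-tier quota for anonymous clients, account quota for logged-in ones."""

    def __init__(self):
        # bucket key -> [window_start, hits_in_window]
        self._buckets = defaultdict(lambda: [0.0, 0])

    def _bucket(self, key, now):
        state = self._buckets[key]
        if now - state[0] >= WINDOW_SECONDS:   # a new window starts: reset the counter
            state[0], state[1] = now, 0
        return state

    def allow(self, ip, user_agent, user=None, now=None):
        """Return True if the request may proceed, False if it must be denied."""
        now = time.time() if now is None else now
        if user is not None:
            # Accountable by account, so a shared IP or proxy does not penalise them.
            keys = [(("user", user), USER_LIMIT)]
        else:
            # Both the narrow per-agent bucket and the wide per-IP bucket need room.
            keys = [(("agent", ip, user_agent), AGENT_LIMIT), (("ip", ip), IP_LIMIT)]
        states = [(self._bucket(key, now), limit) for key, limit in keys]
        if any(state[1] >= limit for state, limit in states):
            return False   # a denied request does not consume the other bucket
        for state, _ in states:
            state[1] += 1
        return True
```

Passing `now` explicitly makes the window behaviour testable without waiting an hour; in production the default wall clock is used.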