CAPTCHA is today used against ballot stuffing or casual trolling/spam.
In the proposed pairing protocol, CAPTCHA (or perhaps other solutions)
defeats someone who wants to disturb you by displaying a bogus pairing
message on your phone. He/she won't obtain anything (footnote1).
This is similar to knocking at the door of someone and running away.
The attacker doesn't obtain anything (and may be identified if authentication
can be required). He can do it if he wishes, but this is stupid. In our case
this attack is even more stupid because the attacker also has to solve a
difficult problem before disturbing someone.
===
Footnote1: You can push on the YES button by mistake and have your phone paired
with a spammer. This could happen. (You can always avoid this problem by
activating the reachable mode more carefully if you wish; it's your call.
There are possibly many different usage models and user types.)
However, note that this is a privacy solution. It helps privacy basically.
Remote pairing, the proposed solution, also helps you change your phone
number (for whatever reason) and stay reachable. Your friend will have to
re-initiate pairing and solve again a CAPTCHA in this case before he/she can
call you.
pars
PS: Sorry for continuing the discussion here; I'm posting here because
the CAPTCHA discussion started here. (I prefer moving to the list personally,
if you subscribe one day :-)
the number of subscribers is not enough for the moment)
https://www1.ietf.org/mailman/listinfo/humanresolvers
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf