Comment by ocdtrekkie
Comment by ocdtrekkie a day ago
Geoblocking is one of the most drastically effective ways someone can reduce their attack surface. I'd give up encrypting traffic entirely before I'd give up geoblocking.
Sure, and I think generally speaking this is also not a hard problem: A CA can advertise the networks it expects to be able to validate your control from, and you can also choose to selectively allow access for domain validation purposes to those networks. The modern firewall is quite discriminatory.
I just find it a constant frustration that geoblocking is often discussed as "bad" when... if you aren't running a global service, it is an incredibly powerful tool. Even among global services, the hesitation to intelligently use risk-based authentication strategies remains deeply frustrating... there's no reason an account which has never been accessed outside the United States should be permitted to suddenly log in from Nigeria. Credit card companies figured this stuff out decades ago.
You don't have to give up geoblocking, right? You only need enough "unblocked" surface to resolve domain ownership challenges.
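The policy discussed in this thread (keep the geoblock, open only enough surface for domain validation) can be sketched as a request filter. This is an added example, not code from any commenter; the CA validation range and the GeoIP table are constructed placeholders, and a CA publishing its validation networks is the assumption made in the thread.

```python
import ipaddress
import string

# Constructed sample data (documentation ranges, not real CA or GeoIP data).
CA_VALIDATION_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical CA-published range
GEO_TABLE = {  # stand-in for a GeoIP database lookup
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
}
ALLOWED_COUNTRIES = {"US"}
ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 challenge path (RFC 8555)
TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")  # base64url alphabet


def country_of(addr):
    """Return the country code for addr, or None when the origin is unknown."""
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def is_challenge_path(path):
    """True only for the challenge prefix followed by one base64url token."""
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    # Rejects empty tokens and anything with "/" or ".", e.g. "../admin".
    return bool(token) and all(c in TOKEN_CHARS for c in token)


def decide(src_ip, path):
    """Geoblock by default; admit CA validators to the challenge path only."""
    addr = ipaddress.ip_address(src_ip)
    if country_of(addr) in ALLOWED_COUNTRIES:
        return "allow"
    if is_challenge_path(path) and any(addr in n for n in CA_VALIDATION_NETS):
        return "allow-validation-only"
    return "deny"  # unknown or blocked origin


if __name__ == "__main__":
    for ip, p in [("192.0.2.10", "/login"),
                  ("198.51.100.7", ACME_PREFIX + "abc_DEF-123"),
                  ("198.51.100.7", "/login"),
                  ("203.0.113.5", ACME_PREFIX + "abc_DEF-123")]:
        print(ip, p, "->", decide(ip, p))
```

The exception is scoped by both source network and path, so a validator address outside the allowed countries still cannot reach anything except the challenge response.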