Cloudflare's spec is here.
A video demo of this extension working is here.
Where we're at:
- Implement RSA blinding/unblinding/signing etc.
- Get a test server responding with proper meta tags.
- Client/extension detects meta tag.
- Client submits tokens for signing.
- Server signs and responds.
- Client receives tokens.
- Client redeems tokens.
- Server verifies tokens.
- Transport encryption/jwt.
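The blind/sign/unblind/redeem/verify round trip listed above, as an added example that is not this extension's code: RSA blind signatures over BigInt with a constructed toy key (p = 61, q = 53), so the numbers are readable. The full-domain hash of the token and constant-time arithmetic from the todo list are deliberately not modelled here.

```javascript
// Toy RSA key, constructed for illustration only: n = 3233 (real keys are 2048+ bits).
const P = 61n, Q = 53n, N = P * Q, E = 17n;
const PHI = (P - 1n) * (Q - 1n);

// Square-and-multiply modular exponentiation (not constant time).
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Modular inverse via extended Euclid; throws when gcd(a, m) != 1.
function modInverse(a, m) {
  let [oldR, r, oldS, s] = [a % m, m, 1n, 0n];
  while (r !== 0n) {
    const qt = oldR / r;
    [oldR, r] = [r, oldR - qt * r];
    [oldS, s] = [s, oldS - qt * s];
  }
  if (oldR !== 1n) throw new Error('not invertible');
  return ((oldS % m) + m) % m;
}
const D = modInverse(E, PHI); // private exponent, 2753 for this toy key

// Client: hide token m behind blinding factor r (must be coprime to N): m * r^e mod n.
function blind(m, r) {
  modInverse(r, N); // rejects an r that shares a factor with N
  return (m * modPow(r, E, N)) % N;
}
// Server: signs the blinded value without ever seeing m.
function sign(blinded) { return modPow(blinded, D, N); }
// Client: divide out r to obtain a plain RSA signature m^d mod n on the token.
function unblind(blindedSig, r) { return (blindedSig * modInverse(r, N)) % N; }
// Server: a valid token satisfies s^e == m mod n.
function verify(m, s) { return modPow(s, E, N) === m % N; }
// Server: redemption also rejects a token that was already spent.
const spent = new Set();
function redeem(m, s) {
  if (!verify(m, s) || spent.has(m.toString())) return false;
  spent.add(m.toString());
  return true;
}

// Demo: token 42 blinded with r = 7 (r would be random in a real client).
const token = 42n, r = 7n;
const sig = unblind(sign(blind(token, r)), r);
console.log(sig === modPow(token, D, N), verify(token, sig)); // true true
```
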
Also todo:
- Handle multiple signing keys better
- Use a full domain hash for blinding the message
- Make signature verification constant time
- Compare formats for sending tokens: stringified numbers? bytes?
- Fill unsigned token pool asynchronously
- Move blind, keys, tokens to a node package
- Refresh page on redemption
- Enforce number of signatures allowed per captcha on server