Thanks for helping Andrew.

> I also would want a better explanation of what the "(blockage for a 
> period of time)" is going to solve.  As the other Andrew rightly 
> pointed out, the IP address is likely spoofable, allowing for DoS type 
> attacks.

I'm no longer intending to do this.  The other Andrew enlightened me how a
spoofed IP could be used to block the original user.

> Do requests happen on separate socket connections?

Yes.  Is this bad?

>  Is that why you are 
> interested in doing authentication on each request?  If not, would it 
> not be easier to just authenticate the connection and then allow any 
> requests from that client?

My understanding is that, although difficult, TCP connections can be hijacked. 
Man-in-the-middle would not be able to attack if "authenticating" each
transmission was required.

> In any case, it seems to me that the very next kind of security that 
> you might want to implement would be to add some privacy to the request 
> and the result, which would probably best be implemented with something 
> very SSL/TLS like.  Might it not be better to just implement SSL/TLS 
> first and be done with it?

Yes, I am not intending to reinvent this.  The users will have to secure this
themselves with an outboard SSL/TLS as you mention.

> This would also have the advantage of being an extensively 
> peer-reviewed protocol, so there'd be far less chance of some 
> "obvious-to-someone-who-hasn't-looked-at-it-yet" kind of mistake.

Agreed.

 - Chris