
Rate-limit trilemma

The rate-limit trilemma is Cloudflare's framing for a fundamental tension in how the Internet governs access: a web-access-governance system can be any two of decentralized, anonymous, and accountable — but not all three simultaneously without active design work.

The three corners

  1. Decentralized + anonymous → no accountability. The default of the Web. No central authority controls participation; clients need no durable identity to access services. When a client is blocked, it can spawn a fresh identity with no reputation consequence. The cost: origins must over-invest in mitigation because every interaction starts from zero trust.
  2. Decentralized + accountable → sacrificed anonymity. The OAuth "Log in with X" model: any site can verify a client, but the client's identity is exposed to both the site and a third-party identity provider. Works for products where users already accept account-based interaction; fails as the default of the Web.
  3. Anonymous + accountable → requires governance. Neither existing corner of the open Web achieves this for the same actor. The closest precedent is the Web PKI: server accountability through CA policies and Certificate Transparency — and when that governance fails, there are consequences. No equivalent exists on the client side today.

Why decentralization is non-negotiable on the open Web

The post's guardrail: "do the methods allow anyone, from anywhere in the world, to build their own device, their own browser, use any operating system, and get access to the Web? If that property cannot hold, we should stop."

Consequence: the corner we must reach is anonymous + accountable + decentralized (dropping the "pick two" premise by adding governance). Decentralization is mandatory; the design question is how to add accountability without sacrificing either anonymity or decentralization. This is what Privacy Pass (systems/privacy-pass) and its successors ARC / ACT try to build via anonymous credentials with open issuer ecosystems.

How today's signals map to the trilemma

Current bot-management signals — TLS fingerprints, IP addresses, robots.txt, User-Agent strings — sit in the "decentralized + anonymous, trying to approximate accountability" space. They work as long as the derived fingerprints remain stable enough to serve as de-facto identifiers. As clients diversify (AI assistants, zero-trust proxies, screen readers, automation), the fingerprints drift and accountability erodes. The trilemma says this is not a detail of deployment — it's a structural limit of the category.

The key insight

The two-out-of-three framing is not a theorem — it's a description of which corners naive schemes occupy and why the third corner (anonymous + accountable at scale) requires deliberate cryptographic primitives (anonymous credentials) plus deliberate governance (open issuer ecosystem, no single gatekeeper).

The escape from the trilemma is not to "balance" two properties — it is to make accountability a property of issued credentials rather than identified actors. A client can present a proof of "I have good standing with issuer X" without issuer X, the origin, or a third party being able to correlate presentations across sites or sessions.
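As an added illustration (not Cloudflare's code nor the Privacy Pass implementation), a toy RSA blind-signature token in the spirit of Privacy Pass's publicly verifiable tokens: the issuer signs a value it cannot read, any origin verifies the unblinded token with the issuer's public key alone and refuses replays, and the issuer's view cannot be matched to the origin's. The key, primes, nonces and function names are constructed for this example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA issuer key (tiny primes for illustration only; real deployments use >= 2048-bit keys)
P, Q = 1000003, 1000033
N = P * Q
E = 65537                                   # public exponent, known to every origin
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, held only by the issuer
SPENT = set()                               # origin-side record of redeemed nonces (one token, one use)

def hash_to_int(nonce: bytes) -> int:
    # Full-domain-hash stand-in: map the client's fresh nonce to an integer mod N
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def client_blind(nonce: bytes):
    # Client: pick a random blinding factor r coprime to N and send m * r^e mod N
    m = hash_to_int(nonce)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    # Issuer: signs the blinded value; it never learns m or the final token
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    # Client: divide out r to obtain an ordinary RSA signature on m
    return (blind_sig * pow(r, -1, N)) % N

def origin_verify(nonce: bytes, sig: int) -> bool:
    # Origin: checks the signature with the public key only, then refuses replays
    if pow(sig, E, N) != hash_to_int(nonce):
        return False
    if nonce in SPENT:
        return False
    SPENT.add(nonce)
    return True

def issue_and_redeem(nonce: bytes) -> dict:
    # One full round: what the issuer saw and what the origin saw are unlinkable values
    blinded, r = client_blind(nonce)
    sig = client_unblind(issuer_sign(blinded), r)
    return {"issuer_saw": blinded, "origin_saw": (nonce, sig), "accepted": origin_verify(nonce, sig)}
```

The accountability here is per token rather than per identified client: the origin can bound how many valid tokens one presenter spends, while neither it nor the issuer can tie a redemption back to the issuance session.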
