1. Captchas are worthless security theater.
If a given site is not a target, then of course they're not needed.
If a given site is a target, then they will be bypassed at will by
any modestly-talented, modestly-resourced attacker -- either
with automation, with humans, or with a combination of the two. [1]
In either case, they serve only to complicate site design/operation
and to make life more difficult for people who *already* are facing
difficulties.
2. If the goal (or one of the goals) here is to ensure that IETF
content is accessible to everyone and remains so in the face of
various attacks (and what *are* those, exactly?) then one simple
and robust approach is to set up static mirrors *and* to enable
rsync access so that anyone who wishes to can set up their own.
---rsk
[1] A few (of many) items discussing this, in no particular order:
Stanford researchers outsmart captcha codes
http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
CIntruder: pentesting tool to bypass captchas
http://cintruder.sourceforge.net/
How a trio of hackers brought Google's reCAPTCHA to its knees
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
Snapchat Account Registration CAPTCHA Defeated
http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated
Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
Troy Hunt: Breaking CAPTCHA with automated humans
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
Now Even Photo CAPTCHAs Have Been Cracked
http://it.slashdot.org/article.pl?sid=08/10/14/1442213
Cheap CAPTCHA Solving Changes the Security Game
https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/