Re: [Privacy-pass] support for adoption of privacy pass documents
Michele Orrù <lists@tumbolandia.net> Wed, 16 September 2020 02:55 UTC
Return-Path: <michele@tumbolandia.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C813A0044 for <privacy-pass@ietfa.amsl.com>; Tue, 15 Sep 2020 19:55:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tumbolandia.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dGxvKMHIPYm for <privacy-pass@ietfa.amsl.com>; Tue, 15 Sep 2020 19:55:29 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D19183A0039 for <privacy-pass@ietf.org>; Tue, 15 Sep 2020 19:55:29 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id w16so6447693oia.2 for <privacy-pass@ietf.org>; Tue, 15 Sep 2020 19:55:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tumbolandia.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ndimGYdHkzhrDG0RXLVTe4XvqOYEa/ikQAPo3AZRkUo=; b=Dpw9lu5Hjx3F0T6v0XDK8t9mvKozpz+eu3Y8CRDsBZlqMBtEhIntrCOp5OlZnCR2P+ 5PJvm+NxqWVNGEkK7zkLQwx0hJ9Jlm6A8yc8OuJ27y8rHxIiHEMSKgbTUTxWqqAGVu5m DT14cca9oq0/k+GwVgd2UFXIDCkauVqSkRGcL2fbaaQsUKFyxxHM2bQHfM5lwojg1qAP lLQO6qu47qnHEEH/3yq0Ghh7ZJ0m78f1or7zLVhtnqHt0Z+1Uh+aqJoGg8B8BAq6oFzv uLK2TJ/qg3VycpfheWpCWXSK9Gkz96mhtu5ob5447PgYQiof593HuKp+W87EBvdPMeCN hBgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ndimGYdHkzhrDG0RXLVTe4XvqOYEa/ikQAPo3AZRkUo=; b=J4vHlPVUAD6BaKgcAzP0yf5Rf56zcZhLZ6cI2eO3dJnPWR5obI8ZCrRouPm+S3hwUU SsWBSQY8GuJpvY9HxBM1FFapCsw/0ukyWiyHWR9lhYTjkOWuHjDUDesa4tlDxtvqmh8Q QFhzrsVNbvT5QIa5aVqU0eHAqnmK/yCh+/nm8P2zoEz3AhF7UH7MF4mjgqZFt6bqZi3a cx7Vdbp1hwMKf1MYxkSxnz/r8L+SWMLLV2r9oWNJjFXSAP/rQrIU+Ft+YyM7RBKJg0YD zXb7a7cLJrjL7nuI3m3X4nY11GlW9Wg4nqmvqhdqq8ywEvEwDLU0JcKkyGh6z8NfrPZ7 4xNA==
X-Gm-Message-State: AOAM532ngap30aJsYVbSV6MvaoHQXO4UGTu/LTa/+r/BriuJ7EMiWF/M 73xpRaW76vLUpovdLR0MR0ph0CNUt6590bVyHtBN4BrlaeBBmr3z
X-Google-Smtp-Source: ABdhPJxi2rXv6zuJKeAI/BeE2cBfZMLFniUwWCaXeyxfNanjyoGrY98JYrAHShTCzLrrP+AEEU50Nqk+/dMiTo9BPKk=
X-Received: by 2002:aca:3542:: with SMTP id c63mr1704101oia.157.1600224928879; Tue, 15 Sep 2020 19:55:28 -0700 (PDT)
MIME-Version: 1.0
References: <MW3PR15MB38816BE725748B180599BC98B6200@MW3PR15MB3881.namprd15.prod.outlook.com>
In-Reply-To: <MW3PR15MB38816BE725748B180599BC98B6200@MW3PR15MB3881.namprd15.prod.outlook.com>
From: Michele Orrù <lists@tumbolandia.net>
Date: Wed, 16 Sep 2020 04:55:12 +0200
Message-ID: <CAOyO2_J=edg04y-27FiZDkc+BZ-i9PKKBpoebi4qpMhUoJtJFQ@mail.gmail.com>
To: Subodh Iyengar <subodh=40fb.com@dmarc.ietf.org>
Cc: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000726b7505af6566d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/12SUFAMyRSvimnSvKlba6GfGQqo>
Subject: Re: [Privacy-pass] support for adoption of privacy pass documents
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2020 02:55:32 -0000
Dear Subodh, thanks a lot for your email. I have a couple of questions regarding your high-level feedback: - When you say «Our deployment of blind signatures / privacy-pass is a split server model […W]e minimize data-sharing between the application server and the credential server by only sharing the final MAC validation key rather than all the message data. », I don't understand what's your setup (even after your blogpost): Are you issuing blind signatures (are they deterministic?) and then using them as a MAC key for authentication of a particular resource? Are you suggesting that in the Privacy Pass standard there is a «split server model» where an oracle provides the MAC key for the «application server» (the server running the verification algorithm)? I'd be very interested in knowing more in detail your solution, and I believe it would be of interest for the whole standardization process. - Could you please motivate your sentence «In most use cases we've been using blind signature / Privacy Pass-based tokens, strict un-linkability between redemption requests is not required.»? I'm not sure I understand what your scenario is. If I can track users across all servers except the one providing issuance, what's the point? It seems to me that it completely breaks anonymity in the Tor/Cloudflare use case for instance, or same-origin policy in the web. What's your use-case? - You seem to suggest that in the Privacy Pass standard, the verifiers keep a counter for each nonce, to allow for re-use of tokens. Have you already thought about what are the tradeoffs between using a counter-based solution like yours (with the associated problems in my previous question) or a multi-use token (e.g. Algebraic MACs) that are active only for a certain window of time? If you want to avoid sending zk proofs to the client, I'm not sure that challenging the server randomly is the way to go (to get a soundness error of 10% you'd have to ask for a proof 90% of the time?), and we have much better solutions already out there <https://slides.com/micheleorru/anonymous-tokens/#/26> ( https://link.springer.com/chapter/10.1007/978-3-030-56784-2_11). -- Michele.
- [Privacy-pass] support for adoption of privacy pa… Subodh Iyengar
- Re: [Privacy-pass] support for adoption of privac… Michele Orrù
- Re: [Privacy-pass] support for adoption of privac… Steven Valdez
- Re: [Privacy-pass] support for adoption of privac… Subodh Iyengar
- Re: [Privacy-pass] support for adoption of privac… Steven Valdez