Re: [Privacy-pass] Questions on client trust
Ben Schwartz <bemasc@google.com> Wed, 15 April 2020 03:53 UTC
Return-Path: <bemasc@google.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA443A0474 for <privacy-pass@ietfa.amsl.com>; Tue, 14 Apr 2020 20:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOotpGIld8Vj for <privacy-pass@ietfa.amsl.com>; Tue, 14 Apr 2020 20:53:21 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C11B43A046E for <privacy-pass@ietf.org>; Tue, 14 Apr 2020 20:53:20 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id k11so16728608wrp.5 for <privacy-pass@ietf.org>; Tue, 14 Apr 2020 20:53:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CFxdxVh0j2K5t86/lXJ6tbh7ZAk2kUMlNfuVvO8AKfI=; b=HAB2umfa7dDsFF4pR9Ql0+R8cxrBxaSBrJ8cLwWqRFuqFuXD8HLgrcY+d5WXAX/T8G /rbsjv1UhozkvvDgByjI67Kuk/Xct8f8MDWbvknYOmLfNLY2V3yI7rvFOZifzaS5oUtk WyUeqxMNvFXtNGk6MXh+vtgHrk1vLF7SDB3q/g/fGtNF4lslroWHUU9kZmyjw5Ge0N1X k/UGRAeamDa4zkp4U2Xi2J+GKC11xceYLRjcrAHGCGnU41Qr+8vStF8NymkNFocHERrw +9VEPEh/jM4EyLrpwgzdHAUIP6+F5S39lRB05r48acPwsPS+fJbLbbbt4j92SmuxFPuU rtmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CFxdxVh0j2K5t86/lXJ6tbh7ZAk2kUMlNfuVvO8AKfI=; b=FctxtL7Yfn0038WGs9X9XVoBu61pV0A6T6+utXmpmaleMk78wXz0QtHRN+Bzpy8b/p OcBxgIIyIjVjxyrz129X5vMOFZuuWk0uRomXtSMBrD7KxkNUdXvaGQzHZsQE+cWGMNTE FX0GFafp/5WOuVM3HMXojSii2IdoJgfFNjN3OB0jw37p94FYWoIMCCB3TATGak97b0MZ VrNFkTcMuqJbG0AGkbyQUgLSh2sGRbZJs2U5GVHRTqUVX8EHJFbmge2eZ1LXhWE1JT1V a9uxxlAYMyFmcgPIcanT1S8A5iT1XaJHPQKlEHNZO3rg69PP6Ns1wYru7zHraGgBKgGP 8/UQ==
X-Gm-Message-State: AGi0PuYVQb7UkDHtZ5xfQ2v46M6NEfRtztri4cUZWJXV4YLCXtPtRNX2 slMVIOAOHRuQ8dl+rsf62EPww+m8LctqHulnL4ad/hWS
X-Google-Smtp-Source: APiQypIQDzhEyGN99BPXx80Gm5V1a1ThtEIDWreffZ9B4uEAyOYwoZ4A7kiuKrcGTvrsO4ftT3syPR9IXunkDcGecd4=
X-Received: by 2002:a5d:610e:: with SMTP id v14mr17862352wrt.159.1586922798549; Tue, 14 Apr 2020 20:53:18 -0700 (PDT)
MIME-Version: 1.0
References: <9A77145D-1506-4DC4-ADE2-9C5BD4B2AC86@cloudflare.com> <CAHbrMsBfsJ1+ueTZBnsQxXiHQHkGLHG=j+5R8FgeJwt5nooQzw@mail.gmail.com> <439fd8f8-5942-4f4a-94fd-672d3de76f13@www.fastmail.com> <F31C1153-9C53-41AC-B461-145DA5F038D0@cloudflare.com>
In-Reply-To: <F31C1153-9C53-41AC-B461-145DA5F038D0@cloudflare.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 14 Apr 2020 23:53:06 -0400
Message-ID: <CAHbrMsDZTMF+2SwB3yp16muP3sQT-v=ieFCFafu_5u65T8tkuQ@mail.gmail.com>
To: Alex Davidson <adavidson=40cloudflare.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, privacy-pass@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000bb671d05a34c413a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/3j33uNphzR8UiaYHWqbPHgSRiqo>
Subject: Re: [Privacy-pass] Questions on client trust
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2020 03:53:23 -0000
I don't understand what "is human" is supposed to mean. Surely for this protocol it is always false! For clarity, I would not want this phrasing in the charter. I also don't understand how a transferable, anonymous, single-use token asserts anything about the holder, or has anything to do with trust. I think we should adjust the phrasing there too. I would prefer to have a charter that speaks of acquiring and spending unlinkable tokens. I think we should rule all content (blind signing) strictly out of scope. The complexity of supporting content is not worth it for N<4 bits; just encode the content in unary by the choice of issuer. If that proves too inefficient after this is all finished, we can consider a follow-on specification with content. On Tue, Apr 14, 2020 at 7:50 AM Alex Davidson <adavidson= 40cloudflare.com@dmarc.ietf.org> wrote: > > > On 14 Apr 2020, at 03:43, Martin Thomson <mt@lowentropy.net> wrote: > > > > On Tue, Apr 7, 2020, at 04:57, Ben Schwartz wrote: > >> On Thu, Apr 2, 2020 at 6:44 AM Alex Davidson > >> <adavidson=40cloudflare.com@dmarc.ietf.org> wrote: > >>> - To what extent should client's trust the issuers when redeeming > >>> tokens? > >>> - Under what conditions should they accept/redeem tokens? > >>> - What information does the client trust the issuer to encode in the > >>> tokens? > >>> - How does an ecosystem protect itself against issuer consolidation > >>> and/or centralization? > >> > >> Since we are chartering, not designing, I think it's premature to try > >> to solve these problems. At this stage, our goal should be to describe > >> (1) the problems and (2) the scope of our ambition to address them. > > > > I think that this cuts to the core of the question of feasibility. That > is, is this a research project or an engineering task? > > > > There are two paths that avoid having to deal with these questions: > > > > 1. pick a single manifestation of the system, like "is human", build to > that, and document this > > > > 2. make it very clear that the way in which the token conduit acts is > very much subject to some amount of trust in the token issuer, explain that > any carriage of token across what might otherwise be a privacy boundary > requires that this trust exist, and build the system with that in mind > > > > The original charter might have been a shade more biased toward the > latter approach, but the designs I saw included mechanisms that seemed to > derive from a viewpoint that had less inherent reliance on trust. The > designs implied (at least to me) an assumption that the conduit didn't need > to think or trust. That might be possible for the "is human" bit in > browsers, maybe, so that's not unreasonable. That made this hard to assess > because of those implicit assumptions. > > I would rather not scope as narrowly as “is human” as I think some of the > proposed applications being considered are somewhat broader than that > specific signal. I think the path that is raised in 2) is close to the > direction that I was personally imagining that we would take. My preference > would be to assume that the client has decided which > Issuers/Registries/Vendors that it can trust and then build the protocol > and architecture with this trust already established. There may be ways > that we can provide broad recommendations on how clients may want to make > this decision (e.g. based on the past behaviour of the Issuer in > interactions, key rotations etc.) but going beyond that seems beyond the > scope of the work, in my opinion. > > >> As often seems to be the case, I think we are not really talking about > >> "more" or "less" consolidation, but rather trading off consolidation > >> pressure in different elements of the ecosystem. The charter should > >> acknowledge that some degree of consolidation pressure may be > >> unavoidable, but we will do our best to minimize and mitigate it. > > > > This notion of how protocols act to shape market pressures is new for us > here, so it might be OK to call it out as special. We used to do that for > security until it was sufficiently internalized. However, we need to > remember that this is just another factor we should each consider as we go > through this process. I don't want to over-rotate on consolidation when we > also need to consider environmental impacts, the effect on underrepresented > minority groups, accessibility, privacy, or any of a number of other > important factors. > > > > The apparent need for trust of certain types in this system does tend to > produce certain consolidation pressures that we need to acknowledge, but > until we understand the precise role of trust, we can't know for sure. > What is worse, the details of the information being conveyed likely has > more of an effect on this than anything else, and it seems like there is a > desire to make the information conveyed flexible. > > > > Maybe the consolidation thing is manageable for something like an "is > human" assertion, but is completely intractable in the general case. And > maybe that is OK from a consolidation perspective because the protocol is > completely unusable at global scale for any other sort of assertion. And > maybe that is terrible because it means the creation of islands of haves > and have-nots for privacy pass. (And maybe I should stop extrapolating > from zero information.) > > > > I think these are all valid things to consider regarding the issue of > consolidation and its relationship with the trust dynamic between a client > and the rest of the ecosystem. I agree with Ben that aiming to minimise > this pressure in the design of the protocol architecture is something that > we can commit to in the charter. We can then better establish in future > documentation exactly how this mitigation would work, and how concerns of > the nature that Martin has surfaced interplay with each other. I also agree > that making a concrete assertion about the type of signals that the > protocol can provide (“is human” or otherwise) is going to be essential in > being able to answer these questions. > > Alex > > -- > Privacy-pass mailing list > Privacy-pass@ietf.org > https://www.ietf.org/mailman/listinfo/privacy-pass >
- [Privacy-pass] Questions on client trust Alex Davidson
- Re: [Privacy-pass] Questions on client trust Ben Schwartz
- Re: [Privacy-pass] Questions on client trust Chelsea Komlo
- Re: [Privacy-pass] Questions on client trust Martin Thomson
- Re: [Privacy-pass] Questions on client trust Alex Davidson
- Re: [Privacy-pass] Questions on client trust Alex Davidson
- Re: [Privacy-pass] Questions on client trust Ben Schwartz
- Re: [Privacy-pass] Questions on client trust Eric Rescorla
- Re: [Privacy-pass] Questions on client trust Eli-Shaoul Khedouri
- Re: [Privacy-pass] Questions on client trust Ben Schwartz
- Re: [Privacy-pass] Questions on client trust Chelsea Komlo
- Re: [Privacy-pass] Questions on client trust Chelsea Komlo