Re: [Privacy-pass] Privacy Pass extensions
Nick Doty <ndoty@cdt.org> Mon, 28 August 2023 15:32 UTC
Return-Path: <ndoty@cdt.org>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F219CC15109C for <privacy-pass@ietfa.amsl.com>; Mon, 28 Aug 2023 08:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4erI-2CUeCH for <privacy-pass@ietfa.amsl.com>; Mon, 28 Aug 2023 08:32:02 -0700 (PDT)
Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95DF5C15107D for <privacy-pass@ietf.org>; Mon, 28 Aug 2023 08:31:44 -0700 (PDT)
Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-58dce1f42d6so59693867b3.0 for <privacy-pass@ietf.org>; Mon, 28 Aug 2023 08:31:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; t=1693236704; x=1693841504; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=f7dOc1a2G77Rh2Jxn/R6rInOcH5Fwcoc9qAi3Kyqpxo=; b=nB2aQnYhTJNcZrAq93B6rby/JWnWqrLvLFTcZqeXSHmitwpZLGC1yg89+vWW7qTnIn gsQA7Ful1IDVMnaOWbkAwU3W9BEgBQSV6Fi15dSiInTKFdHU0jHFLTsC9cXFWcGENL/x R0Jsd/bt7JJquuWsaxkIE/YkCvUsi9wP4Vxe8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693236704; x=1693841504; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=f7dOc1a2G77Rh2Jxn/R6rInOcH5Fwcoc9qAi3Kyqpxo=; b=UzmvWFLtPH/bgxWqyIj39rl5QYd7AsjpARQCoeToYYai5BF2+A4EhY+S3XPTcpQhE2 2FZINWyoBsDWF9w7IoOnjyEkgTbOTSdwMva8x1mNQqCNNKyr3iw9QDyeMuHEBaAbcdFd KDhKiUz1j6LxTfQWAzose4y4c9uy05wZDqWtB1iM0hlv7ANVPGhGJCTKf/4pCnyVQRak OzcLw1kjURZMuffYYy0JRT7fI+f/39+LMEWBlJsKlUzdd+ViTX6LgFvqCVRWV8IET0ej QGF0kXJo0sQF2AMMOxUXL7Ae7ysxCI/E/xLJyki4A5FbHjprQqj4qz273ddPBVfnjLtQ 8/Ww==
X-Gm-Message-State: AOJu0YzPKWPBt5yZpm7Nn80QqTrKTL2ma521ZOGMitZRQz3JYQ9S3vbG twEgBhEZ8Nlul5CrTNC6uQ/MIZeDACH0oqYPxikFvMD3GuSJR6PuNOM=
X-Google-Smtp-Source: AGHT+IFNBuiKNcZ+KaC1BgLUf1kdeZI3t0O1z+wfQPrgnc9pe9rZ11iiSH5oRPT0uN4UwDbbHVzp/3Do0qxducop2rU=
X-Received: by 2002:a0d:d78f:0:b0:586:a68b:4c97 with SMTP id z137-20020a0dd78f000000b00586a68b4c97mr28034423ywd.13.1693236703726; Mon, 28 Aug 2023 08:31:43 -0700 (PDT)
MIME-Version: 1.0
References: <8c43e5a6-eb22-4a9f-8816-2f858cb26d67@app.fastmail.com>
In-Reply-To: <8c43e5a6-eb22-4a9f-8816-2f858cb26d67@app.fastmail.com>
From: Nick Doty <ndoty@cdt.org>
Date: Mon, 28 Aug 2023 11:31:32 -0400
Message-ID: <CA+tYtvFjzhkamEEhcXMzR_KojmJ_j0RDFEGvHpF3tkx1exAnjw@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: privacy-pass@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/4CRuBJ4pvzEjsZK9WpSokv5iqu8>
Subject: Re: [Privacy-pass] Privacy Pass extensions
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2023 15:32:06 -0000
Thanks for considering this question directly and fleshing out some privacy considerations for an example of additional metadata for a privacypass extension. Apologies in advance that I haven't understood all the text or design decisions. I don't think I follow how the expiration metadata is to be selected in this case. Perhaps that's just application-specific, but it makes it harder to evaluate the privacy implications. Presumably the origin has some policy that it communicates to the client and the client uses that to select the expiration time that it requests tokens for: is that right? (Otherwise, the client would just request tokens that expire in the distant future.) But how the origin communicates this policy to the client would appear to affect how distinguishing the information is. An origin might communicate different policies to different clients, or might choose a narrow policy that makes it harder to choose consistent timestamps shared by many other clients. The possible mitigations described (though none would be required, everything would be application and implementation-specific) are focused on promoting consistency between clients. So I won't show up as uniquely identifying if there are other clients that also selected the same expiration timestamp. But the expiration timestamp won't be the only distinguishing piece of information about me, it will be combined with other details about my behavior and client configuration. Even if there was an enforcement that at least k other clients used the same expiration timestamp that I did (one possible mitigation forseen by this draft, although not required), those other k clients likely won't be the ones accessing the service from Durham, North Carolina or using my User-Agent. These considerations will vary by application, of course. In the Web context, I would anticipate that this would be adopted primarily for browser fingerprinting: in addition to whatever other entropy gathered about the client, the origin can add how many minutes past the hour (or which hour of the day, or...) is the expiration timestamp, etc. It would also make it less safe to cache tokens across clearing of local state (clearing cookies). While linkability between attester and origin contexts is always a risk if parties are trying to collude, the extra metadata of expiration time would seem to make it much easier to accomplish; even if tokens are cached for a long time, the origin can help narrow it down extensively by adding the extra detail about expiration time (as well as IP address, etc.). One mitigation might be ensuring that every client that accesses an origin at time T to have the same expiration timestamp T+X, so that the metadata provides no additional information to the origin. This would seem to require standardizing how the expiration policy is communicated and to provide consistency checks to ensure that that policy is consistently provided to all clients. That would be easier to evaluate, and would lend itself to normative requirements in the extension spec to ensure that that condition was met. Cheers, Nick On Mon, Aug 7, 2023 at 5:16 PM Christopher Wood <caw@heapingbits.net> wrote: > > Hi folks, > > During last week's meeting we spent some time discussing extensions to Privacy Pass [1]. One of the concerns raised -- rightfully so! -- was the need to clearly articulate the privacy implications of using any sort of metadata, as well as mitigations to deal with any possible privacy regressions. > > As most here probably know, the architecture document does attempt to provide some general considerations for token types that include metadata [2]. Certainly, the exact implications depend on the extension in use -- an extension which encodes the IP address of the client is a lot different than one which encodes a single bit key epoch. I think it's clear that any work on extensions need to have a well understood privacy story that's clearly documented before publication. > > In the interest of making forward progress, we updated the expiration extension draft to provide (what we feel are) reasonably clear guidance. You can view the diff at [3], and the full version at [4]. > > At this point, we'd like to understand if this split in guidance strikes the right balance for the group's work on extensions. In particular, does this text -- when combined with what's currently in the architecture document -- provide adequate guidance for implementers and other relevant deployment stakeholders? If not, what is missing, and where is it missing? > > Thanks, > Chris, for the editors > > [1] https://datatracker.ietf.org/doc/slides-117-privacypass-proposed-extensions-to-privacy-pass/ > [2] https://ietf-wg-privacypass.github.io/base-drafts/draft-ietf-privacypass-architecture.html#name-partitioning-by-issuance-me > [3] https://author-tools.ietf.org/iddiff?url1=draft-hendrickson-privacypass-expiration-extension-00&url2=draft-hendrickson-privacypass-expiration-extension-01&difftype=--html > [4] https://datatracker.ietf.org/doc/html/draft-hendrickson-privacypass-expiration-extension-01 > > -- > Privacy-pass mailing list > Privacy-pass@ietf.org > https://www.ietf.org/mailman/listinfo/privacy-pass
- [Privacy-pass] Privacy Pass extensions Christopher Wood
- Re: [Privacy-pass] Privacy Pass extensions Nick Doty