IETF Logo Mail Archive

Re: [Privacy-pass] Issuer directory representation (#369)

Colin Bendell <colin@bendell.ca> Fri, 16 June 2023 18:13 UTC

Return-Path: <colin@bendell.ca>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C6C0C151084 for <privacy-pass@ietfa.amsl.com>; Fri, 16 Jun 2023 11:13:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bendell.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2rzLX-JH9Dd3 for <privacy-pass@ietfa.amsl.com>; Fri, 16 Jun 2023 11:13:40 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AA7BC14CE39 for <privacy-pass@ietf.org>; Fri, 16 Jun 2023 11:13:40 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2b3424edd5fso14366641fa.0 for <privacy-pass@ietf.org>; Fri, 16 Jun 2023 11:13:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bendell.ca; s=google; t=1686939218; x=1689531218; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0UgFq7mwCwK3I4hRjpR2tg0xJJc79iqEEzaa409ErNo=; b=dJVjl5IzJ78hNnTwwXdvOQSugwLRgHmJ5M2P+nEFdpP882PslGkI6qMPUuemz5sn+w iV0n5gcavPqrBEkmURsX//f45vTTla81m2lyCx+QKmv3fvN6OfbpeI9VRgSQ/GMcppdw EiKbjrTLszLHs1caJWmx/3qWmXRyBd7ue7CCQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686939218; x=1689531218; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0UgFq7mwCwK3I4hRjpR2tg0xJJc79iqEEzaa409ErNo=; b=Dn1bGtScFK22NgrcgyKiBYZQml3wyNkcnOfekfW96VA+0bzhbGNj7WsmYaVy/YtSo/ juF73akgk2SEQRUxM/8dUlZlWFYa/Qft785iQynY9U7fjsX/44yK+Gqz4j+LwTPyI7Uc FVEuYVUIrNRO/K1t00tmYZnriYXs3CaYO+FZHSlfn0H/g5abTdMW7bevBhX5QEIDsXIW JiQz31jYyGBwD4pLc9e6EzHkAM1mvVvYUQZhG8b38LM9iw+v7TwnkjdE/s1jp1aa1W2i fuFECuqUOA4TeAQEy0Avzn3QLpz5+KElKFWTKm7uIWXhISXpJUbaZnZfxIo3JDC8LUyK MgLg==
X-Gm-Message-State: AC+VfDx7ZdwfTNfCaIROys6e4c1+GHk3lyRESmd43iUKPqW8QRCadznf SJXUtzdAN9QYphLQQ10nO+yqJ7b2uHo6NSmrLgSQuSerfbpsYy+38Wc=
X-Google-Smtp-Source: ACHHUZ7h04tgKqJomH5u3dpY9FSSnqLZvXgDFLMOUkHj3kk20r4BdKb8uyK/RVUC1pZDlUYckfChwmovVG8+r48d8c4=
X-Received: by 2002:a2e:2d02:0:b0:2b0:5f62:8b8 with SMTP id t2-20020a2e2d02000000b002b05f6208b8mr2426586ljt.42.1686939218255; Fri, 16 Jun 2023 11:13:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAL12FVFcKDvqQ359EUVpirKEto7ZQzX6V+xeeB3wixQcVY6f3w@mail.gmail.com> <1C7185E0-3B61-4C66-9992-76A2DF1A0CA1@heapingbits.net>
In-Reply-To: <1C7185E0-3B61-4C66-9992-76A2DF1A0CA1@heapingbits.net>
From: Colin Bendell <colin@bendell.ca>
Date: Fri, 16 Jun 2023 14:13:26 -0400
Message-ID: <CAL12FVHsV5Mx5-6WupjXL9J62-vJ21Qp2Cm7GokDbZCBgGq3Gw@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Tommy Pauly <tpauly@apple.com>, Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org>, privacy-pass@ietf.org
Content-Type: multipart/alternative; boundary="000000000000dcb93d05fe432474"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/BSlwewlGCvZeK6X4qdMskmn8B0s>
Subject: Re: [Privacy-pass] Issuer directory representation (#369)
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2023 18:13:44 -0000

On Fri, 16 Jun 2023 at 13:07, Christopher Wood <caw@heapingbits.net> wrote:

>
> On Jun 16, 2023, at 12:58 PM, Colin Bendell <colin@bendell.ca> wrote:
>
> 
>
> On Thu, 15 Jun 2023 at 19:28, Christopher Wood <caw@heapingbits.net>
> wrote:
>
>> To hopefully close the loop in this, I put together this PR that
>> conceptually lifts the concept of key commitments from PSTs into the
>> current Privacy Pass issuer directory:
>>
>
> I initiated this thread after contrasting the similar key-sets exposed
> forPrivacyPass and Private-State-Tokens. As an outsider here, I'd like to
> see PrivacyPass expand the set of tokens so that PST can remove the
> definition from the W3C spec and depend exclusively on the PrivacyPass
> definition. To this end, the issuer directory should also include:
> * expiry
> * batch-size
> * key-id / version
>
>
> I think expiry information can be inferred from the resource’s cache
> control directives,
>

I think you missed my comments below.

As I said, the http cache-control only describes the document's lifecycle.
Two main issues:

1. The directory might have a TTL, but that doesn't reflect the specific
age of each entry. What TTL should you set for a directory of 100 keys with
a rolling 60 day offset for expiration? I think what you are assuming is
that the CC should be 60 day and then the expired entry just disappears
magically leaving 99? The challenge of course is that this doesn't give any
signal to the consumer which key is nearing expiration relative to the
other keys.

2. The TTL from Cache-Control does not cleanly map to an
expiration date/time since you need to depend on other transient details.
(This is a classic problem of the interdependence of the Age, Date and
Cache-Control headers). For an infrastructure operator, certificates are
expected to have a fixed date/time for expiration and when the cert will be
removed from rotation. This provides assurances of a token that is issued
and when to expect that the token should expire. Just depending on the cert
to be 'removed' from the directory is a surprising behavior for certificate
change management processes.

Further, as I mentioned below, in the PST case, the specific expiration of
a key is used in the selection process in the client-issuer communication.
In PST, the UA uses 6 keys with the longest expiry date. Only tokens issued
from this 6 can be added, while previous tokens are permitted. (I'm not
sure how strong this argument is, since I'm not sure how much of a priority
it is to converge the W3C / IETF variations. As an outsider, it would be
nice if these spec's did align. Allowing for these directory attributes
would pave a way to simplify the W3C spec. IMHO of course)

and version is implied from the list of keys in the directory. That leaves
> key ID and batch size. The former is computed directly from the public key,
> so we don’t need to redundantly include it. The latter could be included as
> an optional parameter for issuance protocols that want to communicate this
> hint to the client. That parameter could even be included in the batch
> token issuance spec (
> https://datatracker.ietf.org/doc/draft-robert-privacypass-batched-tokens/
> ).
>

Ah! Why not merge the support for batch-tokens into the type=1 definition?
I had assumed this was the intention since VOPRF BlindEvaluate function
(draft 21) already allows for individual or arrays of elements. The only
gap then is the TokenRequest & TokenResponse structs (and possibly
adding ristretto255-SHA512 ) This is probably a different conversation
though. The cross-over is the necessity to specify the batch-size in the
issuer-directory.


>
> So altogether I think we’re covered?
>
> Best,
> Chris
>
>
> Expiration is important for PST because it is used by the UA to select
> from a set of possible keys. HTTP Cache-Control does not serve the same
> function as a certificate expiration. The cache-control header reflects the
> ttl of the directory, but the expiration for each public key. If we were to
> use HTTP cache policies, all public keys would be treated as if they had
> the same expiration.
>
> Batch-Size is interesting for VOPRF workflows where the issuance request
> includes multiple nonces. In this case the compute work for the issue
> request needs to be known apriori. Can the issuer handle 1 or 10 or 100
> token batches?
>
> key-id or version is not needed for the protocol, but as a dev ergonomics
> it is nice to have a common implementation. Is it called 'version' or 'id'
> or 'key-id'?
>
>
>> I think we can pursue alternative representations separately.
>>
>
> Sounds good.
>
> /colin
>
>>

v2.23.0 | Report a Bug | By Email