Re: [Privacy-pass] The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in state "Candidate for WG Adoption"

Thibault Meunier <ot-ietf@thibault.uk> Mon, 08 January 2024 15:34 UTC

Return-Path: <ot-ietf@thibault.uk>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0642FC15109E; Mon, 8 Jan 2024 07:34:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thibault.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S0kQunhI8yz7; Mon, 8 Jan 2024 07:33:55 -0800 (PST)
Received: from mail-40136.proton.ch (mail-40136.proton.ch [185.70.40.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C1AFC151539; Mon, 8 Jan 2024 07:33:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thibault.uk; s=protonmail; t=1704728032; x=1704987232; bh=bjTNCE4s+4NUaWSdC3hXEZCYuLfwMjI9jjG12xv37x0=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=arrpRahqh96mea2ehZ7CgsXZnrHGBDCBVJR8np+WEKrbJSEx++0HMWw2FfiYiOpXA LYV6rRDGhA2Eg5ipdf8BbMl4nXEkaMsA8pqbOkF5BrS6DUdn+QTkl52dDc6Cu8DJfV X1g5/K9CbR5EK1yZ1N5xmWjx+n3QhVliNP8X+k+k=
Date: Mon, 08 Jan 2024 15:33:30 +0000
To: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
From: Thibault Meunier <ot-ietf@thibault.uk>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, IETF Secretariat <ietf-secretariat-reply@ietf.org>, "draft-group-privacypass-consistency-mirror@ietf.org" <draft-group-privacypass-consistency-mirror@ietf.org>, "privacypass-chairs@ietf.org" <privacypass-chairs@ietf.org>
Message-ID: <Tzo2uz_jr_lFdKE3OCUt_GtL5JUSR-0zaQmHjX0bjRRDUWlg3NW6NNdp6yDehS2gLA6Ek4YdmtjFwQ4EOFIRmfGrru8x7KCbNUD7C1dYlaA=@thibault.uk>
In-Reply-To: <BN8PR15MB32811657C0AEC39E213E8798B382A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <170137846545.34849.17139555973021303518@ietfa.amsl.com> <BN8PR15MB32811657C0AEC39E213E8798B382A@BN8PR15MB3281.namprd15.prod.outlook.com>
Feedback-ID: 60844204:user:proton
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_AwKrJRDVvdNKI7NniMqsCKS3PgG93tETYKN3Fs6dxs"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/EKM_HG1OSZSLeyZKCSU9sbWcQN0>
Subject: Re: [Privacy-pass] The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in state "Candidate for WG Adoption"
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2024 15:34:00 -0000

Hi Privacy Pass WG,

This is a late email given the adoption window closed about 3 weeks ago, and the document is set to expire on Thursday. I would support adoption of this document by the group, as its goal is clear and beneficial.
I've added some edits on GitHub [1], covering typos, and a clarification to avoid max-age to be accounted for twice, once by the mirror, and then again by the client.

For deployments of Privacy Pass, this document is useful to better define how clients can check the consistency of a remote issuer.

For Privacy Pass specifically, I think it is worth defining an OPTIONAL endpoint /.well-known/mirror-resource that would allow clients to retrieve all issuer keys before discovering it when prompted by an Origin. A similar endpoint is provided in Cloudflare attester implementation [2] for instance. This endpoint could be as simple as a list:
GET /.well-known/mirror-resources
https://issuer1.example/.well-known/private-token-issuer-directory
https://issuer2.example/.well-known/private-token-issuer-directory

It would be interesting to mention how this setup interact with CORS in the Web environment. An issuer could restrict their responses to attester.example/* for instance. The use of wrapped response would not benefit from this sanitasation.

Regarding the use of BHTTP, I would agree with the GitHub issue [3]. Copying content instead of using BHTTP makes implementation straightforward, as can be seen in this non caching mirror used to avoid CORS locally [4].

Best,
Thibault Meunier

[1] https://github.com/chris-wood/draft-group-privacypass-consistency-mirror/pull/30[2] https://github.com/cloudflare/pp-attester#get-v1private-token-attester-directory
[3] https://github.com/chris-wood/draft-group-privacypass-consistency-mirror/issues/25
[4] https://github.com/thibmeu/pepe-debug/blob/main/src/server/index.ts#L115

On Thursday, November 30th, 2023 at 10:39 PM, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:

> We are opening a two-week Call for Adoption (ending Friday, December 15th) for "Checking Resource Consistency with HTTP Mirrors".
>
> Please comment in this thread with your view as to whether this document should be adopted by the PRIVACYPASS working group.
>
> --Ben Schwartz, for the chairs.
>
> ---------------------------------------------------------------
>
> From: Privacy-pass <privacy-pass-bounces@ietf.org> on behalf of IETF Secretariat <ietf-secretariat-reply@ietf.org>
> Sent: Thursday, November 30, 2023 4:07 PM
> To: draft-group-privacypass-consistency-mirror@ietf.org <draft-group-privacypass-consistency-mirror@ietf.org>; privacy-pass@ietf.org <privacy-pass@ietf.org>; privacypass-chairs@ietf.org <privacypass-chairs@ietf.org>
> Subject: [Privacy-pass] The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in state "Candidate for WG Adoption"
>
> !-------------------------------------------------------------------|
> This Message Is From an External Sender
>
> |-------------------------------------------------------------------!
>
> The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in
> state Candidate for WG Adoption (entered by Benjamin Schwartz)
>
> The document is available at
> https://datatracker.ietf.org/doc/draft-group-privacypass-consistency-mirror/
>
> --
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass