IETF Logo Mail Archive

Re: [Privacy-pass] Issuer directory representation (#369)

Colin Bendell <colin@bendell.ca> Mon, 12 June 2023 02:31 UTC

Return-Path: <colin@bendell.ca>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 306A7C14F747 for <privacy-pass@ietfa.amsl.com>; Sun, 11 Jun 2023 19:31:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bendell.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97f7CHTzJKmq for <privacy-pass@ietfa.amsl.com>; Sun, 11 Jun 2023 19:30:55 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 371C9C14CEED for <privacy-pass@ietf.org>; Sun, 11 Jun 2023 19:30:54 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-2b1bb2fc9c6so42077511fa.0 for <privacy-pass@ietf.org>; Sun, 11 Jun 2023 19:30:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bendell.ca; s=google; t=1686537052; x=1689129052; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uCFyCBCyENn9lUN5+T+oTfasja9hm6QbWPjE0ITUlDo=; b=WGokacl0mqidKFcEM/LBPioV+CeEAy+cA+HZ+R2y/sfh+DJbh0S/BJNCasOpyVAmio JAvwqLuDwX1z2Ix06lcowTW+tqoqmFhkH4KqcN3QR9kkpmiKEMLuFJFLzJfnoGvsiokP NuK4kc8P9lzJlUYjJHLOtSPySRPE15+I6hkaM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686537052; x=1689129052; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uCFyCBCyENn9lUN5+T+oTfasja9hm6QbWPjE0ITUlDo=; b=igF9e3yqvJy7rUonV+Ust105QKQsl3iiNZ4cRn0KxeRqiihFNhTErJJh4Ic+SYu9L0 seYzn80rNhc5dsoweD5doqf5e3FpAEv+Y9ebuqPHAfIdOlgiIhyMy1AsSV/YKRF+p1Qw W+BQ2CWIqp8qAxu3x/SWoNsiilnNMw3IH1wQnV580yj0ek8SVmeb2o8MxX/QnMYxOqzx vjrt+UuILuv2SxSELqMmtKmRuhjO1/vFDnnrwHLxFJtfPJp3M5xq7sYIsiAu0J4ZuBUx PWEzOa2ExkiCrK1U3sxZ/S1ne9/U/9NHx44hj2VVEFsdrfXHMWpI6aRpw2M8Ot8eTLr/ FHqQ==
X-Gm-Message-State: AC+VfDw21e7N+u8KpAvfHm/kVDcpvR1+iOLmz27d7d5Q2iTYR2W7YWtZ +DIZbkWdDQxraaBuQYfJ/SE2HF4eNkISMaW1R9IY+dHor3qpH7ywmHA=
X-Google-Smtp-Source: ACHHUZ65rOz2ywzaknepclvhQODK45jrBwMyRR7baO3EI94DysLaD1AaULpOKEZXz2KbI6GoFZVtrhme/hzKr3X2FOY=
X-Received: by 2002:a2e:9c12:0:b0:2ac:8cc0:bee5 with SMTP id s18-20020a2e9c12000000b002ac8cc0bee5mr1574103lji.0.1686537052398; Sun, 11 Jun 2023 19:30:52 -0700 (PDT)
MIME-Version: 1.0
References: <fa636aa2-d988-42b2-ad9c-fe0fb25bc960@app.fastmail.com> <CA+AE54cshctSyXsdPkNxcRk3Tn-WPRNzwnSsMvKiqouSdYe9+w@mail.gmail.com> <CAL12FVFPfKp-dC1NCrXmn0wMO2qnLBtW3wuwz2fMirWR-UKA_w@mail.gmail.com> <CAL12FVGR1G_D=3v0jXATD2bfFreYfR8GN9HAtzH0J2t_-ukeXQ@mail.gmail.com> <B408DBD5-983A-4B53-A98D-872499073615@apple.com>
In-Reply-To: <B408DBD5-983A-4B53-A98D-872499073615@apple.com>
From: Colin Bendell <colin@bendell.ca>
Date: Sun, 11 Jun 2023 22:30:41 -0400
Message-ID: <CAL12FVHpudbPcrn7Lrw=Nc_NJmOkt-+DtuZgnNF8kTv4_M3Smg@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, privacy-pass@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e8b81b05fde581df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/F-vF39Rzed8QQ3s1pvoNqohmmrA>
Subject: Re: [Privacy-pass] Issuer directory representation (#369)
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jun 2023 02:31:00 -0000

On Fri, 9 Jun 2023 at 23:15, Tommy Pauly <tpauly@apple.com> wrote:

> On Jun 9, 2023, at 1:14 PM, Colin Bendell <colin@bendell.ca> wrote:
> For reference, I have a few examples using the publicly available keys.
>
> Here is cloudflare's demo issuery directory:
> *
> https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
> And the same in jwks format (nb: I've set "kid" to the
> "truncated_token_key_id" value instead of preserving "version")
> *
> https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
>
> I believe this link should be this, right?
>
> https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.jwks.json


Yes. thanks for finding the correct link.


> Overall, while I’m not opposed to JWK being defined at some point, I don’t
> think it simplifies things for privacy pass, and this proposal is missing
> key pieces of information like the token type, and isn’t consistent with
> the formats clients would commonly see in HTTP auth challenges. Defining
> JWK formats in a new document where the details of how they should work and
> what clients might benefit from them — sure! Removing definitions for the
> simple JSON format — not so much.
>

The one thing that strikes me is if you look at even the cloudflare
implementation, they have had to add all the standard kinds of things like
'version' and 'not-before'. While I agree that there are specific nuances
that are unique for privacy-pass, it feels like all the other standard
mechanics of key rotation would benefit from aligning to a common standard.
There are many additional features I assume implementers will eventually
also require (including: not-after, not-before, version, priority,
revocation uri, cache policy, etc).

I proposed JWK because it has browser support in webcrypto. I wonder
if there are other standards that have flushed these nuances out more
completely?

At the very least Privacy Pass should define some of these common fields
because as it stands the 'not-before' field is currently implementation
specific. Is it in epoch seconds? milliseconds? Is it like PST and measured
in microseconds? (madness!)


> A couple comments inline below:
>
> On Fri, 9 Jun 2023 at 16:13, Colin Bendell <colin@bendell.ca> wrote:
>
>> The argument for JWK is that it reduces the sprawl of directory syntaxes
>> and allows the devs to lean on pre-existing tooling and documentation. JWKS
>> does have extensibility built into the RFC to be adapted for this purpose.
>>
>> The main advantages for using JWKS are:
>> 1. we don't need to introduce a new iana for algorithm types.
>> issuer-type=2 is the same as alg="PS384". This will further allow for
>> future expansion and key selection
>>
>
> Having JWK for the issuer dictionary would not mean we don’t need token
> type — token type is not just a cryptographic algorithm, it defines the
> issuance protocol. Type 2 and type 3 have the same format for the resulting
> token, but different properties throughout issuance.
>
> Thus, a JWK format would need to *also* be paired with token types.
>

This is a good point. Right now EC/P384 and RSA/PS384 are convenient short
hands for type 1 and type 2, As you say, it might not always be the case -
particularly if the Type's are used as a stand-in for rfc versions where
type=4 is the vNext of what is type=2 today. (I'm assuming that type won't
include minor versions)


>
>> 2. adopting a consistent standard leverages existing dev and infra tools
>> around the jwk and jwks ecosystem. Particularly for key store loading,
>> rotating and management. This is particularly important if aligning
>> Private-State-Tokens is a goal of Privacy Pass. With PST, the UA is
>> expected to consume these public key stores.
>>
>
> I think that aligning with Privacy Pass standards should be a goal of
> proposals like private state tokens. But clients already can directly
> consume public keys with existing deployments of privacy pass, and that
> doesn’t seem to be a burden. Also, privacy pass communicates keys in HTTP
> challenges, which are in the format that’s in the issuer dictionary, not a
> JWK.
>

To be fair, it's not a burden today only because there are only 2 issuers
that are in use in production environments. And the issuer directory isn't
available for one of them.

If PST aligns with this spec, we should expect multiple orders of magnitude
increase in the number of valid issuers and origins+clients that are
consuming them.

/colin


>
> Tommy
>
>
>> 3. Since it uses the expanded form, and not DER encoded, it
>> sidesteps some of the awkwardness of the dev ecosystem for RSASSA-PSS. Most
>> of the RSASSA-PSS implementations are spotty which is why WebCrypto has
>> dropped support [1]. Converting between RSASSA-PSS and RSA is a bit messy
>> [2] in the DER encoded form, it's much more straightforward with the JWK
>> since the modulus and exponent are already expanded.
>>
>> 4. The syntax for JWK already has extensions to pre-calculate the
>> token-key-id (see: "x5t#S256" [3]). This is an optimization that can be
>> done server side or on origin startup, having it available in a
>> materialized form has some convenience advantages.
>>
>> There are disadvantages as well, which are worth expanding:
>> 1. The syntax is terse. it does take a special decoder ring to decipher
>> the fields. Likewise, the fields are in expanded form instead of
>> encapsulating in DER format. (This is done so that you can very quickly
>> sanitize a JWK and remove the secret key fields without having to
>> re-encode.)
>>
>> 2. We would still need to define the iana values to expand JWKS for
>> fields like 'issuer-request-uri" or "issuer-name" (for PST), etc. Other
>> fields that are already common in the public issuer identifiers [4], like
>> 'not-before' and 'version' do have corrolories in JWKS.
>>
>> 3. While convenient to have the components of the key in expanded form,
>> we still need to convert it to the DER encoded form for the purposes of
>> Privacy-Pass - specifically for token-key and token-key-id fields.
>>
>> [1] https://github.com/w3c/webcrypto/pull/325
>> [2]
>> https://github.com/colinbendell/private-access-token/blob/main/src/utils.js#L382-L395
>> [3] https://datatracker.ietf.org/doc/html/rfc7517#section-4.9
>> [4]
>> https://demo-pat.issuer.cloudflare.com/.well-known/token-issuer-directory
>>
>> On Fri, 9 Jun 2023 at 06:28, Eli-Shaoul Khedouri <eli=
>> 40intuitionmachines.com@dmarc.ietf.org> wrote:
>>
>>> I do not see a benefit to adopting JWKs at this stage. As you say, they
>>> are somewhat complex for the PP use case.
>>>
>>> Eli
>>>
>>> On Thu, Jun 8, 2023 at 5:30 PM Christopher Wood <caw@heapingbits.net>
>>> wrote:
>>>
>>>> Colin filed #369 [1] to discuss the current representation we are
>>>> currently using for issuer directories. Basically, Privacy Pass chose to
>>>> introduce a new representation that bears resemblance to that which is used
>>>> in Private State Tokens [2] and is already specified in JSON Web Key Sets
>>>> [3]. We should sort out what to do with this discrepancy.
>>>>
>>>> Speaking for myself, neither a JWK or JWT expert, I think we should
>>>> stick with what's currently in the draft because (1) all formats seem
>>>> mostly isomorphic and (2) JWKS are, to my knowledge, meant primarily for
>>>> JWTs. Moreover, the way that keys are represented seems unnecessarily
>>>> complex. Why do we need to specify any of the "kty", "alg", or "kid"
>>>> parameters when they can be inferred from the token type and public key?
>>>>
>>>> Note that this is primarily relevant for origins that consume the
>>>> directory and use it for the purposes of challenging clients, but it may in
>>>> the future become relevant for clients that want to consume this resource
>>>> for consistency checking purposes.
>>>>
>>>> What do others think?
>>>>
>>>> Best,
>>>> Chris
>>>>
>>>> [1] https://github.com/ietf-wg-privacypass/base-drafts/issues/369
>>>> [2]
>>>> https://github.com/WICG/trust-token-api/blob/main/ISSUER_PROTOCOL.md
>>>> [3] https://datatracker.ietf.org/doc/html/rfc7517
>>>>
>>>> --
>>>> Privacy-pass mailing list
>>>> Privacy-pass@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>>>
>>> --
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>>
>> --
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass
>
>
>
>

v2.23.0 | Report a Bug | By Email