Re: [Privacy-pass] The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in state "Candidate for WG Adoption"

Eric Rosenberg <eric_rosenberg@apple.com> Mon, 08 January 2024 18:13 UTC

From: Eric Rosenberg <eric_rosenberg@apple.com>
Message-id: <FDAEC819-5C84-4D57-B044-6E2EE7BCA81E@apple.com>
Date: Mon, 08 Jan 2024 10:13:28 -0800
In-reply-to: <Tzo2uz_jr_lFdKE3OCUt_GtL5JUSR-0zaQmHjX0bjRRDUWlg3NW6NNdp6yDehS2gLA6Ek4YdmtjFwQ4EOFIRmfGrru8x7KCbNUD7C1dYlaA=@thibault.uk>
Cc: "privacy-pass@ietf.org" <privacy-pass@ietf.org>, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, IETF Secretariat <ietf-secretariat-reply@ietf.org>, "draft-group-privacypass-consistency-mirror@ietf.org" <draft-group-privacypass-consistency-mirror@ietf.org>, "privacypass-chairs@ietf.org" <privacypass-chairs@ietf.org>
To: Thibault Meunier <ot-ietf@thibault.uk>
References: <170137846545.34849.17139555973021303518@ietfa.amsl.com> <BN8PR15MB32811657C0AEC39E213E8798B382A@BN8PR15MB3281.namprd15.prod.outlook.com> <Tzo2uz_jr_lFdKE3OCUt_GtL5JUSR-0zaQmHjX0bjRRDUWlg3NW6NNdp6yDehS2gLA6Ek4YdmtjFwQ4EOFIRmfGrru8x7KCbNUD7C1dYlaA=@thibault.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/F3zwUqjfzvXmHnHn4vdOc6o8Yis>
Subject: Re: [Privacy-pass] The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in state "Candidate for WG Adoption"
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>

I am also in support of adoption and agree that the goal is clear and beneficial. One thing that is not clear to me is how config rotation works. I’ve provided one such example case on GitHub [1]. This seems solvable and something that could be addressed by the working group.

Thanks,
Eric Rosenberg

[1] https://github.com/chris-wood/draft-group-privacypass-consistency-mirror/issues/31

> On Jan 8, 2024, at 07:33, Thibault Meunier <ot-ietf@thibault.uk> wrote:
> 
> Hi Privacy Pass WG,
> 
> This is a late email given the adoption window closed about 3 weeks ago, and the document is set to expire on Thursday. I would support adoption of this document by the group, as its goal is clear and beneficial.
> I've added some edits on GitHub [1], covering typos and a clarification to avoid max-age being accounted for twice, once by the mirror and then again by the client.
> 
> For deployments of Privacy Pass, this document is useful to better define how clients can check the consistency of a remote issuer.
> 
> For Privacy Pass specifically, I think it is worth defining an OPTIONAL endpoint /.well-known/mirror-resource that would allow clients to retrieve all issuer keys before discovering it when prompted by an Origin. A similar endpoint is provided in Cloudflare's attester implementation [2], for instance. This endpoint could be as simple as a list:
> GET /.well-known/mirror-resources
> https://issuer1.example/.well-known/private-token-issuer-directory
> https://issuer2.example/.well-known/private-token-issuer-directory
> 
> It would be interesting to mention how this setup interacts with CORS in the Web environment. An issuer could restrict their responses to attester.example/* for instance. The use of wrapped responses would not benefit from this sanitisation.
> 
> Regarding the use of BHTTP, I would agree with the GitHub issue [3]. Copying content instead of using BHTTP makes implementation straightforward, as can be seen in this non-caching mirror used to avoid CORS locally [4].
> 
> Best,
> Thibault Meunier
> 
> [1] https://github.com/chris-wood/draft-group-privacypass-consistency-mirror/pull/30
> [2] https://github.com/cloudflare/pp-attester#get-v1private-token-attester-directory
> [3] https://github.com/chris-wood/draft-group-privacypass-consistency-mirror/issues/25
> [4] https://github.com/thibmeu/pepe-debug/blob/main/src/server/index.ts#L115
> On Thursday, November 30th, 2023 at 10:39 PM, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
> 
>> We are opening a two-week Call for Adoption (ending Friday, December 15th) for "Checking Resource Consistency with HTTP Mirrors".
>> 
>> Please comment in this thread with your view as to whether this document should be adopted by the PRIVACYPASS working group.
>> 
>> --Ben Schwartz, for the chairs.
>> From: Privacy-pass <privacy-pass-bounces@ietf.org> on behalf of IETF Secretariat <ietf-secretariat-reply@ietf.org>
>> Sent: Thursday, November 30, 2023 4:07 PM
>> To: draft-group-privacypass-consistency-mirror@ietf.org <draft-group-privacypass-consistency-mirror@ietf.org>; privacy-pass@ietf.org <privacy-pass@ietf.org>; privacypass-chairs@ietf.org <privacypass-chairs@ietf.org>
>> Subject: [Privacy-pass] The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in state "Candidate for WG Adoption"
>> 
>> The PRIVACYPASS WG has placed draft-group-privacypass-consistency-mirror in
>> state Candidate for WG Adoption (entered by Benjamin Schwartz)
>> 
>> The document is available at
>> https://datatracker.ietf.org/doc/draft-group-privacypass-consistency-mirror/ 
>> 
>> 
>> -- 
>> Privacy-pass mailing list
>> Privacy-pass@ietf.org
>> https://www.ietf.org/mailman/listinfo/privacy-pass
>
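The consistency check and the cache-lifetime point raised in Thibault's message, as an added example in Python that is not part of this thread, of the draft, or of the Cloudflare attester. It assumes a mirror that copies the target's body and headers verbatim (the "copy the content" option discussed above, not BHTTP wrapping) and reports how long it has held the copy in a standard Age header; it parses the `/.well-known/mirror-resources` list in the one-URL-per-line shape sketched above; and the issuer directory, the responses and the `HttpResponse` type are all constructed for the example. Freshness is computed the RFC 9111 way (max-age minus current age), which is what stops max-age from being counted once by the mirror and again by the client.

```python
"""Added example: compare a directly fetched Privacy Pass issuer directory
with the copy served by a consistency mirror, and compute how long the
client may cache the copy without counting max-age twice.
All responses below are constructed sample data, not real issuer output."""
import hashlib
from dataclasses import dataclass


@dataclass
class HttpResponse:
    """Minimal captured HTTP response; header names are lower-cased."""
    status: int
    headers: dict
    body: bytes


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return out


def remaining_freshness(headers: dict) -> int:
    """Seconds the copy may still be served from cache (RFC 9111):
    freshness lifetime (max-age) minus current age (the Age header).
    A mirror that has held the copy for Age seconds has already used up
    that part of max-age, so the client subtracts it instead of starting
    a fresh max-age window of its own."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    max_age = cc.get("max-age")
    if max_age is None or not max_age.isdigit():
        return 0  # no explicit freshness: treat the copy as not cacheable
    age = headers.get("age", "0")
    current_age = int(age) if age.isdigit() else 0
    return max(0, int(max_age) - current_age)


def resource_digest(body: bytes) -> str:
    """SHA-256 of the raw body; the mirror is assumed to copy bytes verbatim."""
    return hashlib.sha256(body).hexdigest()


def check_consistency(direct: HttpResponse, mirrored: HttpResponse) -> dict:
    """Return whether the client's own fetch and the mirror's copy agree,
    plus how long the agreed copy may be cached (taken from the mirror's
    headers, since the mirror is the party that has been holding it)."""
    direct_digest = resource_digest(direct.body)
    mirror_digest = resource_digest(mirrored.body)
    consistent = (direct.status == 200 and mirrored.status == 200
                  and direct_digest == mirror_digest)
    return {
        "consistent": consistent,
        "digest": direct_digest,
        "cache_for": remaining_freshness(mirrored.headers) if consistent else 0,
    }


def parse_mirror_resources(body: bytes) -> list:
    """Parse the hypothetical /.well-known/mirror-resources list:
    one absolute https URL per line, blank lines ignored."""
    urls = []
    for line in body.decode("utf-8").splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("https://"):
            raise ValueError("mirror resource must be an https URL: %r" % line)
        urls.append(line)
    return urls


# Constructed sample data (the key material is a placeholder, not a real key).
DIRECTORY = (b'{"issuer-request-uri":"https://issuer1.example/request",'
             b'"token-keys":[{"token-type":2,"token-key":"AAAA"}]}')
DIRECT = HttpResponse(200, {"cache-control": "max-age=3600"}, DIRECTORY)
MIRRORED_OK = HttpResponse(
    200, {"cache-control": "max-age=3600", "age": "120"}, DIRECTORY)
# The two copies disagree, as they would if the issuer handed this client
# a key nobody else sees.
MIRRORED_TAMPERED = HttpResponse(
    200, {"cache-control": "max-age=3600", "age": "120"},
    DIRECTORY.replace(b'"AAAA"', b'"BBBB"'))
MIRROR_LIST = (b"https://issuer1.example/.well-known/private-token-issuer-directory\n"
               b"https://issuer2.example/.well-known/private-token-issuer-directory\n")

if __name__ == "__main__":
    print(check_consistency(DIRECT, MIRRORED_OK))
    print(check_consistency(DIRECT, MIRRORED_TAMPERED))
    print(parse_mirror_resources(MIRROR_LIST))
```

With the sample data the mirror has held the directory for 120 s of its 3600 s lifetime, so the client caches the agreed copy for 3480 s; a client that ignored Age and applied max-age again would keep the copy 120 s past the point the mirror itself would refresh, which is the double counting the edit in [1] is meant to rule out.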