Re: [Privacy-pass] New drafts for IETF107
Mariana Raykova <marianar@google.com> Thu, 26 March 2020 18:23 UTC
Return-Path: <marianar@google.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3852D3A0DB9 for <privacy-pass@ietfa.amsl.com>; Thu, 26 Mar 2020 11:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfkURM42o3Qf for <privacy-pass@ietfa.amsl.com>; Thu, 26 Mar 2020 11:23:10 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3143A0D8D for <privacy-pass@ietf.org>; Thu, 26 Mar 2020 11:23:10 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id m17so9043635wrw.11 for <privacy-pass@ietf.org>; Thu, 26 Mar 2020 11:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6u/GhCFVB3NoqctiFxUKzmB53stQm4tuIGafGpm7e4k=; b=Iuqjsdq+M5WwZ54kBa0vlvaPCwnrEMCziQoNkURh9YAMs9BGRMvwKjeooUJyjzlHyG QEOcjLstOLzodKkm7hyL5q4ADqgcXJj+3M4mHJWlfJcYsg4JBdyo1u3GfVMkwb1ZmyhZ bs9xlUCQdQiQKGcfecr1nnc2aXkE0zQYqNQY0vpLOthRyeU0KiaBfiMB4SttTb1K+Dv8 aJuPQV5iD2DM9+JUblZqUBOqywqrp4ZpnKxMiaTmsz/5BUYVJtjdUqzN5/ld+KZOa0hT sTzBgCigs62tv77rqNwXyPnBid+RyXu6udlEIGY1noK9nsoUlLRBKTIje+PuorAWK0oE ugFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6u/GhCFVB3NoqctiFxUKzmB53stQm4tuIGafGpm7e4k=; b=pwPbOE8HUVp89g8OwRPFYO2E1AthgAuvc9Vf+9/OVqWxdBQAFkHK4CTRXllX0xh9ji btb1eqioJ7nbVQZU2hRdqNRHPnZxcplSOYWK1wWbsvsYqnWErRkKQRZf1Jso8B5eObdk UGw2yv6OKR/zs5fHpRNiJza0UU820JSmRWNu5B+eAr6+i2O2FMkiRIniu2nomSxTkuzD PHjjNFt7hfZgp1fj5mU7CCuj9RkoDn3eM4CEnPX5YeXSdne16i8wyStkKii78z4cfaWD JgFlyjQTjfwRAPowrSyptlKYYNTLvhVTOzIk1w+UF7L68xrmzk+BHB7gWlXGBwnk3TXB yfmA==
X-Gm-Message-State: ANhLgQ2vu/EVxAx77Kzquwm4hddMAf0tp3muot5wXVfC242FqB3Suvyc dmJ5nOoqsirPSAtREAlfRtumZ9lgeL9565W4n3JZPA==
X-Google-Smtp-Source: ADFU+vtWo/i8eIbWzQ2gy3/caIfBw1/2mtgz+hC6ljCkYIbLcCKKvDKj7F2oZTvgl/fY8Vx8RzakLNVRAGx7dPUr2EU=
X-Received: by 2002:a5d:4e03:: with SMTP id p3mr10473331wrt.408.1585246988704; Thu, 26 Mar 2020 11:23:08 -0700 (PDT)
MIME-Version: 1.0
References: <62860787-70C2-4B39-BC6B-B0A83DDCD824@cloudflare.com> <CANduzxDCEi3izVM49EmTwyLf=LNpO1dTPqb6JmO7zxaHPTCaTg@mail.gmail.com> <1F946C3A-D194-435E-9A0F-2388C70324C3@cloudflare.com> <38505538-5FC5-4496-BD80-760C6071BD01@cloudflare.com> <0E23922F-9E2A-4192-B4CA-E8462CC672A2@cloudflare.com> <CANduzxDAKjQion4sUxquu7OHZDbv+PO9+oRRnBYaoAkOrXCicw@mail.gmail.com> <8FBF8C9F-6B9A-4D9D-AF92-0912BCD7A955@cloudflare.com> <CANduzxANrL7TBRhPz2vqsS19NCQM45KUPhrUACnGJQ494n-J5w@mail.gmail.com> <4889145F-5FBE-4C6F-83EA-60491426DC56@cloudflare.com> <4A86E6B1-694F-4E4D-A22F-417B690B0BE3@cloudflare.com> <ea9feab6-5f7f-f927-bd5f-73ea8a805aa1@riseup.net> <83D15981-9424-4B31-9DD7-24101E5F370E@cloudflare.com> <99682788-41a4-b933-bff7-4c40c5ff0650@riseup.net> <CAKAkE=3ds-9rO7pKa4qKNNeG3UGiTVkRp=tPNO7ioOLq-M+niA@mail.gmail.com> <57B5F73B-7282-41D1-9328-699CC7FE4A94@cloudflare.com>
In-Reply-To: <57B5F73B-7282-41D1-9328-699CC7FE4A94@cloudflare.com>
From: Mariana Raykova <marianar@google.com>
Date: Thu, 26 Mar 2020 14:22:56 -0400
Message-ID: <CAKAkE=0TAYP2AawRiofKA4y-WjVCoXSrZg0rSqS7wYzRbQKUOg@mail.gmail.com>
To: Alex Davidson <adavidson=40cloudflare.com@dmarc.ietf.org>
Cc: Sofía Celi <cherenkov@riseup.net>, privacy-pass@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a50b4405a1c61367"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/Fy9GT2sU_x_R7nfsotCGHxgK640>
Subject: Re: [Privacy-pass] New drafts for IETF107
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2020 18:23:28 -0000
On Thu, Mar 26, 2020 at 11:01 AM Alex Davidson <adavidson= 40cloudflare.com@dmarc.ietf.org> wrote: > Hi all, > > @Mariana: Thanks for bring up. I agree that adding a discussion on the > consideration of attaching some small amount of metadata to tokens that are > issued is something that we will want to bring up the core documents. In > particular, a potential path forward would be to add an additional > implementation of the Privacy Pass API in the protocol draft based on the > https://eprint.iacr.org/2020/072.pdf construction that incorporates the > additional metadata bit, to go alongside the existing implementation. Then > we would address the privacy analysis of incorporating this extra bit in > the architecture document, though I think this will be relatively > straightforward. Would be interested to hear what other think about doing > this. > The extra bit is equivalent to having two different signing keys on the side of the server in terms of the unlinkability for the clients. > > This does raise the question of whether we would want to be even more > general in the architecture document and discuss the privacy impacts of > adding more arbitrary metadata to tokens, up to a certain amount of bits. > It’s not clear what the implications of doing this would be, so adding a > wider discussion and analysis may well be worthwhile? > I think the privacy implications of the metadata bits can be mapped onto the analysis for different numbers of active keys for the server. I also wanted to make the point that for several of the listed extension we do not go really into detailed analysis of their additional formal security properties and I do not think this is necessary as probably any specific protocol for any of the extensions should come its own security analysis. I think the case for the metadata should be similar. > > On 25 Mar 2020, at 22:39, Mariana Raykova < > marianar=40google.com@dmarc.ietf.org> wrote: > > Hi Alex, > > Thanks for preparing the drafts with Steven. > > I would like to propose adding to the architecture document the private > metadata bit as a possible extension as defined in our paper > https://eprint.iacr.org/2020/072.pdf. We discussed this in the meeting in > New York as one of the extensions. I know that we have decided that the > actual protocols will be described in a separate CFRG document but I would > like to have the functionality as an extension to the Privacy Pass > functionality included in the document that lists several different > extensions. For example, to achieve a single-issuer with > forwarding-verifier requires significant changes to the Privacy Pass > construction and similarly other applications with general ZKPs, changes > that are on the order of the changes to achieve private metadata but. > > I think in another email thread there was a discussion about other > proposals in this space and Alex mentioned that partially blind signatures > can be viewed as an extension of the Privacy Pass framework, I think the > private metadata bit falls in a similar category. The related work of our > paper has an overview of some existing work that may also be relevant. > > thanks, > Mariana > > > @Sofia: Thanks for raising these points. I’ve inlined my reply, but please > feel free to raise issues on the GitHub repo for the things that you have > highlighted (I can also do this once I get a moment). > > > On Wed, Mar 25, 2020 at 3:35 AM Sofía Celi <cherenkov@riseup.net> wrote: > >> Hi, Alex! >> > The points that you’ve raised above all make sense to me. If you would >> be interested in submitting an issue/PR for solving them, that would be >> really useful and I would be happy to review it. >> >> Just sent it ;) I added some grammar corrections as well. >> While doing the PR, I also realized that it is not clear when the >> 'Issuance message' is sent. It seems to not be the output of any of the >> API functions... I'm not sure how that one works.. >> > > That’s true, I think in the protocol it just needs to be made more clear > that the IssuanceMessage is constructed by the client from the > ClientIssuanceElement data that it creates. However, we could probably also > condense these types down into one that is also sent on the wire. > > >> After reading the architecture document, I thought that: >> >> - Maybe it will be nice to give an example for the unique identifier for >> the client id >> - It will be nice to define what anonymity means in the draft, maybe >> taking the definitions of some papers that have defined the different >> terms around anonymity. >> > > Yes, this is a good point. We should be clearer on what definition of > anonymity we are considering. > > - This section is a little unclear for me: >> """ >> In addition, we RECOMMEND that trusted registries indicate at all >> times which issuers are deemed to be active. >> """ >> How will the registries determine which issuers are active? >> > > Also a good point. I think this comes into the way that we detect and act > against servers act maliciously. The concept of an active issuer is > maintained to ensure that we only have a fixed number of issuers at any one > time. > > - It will be nice to also recommend a time for when servers can rotate >> their signing keys. >> > > Either we will want to consider fixed time periods, or the configuration > manager will need to monitor the times when updates have occurred and > decide whether to accept them or not. This is the approach that currently > exists, but I think this is something that it would also be useful to get a > broader consensus on. > > - It also seems to have some variable naming consistency issues that >> I'll fix in a PR if it is ok ;) >> > > Sure, by all means! > > Cheers, > Alex >
- [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Steven Valdez
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Steven Valdez
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Steven Valdez
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Sofía Celi
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Sofía Celi
- Re: [Privacy-pass] New drafts for IETF107 Mariana Raykova
- Re: [Privacy-pass] New drafts for IETF107 Alex Davidson
- Re: [Privacy-pass] New drafts for IETF107 Mariana Raykova
- Re: [Privacy-pass] New drafts for IETF107 Steven Valdez