[Privacy-pass] Re: WGLC for Rate-Limited Token Issuance

Watson Ladd <watsonbladd@gmail.com> Sat, 22 June 2024 02:11 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A628BC14F5FC for <privacy-pass@ietfa.amsl.com>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBaYCbO7atl6 for <privacy-pass@ietfa.amsl.com>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402DFC14F5E4 for <privacy-pass@ietf.org>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-421bb51d81aso22956245e9.3 for <privacy-pass@ietf.org>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719022308; x=1719627108; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=kvXRk0tyPkpNdu2LLIsvvpgNz0+qoh0+CBSuP8wKDoA=; b=l/tnqFIAmMrgxftqZtLM3xBglq0xjkePaQ935nA9DY410wwTDWtrYUqn7BuvYH6QYB 8eovkfo0IBIgV8Ha9LR+fqScKnloXVJ2gP4ecYSN46ltjZmh0niovg9HR2TN8djmrO79 K2PunuW915xtdNEDURJMf6OYzAKdahtN7ozmiUp8PPb+z2Uz4wbHNW3Gfl0uFl/fwg3i Fq4a5mSg0NulbqQcNIQSzP7c83XXtt6sbsbL6RnpV691eQofgtaCRewI/AjcrK/71sZI 4tgOZ1raqzdn2t0GfmVu91aPE+ai1CJApfEQ1aFLRaKlsfD1hPVNIeMKHauvJm1VS7NM z/SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719022308; x=1719627108; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=kvXRk0tyPkpNdu2LLIsvvpgNz0+qoh0+CBSuP8wKDoA=; b=FWQkBHcGnWM0HzZWibAHKYoh4yl7rSWAdMcjekf4EpMQlxTxR+2kDnkvSIsUXKVmgd YARbmpG0fIh/8ZjGkF9EYPUP9D3jFckdQRWKo5/Wq9M1McvHPGsuTVMBXvDXkPei6TJJ ECzSEwPHPrZvIhvDLPF1jiEAmgMnj+k6nwK3nb5htiZb4h3lKjfbNneWohl+7PTYnU95 nTbB6HpXowFmL22DCgfZhyWkpqBH7oswl5YpVYoyN2+Er05r9cZq5pS7LfjXcua/etxy /mqwrr8ATDbLKny4bOTeF6rSIU9pf7UnSmRYVqSPKGU5Mgmp/hD43LVQrzpC9qTpe01v ftpA==
X-Gm-Message-State: AOJu0Yx8Iccvejp5PYkx914WN/l03jq/KqSajin4SNIbs0Hu6ljWiPtI n5xKanWpVXjSfuByWRDxOFLEATEG6q/lgcjGUldjCw9FR6ORCioFFkvw/KiqL83mujhnO3HYUJC 0FKcS+Ib20VwPD74CDIRGtIcLw9vEUQ==
X-Google-Smtp-Source: AGHT+IFAxUukjG3m7xYVgOajxGKpYT63BDu0WP25AttWn/xR1bhZiCX4+tyhKPMDlagjwKqwlhfFMsTl4pmTUXPVwWA=
X-Received: by 2002:a05:600c:45cf:b0:424:745d:f27f with SMTP id 5b1f17b1804b1-4247529ca74mr74003695e9.37.1719022307418; Fri, 21 Jun 2024 19:11:47 -0700 (PDT)
MIME-Version: 1.0
References: <SA1PR15MB4370846AC3E04AA70A0FE67DB3FC2@SA1PR15MB4370.namprd15.prod.outlook.com> <SA1PR15MB4370456540B1F05D1A17998EB3C82@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <SA1PR15MB4370456540B1F05D1A17998EB3C82@SA1PR15MB4370.namprd15.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 21 Jun 2024 19:11:36 -0700
Message-ID: <CACsn0cn7qXpsXnx5RB_qun62_LaCEJGr1+NYBq2Kt01bg8yxJw@mail.gmail.com>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: Q7WE63QH3YD6KPZ7EUQ24BJB6UDKGWLQ
X-Message-ID-Hash: Q7WE63QH3YD6KPZ7EUQ24BJB6UDKGWLQ
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: WGLC for Rate-Limited Token Issuance
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/KN-ui6UiBXm5BaHbgHUWTFmC2iw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>

Dear Privacy pass participants,

I think this document unfortunately complicates the privacy and
centralization story. Origins must pick Issuers they trust, but the
client's privacy in the Origin  vis a vis the Attester depends on the
number of Origins that trust the Issuer. Attesters also need to be
trusted as they ultimately enforce the limits. This is in tension with
non-collusion requirements. There's some text here on that, but I'd
like a better understanding of why this is realistic, probably because
of some emails rather than more text.

Section 7 I had to puzzle over: it was not clear to me for a while how
the attestor learns sk_blind.  It's also not clear to me what F is
supposed to be in that section, or what security properties this dance
is supposed to have. F doesn't appear to be defined anywhere. In fact
after digging into this some more I'm confused. This seems like the
sort of thing where we need a clear statement of the properties being
looked for to have security, and unwinding the Key Blinding ID
references I don't think the properties are the ones analyzed by the
Tor proposal. There's some messiness around the wrapping of it, which
makes me wary. I think there's also assumptions about the commutivity
of blinding and unblinding that require looking into the Key Blinding
mechanism too much.

I think Section 10 should also recommend client origin alias rotation intervals.

Minor nit: in 5.1.1 I think "Attester will enforce if" should be
"Attester will decide if"

HTTP nit: I don't understand why headers are being used for some of
the per-request information conveyances vs adding to the data
structures in play.

The timing is a little unfortunate: we've been able to put together an
approach that gets a lot of the desirata for more features across
privacy pass applications with one token type, and will write it up
before IETF 120, but it would be some time before we could get it to
WGLC state. We can do real rate limits with client privacy, not just
the pseudonym approach from earlier.

I think this document needs some revision and more analysis: I don't
think its ready to proceed, mainly because of Section 7.

Sincerely,
Watson

--
Astra mortemque praestare gradatim