[Privacy-pass] Re: WGLC for Rate-Limited Token Issuance
Watson Ladd <watsonbladd@gmail.com> Sat, 22 June 2024 02:11 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A628BC14F5FC for <privacy-pass@ietfa.amsl.com>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBaYCbO7atl6 for <privacy-pass@ietfa.amsl.com>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402DFC14F5E4 for <privacy-pass@ietf.org>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-421bb51d81aso22956245e9.3 for <privacy-pass@ietf.org>; Fri, 21 Jun 2024 19:11:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719022308; x=1719627108; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=kvXRk0tyPkpNdu2LLIsvvpgNz0+qoh0+CBSuP8wKDoA=; b=l/tnqFIAmMrgxftqZtLM3xBglq0xjkePaQ935nA9DY410wwTDWtrYUqn7BuvYH6QYB 8eovkfo0IBIgV8Ha9LR+fqScKnloXVJ2gP4ecYSN46ltjZmh0niovg9HR2TN8djmrO79 K2PunuW915xtdNEDURJMf6OYzAKdahtN7ozmiUp8PPb+z2Uz4wbHNW3Gfl0uFl/fwg3i Fq4a5mSg0NulbqQcNIQSzP7c83XXtt6sbsbL6RnpV691eQofgtaCRewI/AjcrK/71sZI 4tgOZ1raqzdn2t0GfmVu91aPE+ai1CJApfEQ1aFLRaKlsfD1hPVNIeMKHauvJm1VS7NM z/SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719022308; x=1719627108; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=kvXRk0tyPkpNdu2LLIsvvpgNz0+qoh0+CBSuP8wKDoA=; b=FWQkBHcGnWM0HzZWibAHKYoh4yl7rSWAdMcjekf4EpMQlxTxR+2kDnkvSIsUXKVmgd YARbmpG0fIh/8ZjGkF9EYPUP9D3jFckdQRWKo5/Wq9M1McvHPGsuTVMBXvDXkPei6TJJ ECzSEwPHPrZvIhvDLPF1jiEAmgMnj+k6nwK3nb5htiZb4h3lKjfbNneWohl+7PTYnU95 nTbB6HpXowFmL22DCgfZhyWkpqBH7oswl5YpVYoyN2+Er05r9cZq5pS7LfjXcua/etxy /mqwrr8ATDbLKny4bOTeF6rSIU9pf7UnSmRYVqSPKGU5Mgmp/hD43LVQrzpC9qTpe01v ftpA==
X-Gm-Message-State: AOJu0Yx8Iccvejp5PYkx914WN/l03jq/KqSajin4SNIbs0Hu6ljWiPtI n5xKanWpVXjSfuByWRDxOFLEATEG6q/lgcjGUldjCw9FR6ORCioFFkvw/KiqL83mujhnO3HYUJC 0FKcS+Ib20VwPD74CDIRGtIcLw9vEUQ==
X-Google-Smtp-Source: AGHT+IFAxUukjG3m7xYVgOajxGKpYT63BDu0WP25AttWn/xR1bhZiCX4+tyhKPMDlagjwKqwlhfFMsTl4pmTUXPVwWA=
X-Received: by 2002:a05:600c:45cf:b0:424:745d:f27f with SMTP id 5b1f17b1804b1-4247529ca74mr74003695e9.37.1719022307418; Fri, 21 Jun 2024 19:11:47 -0700 (PDT)
MIME-Version: 1.0
References: <SA1PR15MB4370846AC3E04AA70A0FE67DB3FC2@SA1PR15MB4370.namprd15.prod.outlook.com> <SA1PR15MB4370456540B1F05D1A17998EB3C82@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <SA1PR15MB4370456540B1F05D1A17998EB3C82@SA1PR15MB4370.namprd15.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 21 Jun 2024 19:11:36 -0700
Message-ID: <CACsn0cn7qXpsXnx5RB_qun62_LaCEJGr1+NYBq2Kt01bg8yxJw@mail.gmail.com>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: Q7WE63QH3YD6KPZ7EUQ24BJB6UDKGWLQ
X-Message-ID-Hash: Q7WE63QH3YD6KPZ7EUQ24BJB6UDKGWLQ
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: WGLC for Rate-Limited Token Issuance
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/KN-ui6UiBXm5BaHbgHUWTFmC2iw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>
Dear Privacy pass participants, I think this document unfortunately complicates the privacy and centralization story. Origins must pick Issuers they trust, but the client's privacy in the Origin vis a vis the Attester depends on the number of Origins that trust the Issuer. Attesters also need to be trusted as they ultimately enforce the limits. This is in tension with non-collusion requirements. There's some text here on that, but I'd like a better understanding of why this is realistic, probably because of some emails rather than more text. Section 7 I had to puzzle over: it was not clear to me for a while how the attestor learns sk_blind. It's also not clear to me what F is supposed to be in that section, or what security properties this dance is supposed to have. F doesn't appear to be defined anywhere. In fact after digging into this some more I'm confused. This seems like the sort of thing where we need a clear statement of the properties being looked for to have security, and unwinding the Key Blinding ID references I don't think the properties are the ones analyzed by the Tor proposal. There's some messiness around the wrapping of it, which makes me wary. I think there's also assumptions about the commutivity of blinding and unblinding that require looking into the Key Blinding mechanism too much. I think Section 10 should also recommend client origin alias rotation intervals. Minor nit: in 5.1.1 I think "Attester will enforce if" should be "Attester will decide if" HTTP nit: I don't understand why headers are being used for some of the per-request information conveyances vs adding to the data structures in play. The timing is a little unfortunate: we've been able to put together an approach that gets a lot of the desirata for more features across privacy pass applications with one token type, and will write it up before IETF 120, but it would be some time before we could get it to WGLC state. We can do real rate limits with client privacy, not just the pseudonym approach from earlier. I think this document needs some revision and more analysis: I don't think its ready to proceed, mainly because of Section 7. Sincerely, Watson -- Astra mortemque praestare gradatim
- [Privacy-pass] WGLC for Rate-Limited Token Issuan… Ben Schwartz
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Ben Schwartz
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Watson Ladd
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Martin Thomson
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Thibault Meunier
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Martin Thomson
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Christopher Wood
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Watson Ladd
- [Privacy-pass] Re: WGLC for Rate-Limited Token Is… Christopher Wood