IETF Logo Mail Archive

Re: [Privacy-pass] Updated WG charter text

Alex Davidson <adavidson@cloudflare.com> Tue, 28 April 2020 10:48 UTC

Return-Path: <adavidson@cloudflare.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B98B3A0909 for <privacy-pass@ietfa.amsl.com>; Tue, 28 Apr 2020 03:48:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIMeCWl7HPPh for <privacy-pass@ietfa.amsl.com>; Tue, 28 Apr 2020 03:48:12 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D0953A0905 for <privacy-pass@ietf.org>; Tue, 28 Apr 2020 03:48:12 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id x25so2216789wmc.0 for <privacy-pass@ietf.org>; Tue, 28 Apr 2020 03:48:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=+o/Sz3dkDXV2PmK51EUA64HmlJeVTrUB2KREvxtc9Gg=; b=rOUsJYPWEetDI8Xa3EBHo26KLCYXHVeBCZlwJUraTMFEQEyusNh3A+Pe6/Z4+8kVOL eQFKTTGvlm/kLk6V9gu/ttqagzOClaB+DvzjYV5YZ97Ig4W+HUeGRhm/HYE7gl9HnL8s 2EfQQoxtoANGzzexCvMFAbpfaJMCwIJozjP10=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=+o/Sz3dkDXV2PmK51EUA64HmlJeVTrUB2KREvxtc9Gg=; b=ouZk4mzTe97Y+FVCYVt/5X/n2h0sw6/FJRNurIh3rRHYDhkMT061/8HJNRGIZ3p/TB lf2w6Nkqs9ZpRfNgnjBiXvVddUf3/NY5VyMQQq5WlcTCCRd0BrxnZoqDzM6HCNU0YEdU G4R+r/GWwlW8B1iFdUFPTqyFxf11KiW1UFevEzoChKPT58+/V+SBRjVtPfGhR/ufvwGb KeHcPKbKl9yA5tkX3JzwoSubdq2RnLDIVlo05teA61iC5K/ZX8YCC+EEmv/ya64oEj9D lf4L3snOUjrjaN38p7FORglhj8StwOlalxL4y/dyIT+dII44XW61sQWAqXVwU2ZFCezr TAGA==
X-Gm-Message-State: AGi0PuYKmDe7hUFTtsHsWAolblUMA96m0zl0wWOxha3RHo/LDTcRPA0d yDdpW/wyBDYaLW2PBAzElnhk8/l1whQ=
X-Google-Smtp-Source: APiQypIxNn5SY3xDIYePFbXWyyBPTd9YN9gLddxMvlOsv1gZy98TZFnwA1n2IKsmCjk6dYNlHasSwQ==
X-Received: by 2002:a1c:8106:: with SMTP id c6mr3917116wmd.88.1588070857068; Tue, 28 Apr 2020 03:47:37 -0700 (PDT)
Received: from ?IPv6:2001:8a0:7ac8:f600:ddf3:de8a:432b:7ee4? ([2001:8a0:7ac8:f600:ddf3:de8a:432b:7ee4]) by smtp.gmail.com with ESMTPSA id z10sm25485005wrg.69.2020.04.28.03.47.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Apr 2020 03:47:36 -0700 (PDT)
From: Alex Davidson <adavidson@cloudflare.com>
Message-Id: <E574167C-92BD-48B1-8BE3-9BE67F401ECE@cloudflare.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1155B822-6041-4460-8010-5C1800D60EAC"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 28 Apr 2020 11:47:33 +0100
In-Reply-To: <a469cd36-dcae-4d15-8b7b-a86071ea6d3d@www.fastmail.com>
Cc: Christopher Wood <caw@heapingbits.net>
To: privacy-pass@ietf.org
References: <40600024-A6F1-41D7-B7A8-4B4D7D48201B@cloudflare.com> <4239f287-9a96-4700-ac32-8583ca451115@www.fastmail.com> <a469cd36-dcae-4d15-8b7b-a86071ea6d3d@www.fastmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/Uc8RM5jCfv-JSdtAeopGovH3zXI>
Subject: Re: [Privacy-pass] Updated WG charter text
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 10:48:16 -0000

Thanks all for the feedback! I’ve pushed updated wording to the GitHub PR (https://github.com/alxdavids/privacy-pass-ietf/pull/12/commits/e987d2ba60fa7b0ba986a65c29214ce893d7b667) and also added it at the bottom of this email. I’ve inlined some responses to the specific points explaining the changes below.

> On 23 Apr 2020, at 17:52, Christopher Wood <caw@heapingbits.net> wrote:
> 
> On Wed, Apr 22, 2020, at 5:32 PM, Martin Thomson wrote:
>>> First, specify an extensible protocol for creating and redeeming
>>> anonymous and transferrable tokens. The protocol should permit suitable
>>> cryptographic ciphersuites and security parameterization for
>>> cryptographic agility. Negotiation of cryptographic parameters is an
>>> application-specific property and thus out of scope for the Working
>>> Group. Specification of the underlying cryptographic algorithms or
>> 
>> This bit about choosing parameters seems to be in tension with the 
>> previous sentence.  One of the problems with a system like this is 
>> coordinating algorithm changes.  I think that we need a plan, not a big 
>> punt.
> 
> I'm thinking about this more like the DoH effort, which focused first and foremost on the protocol itself and punted other concerns such as discovery and whatnot. 

Due to the restrictions on key material updates for client privacy, the ciphersuite is determined explicitly by the key that the server is currently using. Moreover, the supported ciphersuites should be specified by the underlying cryptographic protocol that is being used. Therefore, I think the choice of ciphersuite is a unilateral decision made by the server, and so the negotiation framework does not really belong to the protocol description.

>>> protocols is also out of scope. The Working Group will specify a
>>> preliminary set of extensions, including Issuer-supplied metadata and
>>> public verifiability, as well as any additional extensions that may
>> 
>> What does "public verifiability" mean here?
> 
> I think it means that someone beyond the party which issued the token (and holds the OPRF private key) can verify the authenticity of a token. As an example, blind signatures have this property. 

Yes, this is what we were alluding to. I’ve updated the wording to be more explicit on this.

> 
>>> 1. Describing use cases and interfaces that allow the protocol to be
>>> used for those use cases.
>>> 2. Defining the privacy goals for each Client during protocol execution,
>>> along with expectations placed on the Issuers and the ecosystem at
>>> large.
>>> 3. Describing parameterizations that control the Client privacy budget
>>> and Issuer security parameters.
>> 
>> What is a "privacy budget"?  To be clear, I think that I know, and my 
>> opinion is that it is not a good framing for this.  I also think that 
>> it is not a good reference model to use in general.

This makes sense, I’ve changed the wording to directly refer to the size of the client’s anonymity set, which is what we were implicitly referring to here and is also used elsewhere in the charter.

>>> 4. Describing verification mechanisms for sanctioning or trusting
>>> Issuers and their corresponding keying material.
>> 
>> Sanctioning implies punishment, which we can't write a protocol for.
> 
> That's a good point. Maybe we should just say, "Describing verification mechanisms for trusting Issuers and their corresponding keying material”?

Agree, incorporated this wording.

>> If this is about providing technical safeguards against the potential 
>> for issuers to abuse key management for a covert channel, then say that.
>> 
>>> 5. Describing where key material is stored and how it is accessed.
>> 
>> I don't think that we need this in a charter.

Removed this point.

>>> 6. Specifying mechanisms for ensuring that Issuers are not acting
>>> maliciously.
>> 
>> This seems a bit open-ended.  Will this extend to audits of their 
>> processes?  I don't think we have a protocol for that either.
> 
> Maybe we could refine this by specifying particular attacks we're concerned about, such as key tagging?

I removed this point as I think it is now covered by what is written in point 4. However, I mentioned specifically the attack surface that is being considered with the verification mechanisms that we will specify.

Thanks,
Alex

Updated Charter text
================

The Privacy Pass protocol provides a performant, application-layer
mechanism for anonymous token creation and redemption. Servers (Issuers)
create and later verify tokens that are redeemed by an ecosystem of
clients, such that:

- Any token granted by a given Issuer is unlinkable with all other
  tokens granted by the same Issuer.
- Clients can verify that a token granted by an Issuer corresponds to a
  committed keypair.
- Tokens are unforgeable.
- The token issuance and redemption mechanisms are efficient.

The primary purpose of the Privacy Pass Working Group is to develop and
standardize a protocol that meets these requirements, influenced by
applications that have arisen from the wider community. The aims of the
Working Group can be split into three distinct goals:

First, specify an extensible protocol for creating and redeeming
anonymous and transferrable tokens. The protocol should permit suitable
cryptographic ciphersuites and security parameterization for
cryptographic agility. Negotiation of cryptographic parameters during
the protocol is an application-specific property and thus out of scope
for the Working Group. Specification of the underlying cryptographic
algorithms or protocols is also out of scope. The Working Group will
specify a preliminary set of extensions, including Issuer-supplied
metadata and alternative cryptographic instantiations that support
public verifiability of Issued tokens, as well as any additional
extensions that may arise in the future. Security and privacy properties
of the protocol shall be well-documented.

Second, describe and develop protocol use cases and properties thereof.
This includes, though is not limited to:

1. Describing use cases and interfaces that allow the protocol to be
   used for those use cases.
2. Defining the privacy goals for each Client during protocol execution,
   along with expectations placed on the Issuers and the ecosystem at
   large.
3. Describing recommended parameterizations of variables associated with
   the protocol ecosystem that control the size of the anonymity set
   that the client belongs to.
4. Describing verification mechanisms for trusting Issuers and their
   corresponding keying material. Such mechanisms should prevent Issuers
   from presenting any key material that could be used to deanonymize
   clients.
5. Describing the procedure for including small amounts of metadata with
   Issued tokens, as well as the associated impacts on privacy.
6. Describing the risk and possible ramifications of Issuer
   centralization, and exploring possible mechanisms to mitigate these
   risks.

Third, and finally, specify a HTTP-layer API for the protocol. This
includes a common understanding of how Privacy Pass is integrated with
HTTP requests and responses for web-based applications.

Note that the specifications developed by this working group will be
informed by the following initial drafts:

- draft-davidson-pp-protocol-00;
- draft-davidson-pp-architecture-00;
- draft-svaldez-pp-http-api-00.

These existing drafts may be further developed into the core
deliverables of the working group, supplemented by any additional
extensions. Alternatively, they may contribute indirectly to a future
set of documents that meet the core goals of the working group.

v2.23.0 | Report a Bug | By Email