[Privacy-pass] Re: WGLC for Rate-Limited Token Issuance

Christopher Wood <caw@heapingbits.net> Wed, 26 June 2024 19:38 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1584CC14F6E1 for <privacy-pass@ietfa.amsl.com>; Wed, 26 Jun 2024 12:38:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b="NpMw7QKB"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Aezxoif4"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVRwyFSDf08U for <privacy-pass@ietfa.amsl.com>; Wed, 26 Jun 2024 12:38:08 -0700 (PDT)
Received: from fhigh8-smtp.messagingengine.com (fhigh8-smtp.messagingengine.com [103.168.172.159]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45060C14F615 for <privacy-pass@ietf.org>; Wed, 26 Jun 2024 12:38:08 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 8CC971140107; Wed, 26 Jun 2024 15:38:07 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Wed, 26 Jun 2024 15:38:07 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm2; t=1719430687; x= 1719517087; bh=TiGhPlNmkwoJHrBxn1ygEGCz1IpWCyNnI8A8udn69Dw=; b=N pMw7QKBpz4KNURsTacfdzkjUlH1/3aDPzLbp8DXvw9tVOQvlNVoi4RstXDZnRAWk O5lhHZc2QG5lsN+XLVP666sXNP1//TlRnONqEGWlf5dHgt0dbtMeqK6mV5OsTjTg jeX8w04/Na3I6uo7ECv1eKvJ9g70ccHjGyVi0phP3cf39xV8VS4UJxRDezAPm61i uydH+BnM/Ltue1hKLIDGrATr7IDBxzcG70m5cGXbTh1HnVP4m110qgbFH2xOFxBs kkSENxE4rJAJGcB45aSGtcY42W7B11RjCzSsz64AD61MBN4LheB4KkakERnx4Sri ZJbHVSY5uiMW3+LpIFuzw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1719430687; x=1719517087; bh=TiGhPlNmkwoJHrBxn1ygEGCz1IpW CyNnI8A8udn69Dw=; b=Aezxoif4N8uRHeixRpBFeWHseZkpmeMWontUmF55RYI4 53ifhZx9MbwNY/yzZPAbdYHWmSdJXj0SdPZEdNrUMyFxgkUJQLjEQjZAfdesVSTd CcnFKMCA94hGOVIas1xYd8b3m6UZ/pLtDPhm32hyziD2mc/vmsXJF6zu6eVh5JD+ 1B6oWoDYBW8MsGMZ5e5/A4ux/5HIs0WhWqrkltCPX7iPwKD6pmx6rE9B1lMaZI1R DD77VwlU6gHf9pmpUE+PTX4G4fKCfUkFF8FJDyokStFWudjVmYlm9+0w/39gY9tQ JZWQeicoLeIOJDeLqCl2jwl7JVsyH2TS4ATIx0ffiA==
X-ME-Sender: <xms:H258Zm14vbmp114Dkpdbpo6zVwEmdNkLWXDRzSWh8vmL1k5BIPXRNA> <xme:H258ZpFQUCLEyTUeS8tVgvzHniurugti0rAwhf3XCeeyKz75q1gjwgpRmQ_Cu8i7l J1YlO2ISSMcCnyY5hY>
X-ME-Received: <xmr:H258Zu7roL8G1E3WmkfQXiPrYAJXkeXOIa48A71bgXvonDFL9RWGSAzaH36WOWjT2xVxksFhJDeIXHOmlVMfSdQgXd_zKR1Ahw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrtddvgddugeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffktgggufffjgevvfhfofesrgdtmherhhdtjeenucfhrhhomhepvehhrhhi shhtohhphhgvrhcuhghoohguuceotggrfieshhgvrghpihhnghgsihhtshdrnhgvtheqne cuggftrfgrthhtvghrnhepheelveelieevjeejgeduteduieehkeeutdeuveekhfevjeet hfekkeekheevffejnecuffhomhgrihhnpehirggtrhdrohhrghenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghi thhsrdhnvght
X-ME-Proxy: <xmx:H258Zn20x1MRCFw5YcPbsW1t9p2JBI3mzU4m2f-Xa02C9D2TojLCTg> <xmx:H258ZpHrrx0cUD3PLOh1p6SUYPtszphRIVsluVN-aDonor4aGbx-Yg> <xmx:H258Zg8vHhofkZhJpWFZEBN_LmJCCaKNurX_aINZhefIwSZH3KS7ow> <xmx:H258ZukUkxOYcKk1xjkDj1KifDj3KDli3_0VdYGB4_b6AEkfoFCK1Q> <xmx:H258ZpDH8SAh7aJBPjG1vGL4KdR65Ydhh5wkSQZiMEcufY87mXdZHaM3>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 26 Jun 2024 15:38:07 -0400 (EDT)
From: Christopher Wood <caw@heapingbits.net>
Message-Id: <7A5B38E8-B7DF-4BF9-9D1D-EFBBC669328A@heapingbits.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_52621680-0574-49F5-925E-C6DB16B7ECEF"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Wed, 26 Jun 2024 15:37:56 -0400
In-Reply-To: <CACsn0cn7qXpsXnx5RB_qun62_LaCEJGr1+NYBq2Kt01bg8yxJw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
References: <SA1PR15MB4370846AC3E04AA70A0FE67DB3FC2@SA1PR15MB4370.namprd15.prod.outlook.com> <SA1PR15MB4370456540B1F05D1A17998EB3C82@SA1PR15MB4370.namprd15.prod.outlook.com> <CACsn0cn7qXpsXnx5RB_qun62_LaCEJGr1+NYBq2Kt01bg8yxJw@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
Message-ID-Hash: DNGS7KVC2JM4H6GLO3ZKFIVPSGSOCETM
X-Message-ID-Hash: DNGS7KVC2JM4H6GLO3ZKFIVPSGSOCETM
X-MailFrom: caw@heapingbits.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: WGLC for Rate-Limited Token Issuance
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/nHOp-99_Ew9nUeBze6mkhbCdQ3Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>

Hi Watson,

Please see inline below.

> On Jun 21, 2024, at 10:11 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> Dear Privacy pass participants,
> 
> I think this document unfortunately complicates the privacy and
> centralization story. Origins must pick Issuers they trust, but the
> client's privacy in the Origin  vis a vis the Attester depends on the
> number of Origins that trust the Issuer. Attesters also need to be
> trusted as they ultimately enforce the limits. This is in tension with
> non-collusion requirements. There's some text here on that, but I'd
> like a better understanding of why this is realistic, probably because
> of some emails rather than more text.

This is true, but not a new trust assumption for Privacy Pass. I’m also not sure what you mean by this being in tension with non-collusion requirements. Where is the tension?

> Section 7 I had to puzzle over: it was not clear to me for a while how
> the attestor learns sk_blind.  It's also not clear to me what F is
> supposed to be in that section, or what security properties this dance
> is supposed to have. F doesn't appear to be defined anywhere. In fact
> after digging into this some more I'm confused. This seems like the
> sort of thing where we need a clear statement of the properties being
> looked for to have security, and unwinding the Key Blinding ID
> references I don't think the properties are the ones analyzed by the
> Tor proposal. There's some messiness around the wrapping of it, which
> makes me wary. I think there's also assumptions about the commutivity
> of blinding and unblinding that require looking into the Key Blinding
> mechanism too much.

F is effectively a PRF, computed like an OPRF. It computes H(g^x, g^k) for client secret x and origin secret k. This is not quite the same as the 2HashDH OPRF, though we can certainly add more details and a proof (sketch) for why we believe this holds if that would be helpful.

> 
> I think Section 10 should also recommend client origin alias rotation intervals.
> 
> Minor nit: in 5.1.1 I think "Attester will enforce if" should be
> "Attester will decide if"
> 
> HTTP nit: I don't understand why headers are being used for some of
> the per-request information conveyances vs adding to the data
> structures in play.
> 
> The timing is a little unfortunate: we've been able to put together an
> approach that gets a lot of the desirata for more features across
> privacy pass applications with one token type, and will write it up
> before IETF 120, but it would be some time before we could get it to
> WGLC state. We can do real rate limits with client privacy, not just
> the pseudonym approach from earlier.

It’s great to see that there are alternative proposals! Fortunately, we don’t need to choose one or the other. In fact, we opted to downgrade this specification to experimental on the basis that there might be different ways to solve the problem with a more palatable set of tradeoffs. However, we feel as though the protocol is fine to ship as-is (document edits notwithstanding), given implementation interop that’s been achieved and the complementary security analysis [1,2] on its constituent parts.

[1] https://eprint.iacr.org/2023/1805.pdf
[2] https://eprint.iacr.org/2023/380.pdf

> I think this document needs some revision and more analysis: I don't
> think its ready to proceed, mainly because of Section 7.

As above, we can add this analysis for section 7 if the WG believes that’s essential.

Best,
Chris