IETF Logo Mail Archive

Re: [Privacy-pass] Issuer directory representation (#369)

Tommy Pauly <tpauly@apple.com> Mon, 12 June 2023 19:43 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D3BC13AE3A for <privacy-pass@ietfa.amsl.com>; Mon, 12 Jun 2023 12:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q43u7PsOcCzY for <privacy-pass@ietfa.amsl.com>; Mon, 12 Jun 2023 12:43:50 -0700 (PDT)
Received: from ma-mailsvcp-mx-lapp03.apple.com (ma-mailsvcp-mx-lapp03.apple.com [17.32.222.24]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DD7BC13AE37 for <privacy-pass@ietf.org>; Mon, 12 Jun 2023 12:43:50 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma-mailsvcp-mx-lapp03.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RW500KO1O4POK20@ma-mailsvcp-mx-lapp03.apple.com> for privacy-pass@ietf.org; Mon, 12 Jun 2023 12:43:49 -0700 (PDT)
X-Proofpoint-ORIG-GUID: fkZ-633Zqm79t0lkkjTl_EtcaK3NVWHs
X-Proofpoint-GUID: fkZ-633Zqm79t0lkkjTl_EtcaK3NVWHs
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.942 definitions=2023-05-10_04:2023-05-05, 2023-05-10 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 suspectscore=0 bulkscore=0 mlxscore=0 mlxlogscore=999 phishscore=0 malwarescore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305100145
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=4AoG0ei6BXGun2oB2aZb0nu9YrPobov8rGg2kz3PjTE=; b=VkSxo4/8w3laxHrSZYW7bB7HpcU5S+V9lCaFORJ2nc3mtFMplL8AOOpem83bx6DIkS4Z N/MM2pSM2ZICz+vgE1rVW8Rf1Jw0MXn5ueGNHjBwfpt6VFFznRDBFynMQkprI1orw/7l /019BqchUfzp89kcxo/ZLVhv1cY6NayYrxebQDeVCFxWI6B9i//PZ08GKiOowDBM1EZj t2jNmgV5F5MKHcy2FRtHN5vuZBbF6O6K+d0kaa1uDcrJykrCJhJyA6KCplsY0ci1Woe9 pR7D25D4Oo0/ltInbnRoywNOSwy1OEinKJukn8ub1Vvbuo3EyXBHnCNdgynEsJpUGtlE gw==
Received: from rn-mailsvcp-policy-lapp01.rno.apple.com (rn-mailsvcp-policy-lapp01.rno.apple.com [17.179.253.18]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RW500S6TO4YEKN0@rn-mailsvcp-mta-lapp03.rno.apple.com>; Mon, 12 Jun 2023 12:43:46 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-policy-lapp01.rno.apple.com by rn-mailsvcp-policy-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0RW500200O03ZR00@rn-mailsvcp-policy-lapp01.rno.apple.com>; Mon, 12 Jun 2023 12:43:46 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 3f89ee02da3560bb76835ea28c99d9d8
X-Va-E-CD: c29734ee15cdc01e7cb901b41f6fe6ac
X-Va-R-CD: 2a172c508489116061067424f24478ab
X-Va-ID: e900abc3-6bbd-4f78-a7f7-9a1bf3e07410
X-Va-CD: 0
X-V-A:
X-V-T-CD: 3f89ee02da3560bb76835ea28c99d9d8
X-V-E-CD: c29734ee15cdc01e7cb901b41f6fe6ac
X-V-R-CD: 2a172c508489116061067424f24478ab
X-V-ID: fc5dca2f-145c-4768-9790-4401822af325
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.957 definitions=2023-06-12_14:2023-06-12, 2023-06-12 signatures=0
Received: from smtpclient.apple ([17.11.79.49]) by rn-mailsvcp-policy-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0RW500H2NO4WYH10@rn-mailsvcp-policy-lapp01.rno.apple.com>; Mon, 12 Jun 2023 12:43:46 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <D8E127DF-17C0-45CE-9EA8-6A5C5CDCBBDC@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_521582D3-68E4-4B74-8AFC-374D01C9402D"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3762.100.4.1.11\))
Date: Mon, 12 Jun 2023 12:43:34 -0700
In-reply-to: <CAL12FVHpudbPcrn7Lrw=Nc_NJmOkt-+DtuZgnNF8kTv4_M3Smg@mail.gmail.com>
Cc: Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org>, privacy-pass@ietf.org
To: Colin Bendell <colin@bendell.ca>, Christopher Wood <caw@heapingbits.net>
References: <fa636aa2-d988-42b2-ad9c-fe0fb25bc960@app.fastmail.com> <CA+AE54cshctSyXsdPkNxcRk3Tn-WPRNzwnSsMvKiqouSdYe9+w@mail.gmail.com> <CAL12FVFPfKp-dC1NCrXmn0wMO2qnLBtW3wuwz2fMirWR-UKA_w@mail.gmail.com> <CAL12FVGR1G_D=3v0jXATD2bfFreYfR8GN9HAtzH0J2t_-ukeXQ@mail.gmail.com> <B408DBD5-983A-4B53-A98D-872499073615@apple.com> <CAL12FVHpudbPcrn7Lrw=Nc_NJmOkt-+DtuZgnNF8kTv4_M3Smg@mail.gmail.com>
X-Mailer: Apple Mail (2.3762.100.4.1.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/nQTUrIOA-rAAq4DFv4f0k88mvtA>
Subject: Re: [Privacy-pass] Issuer directory representation (#369)
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jun 2023 19:43:54 -0000


> On Jun 11, 2023, at 7:30 PM, Colin Bendell <colin@bendell.ca> wrote:
> 
> 
> 
> On Fri, 9 Jun 2023 at 23:15, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
>>> On Jun 9, 2023, at 1:14 PM, Colin Bendell <colin@bendell.ca <mailto:colin@bendell.ca>> wrote:
>>> For reference, I have a few examples using the publicly available keys.
>>> 
>>> Here is cloudflare's demo issuery directory:
>>> * https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
>>> And the same in jwks format (nb: I've set "kid" to the "truncated_token_key_id" value instead of preserving "version")
>>> * https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
>> I believe this link should be this, right?
>> https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.jwks.json
> 
> Yes. thanks for finding the correct link.
>  
>> Overall, while I’m not opposed to JWK being defined at some point, I don’t think it simplifies things for privacy pass, and this proposal is missing key pieces of information like the token type, and isn’t consistent with the formats clients would commonly see in HTTP auth challenges. Defining JWK formats in a new document where the details of how they should work and what clients might benefit from them — sure! Removing definitions for the simple JSON format — not so much.
> 
> The one thing that strikes me is if you look at even the cloudflare implementation, they have had to add all the standard kinds of things like 'version' and 'not-before'. While I agree that there are specific nuances that are unique for privacy-pass, it feels like all the other standard mechanics of key rotation would benefit from aligning to a common standard. There are many additional features I assume implementers will eventually also require (including: not-after, not-before, version, priority, revocation uri, cache policy, etc).
> 
> I proposed JWK because it has browser support in webcrypto. I wonder if there are other standards that have flushed these nuances out more completely?
> 
> At the very least Privacy Pass should define some of these common fields because as it stands the 'not-before' field is currently implementation specific. Is it in epoch seconds? milliseconds? Is it like PST and measured in microseconds? (madness!)

The document suggests that lifetime be controlled with the standard cache-control headers from HTTP. 

I’m not entirely sure on why the cloudflare dictionary includes the extra keys, or who is parsing them out — Chris can you comment on why those are there?

That said, I’d prefer to define more standard keys there than switch to a format that doesn’t have items like the token type.


>  
>> A couple comments inline below:
>>> On Fri, 9 Jun 2023 at 16:13, Colin Bendell <colin@bendell.ca <mailto:colin@bendell.ca>> wrote:
>>>> The argument for JWK is that it reduces the sprawl of directory syntaxes and allows the devs to lean on pre-existing tooling and documentation. JWKS does have extensibility built into the RFC to be adapted for this purpose.
>>>> 
>>>> The main advantages for using JWKS are:
>>>> 1. we don't need to introduce a new iana for algorithm types. issuer-type=2 is the same as alg="PS384". This will further allow for future expansion and key selection
>> 
>> Having JWK for the issuer dictionary would not mean we don’t need token type — token type is not just a cryptographic algorithm, it defines the issuance protocol. Type 2 and type 3 have the same format for the resulting token, but different properties throughout issuance.
>> 
>> Thus, a JWK format would need to also be paired with token types.
> 
> This is a good point. Right now EC/P384 and RSA/PS384 are convenient short hands for type 1 and type 2, As you say, it might not always be the case - particularly if the Type's are used as a stand-in for rfc versions where type=4 is the vNext of what is type=2 today. (I'm assuming that type won't include minor versions)
>  
>>>> 
>>>> 2. adopting a consistent standard leverages existing dev and infra tools around the jwk and jwks ecosystem. Particularly for key store loading, rotating and management. This is particularly important if aligning Private-State-Tokens is a goal of Privacy Pass. With PST, the UA is expected to consume these public key stores.
>> 
>> I think that aligning with Privacy Pass standards should be a goal of proposals like private state tokens. But clients already can directly consume public keys with existing deployments of privacy pass, and that doesn’t seem to be a burden. Also, privacy pass communicates keys in HTTP challenges, which are in the format that’s in the issuer dictionary, not a JWK.
> 
> To be fair, it's not a burden today only because there are only 2 issuers that are in use in production environments. And the issuer directory isn't available for one of them. 

That’s not quite true — there were two highlighted when iOS first added support last year, but several others are running now in large scale.

Tommy

> 
> If PST aligns with this spec, we should expect multiple orders of magnitude increase in the number of valid issuers and origins+clients that are consuming them. 
> 
> /colin
>  
>> 
>> Tommy
>> 
>>>> 
>>>> 3. Since it uses the expanded form, and not DER encoded, it sidesteps some of the awkwardness of the dev ecosystem for RSASSA-PSS. Most of the RSASSA-PSS implementations are spotty which is why WebCrypto has dropped support [1]. Converting between RSASSA-PSS and RSA is a bit messy [2] in the DER encoded form, it's much more straightforward with the JWK since the modulus and exponent are already expanded.
>>>> 
>>>> 4. The syntax for JWK already has extensions to pre-calculate the token-key-id (see: "x5t#S256" [3]). This is an optimization that can be done server side or on origin startup, having it available in a materialized form has some convenience advantages.
>>>> 
>>>> There are disadvantages as well, which are worth expanding:
>>>> 1. The syntax is terse. it does take a special decoder ring to decipher the fields. Likewise, the fields are in expanded form instead of encapsulating in DER format. (This is done so that you can very quickly sanitize a JWK and remove the secret key fields without having to re-encode.)
>>>> 
>>>> 2. We would still need to define the iana values to expand JWKS for fields like 'issuer-request-uri" or "issuer-name" (for PST), etc. Other fields that are already common in the public issuer identifiers [4], like 'not-before' and 'version' do have corrolories in JWKS.
>>>> 
>>>> 3. While convenient to have the components of the key in expanded form, we still need to convert it to the DER encoded form for the purposes of Privacy-Pass - specifically for token-key and token-key-id fields.
>>>> 
>>>> [1] https://github.com/w3c/webcrypto/pull/325
>>>> [2] https://github.com/colinbendell/private-access-token/blob/main/src/utils.js#L382-L395
>>>> [3] https://datatracker.ietf.org/doc/html/rfc7517#section-4.9
>>>> [4] https://demo-pat.issuer.cloudflare.com/.well-known/token-issuer-directory
>>>> 
>>>> On Fri, 9 Jun 2023 at 06:28, Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org <mailto:40intuitionmachines.com@dmarc.ietf.org>> wrote:
>>>>> I do not see a benefit to adopting JWKs at this stage. As you say, they are somewhat complex for the PP use case.
>>>>> 
>>>>> Eli
>>>>> 
>>>>> On Thu, Jun 8, 2023 at 5:30 PM Christopher Wood <caw@heapingbits.net <mailto:caw@heapingbits.net>> wrote:
>>>>>> Colin filed #369 [1] to discuss the current representation we are currently using for issuer directories. Basically, Privacy Pass chose to introduce a new representation that bears resemblance to that which is used in Private State Tokens [2] and is already specified in JSON Web Key Sets [3]. We should sort out what to do with this discrepancy.
>>>>>> 
>>>>>> Speaking for myself, neither a JWK or JWT expert, I think we should stick with what's currently in the draft because (1) all formats seem mostly isomorphic and (2) JWKS are, to my knowledge, meant primarily for JWTs. Moreover, the way that keys are represented seems unnecessarily complex. Why do we need to specify any of the "kty", "alg", or "kid" parameters when they can be inferred from the token type and public key?
>>>>>> 
>>>>>> Note that this is primarily relevant for origins that consume the directory and use it for the purposes of challenging clients, but it may in the future become relevant for clients that want to consume this resource for consistency checking purposes.
>>>>>> 
>>>>>> What do others think?
>>>>>> 
>>>>>> Best,
>>>>>> Chris
>>>>>> 
>>>>>> [1] https://github.com/ietf-wg-privacypass/base-drafts/issues/369
>>>>>> [2] https://github.com/WICG/trust-token-api/blob/main/ISSUER_PROTOCOL.md
>>>>>> [3] https://datatracker.ietf.org/doc/html/rfc7517
>>>>>> 
>>>>>> -- 
>>>>>> Privacy-pass mailing list
>>>>>> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>>>> -- 
>>>>> Privacy-pass mailing list
>>>>> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>> -- 
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>> 
>>

v2.23.0 | Report a Bug | By Email