[Privacy-pass] Re: WGLC for Rate-Limited Token Issuance

Christopher Wood <caw@heapingbits.net> Sat, 29 June 2024 10:35 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1EBC14F6F2 for <privacy-pass@ietfa.amsl.com>; Sat, 29 Jun 2024 03:35:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b="uEjJJVYD"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="f90lbK9D"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIpFgg-8ukjz for <privacy-pass@ietfa.amsl.com>; Sat, 29 Jun 2024 03:35:53 -0700 (PDT)
Received: from fhigh7-smtp.messagingengine.com (fhigh7-smtp.messagingengine.com [103.168.172.158]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06A1EC14F5EE for <privacy-pass@ietf.org>; Sat, 29 Jun 2024 03:35:53 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 546161140268; Sat, 29 Jun 2024 06:35:52 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sat, 29 Jun 2024 06:35:52 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm2; t=1719657352; x= 1719743752; bh=PoY/t+bP7eALdjlJJ20abonLQvDYoPo0TsbbEtdreto=; b=u EjJJVYDYHaP9OllByKHUGmVtineJroIDGf+oOn8+6IJhgEXyBLzAbIwvplEqAgLX mgr7VGQKXgFmqdIy3QZecHUQiTnBkcwkgpEgi/0sWeiNUZyNCcRKSP8Bwta480U1 uNKNhlk30VDOA9rK0Ql3XFnpZBGBQr2ygKFGdTxaaHMogWLosxFARxWa93PMoKn4 8OZyckZ8Gog2tEkCtqnghBP/PbT8PCgu8/km7+6zDX0s9gXAH8SdfWdqSZAcF+UZ MBd5wXlUVO/gUMLfnvPM19e1KOXGzgieAXnCbvtbdrBuYrwIVbd0W3LR8soRttXu BEwCPcG3ZxL45zDN4lslg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1719657352; x=1719743752; bh=PoY/t+bP7eALdjlJJ20abonLQvDY oPo0TsbbEtdreto=; b=f90lbK9DjTH29+3UuwLhL2F2kg1TbehtdttJKrdjr8nh IzR0hclSSYOV2d/yTytzro3hOGmkR+/eelxSrTScHvYhIDWPqY1wE5YYwHRHxT1m eIzIEtsWJA8N/A7C487BpQFFOg7nLW/KmqR0m/CJKL1wa5iL2w7FHt5Nhi5ClGWm f1i6RKsqlNWQ+vhpcjUlMGjmZQJqimwuCZK8T+/g+1CeUSILqmF2OYq3FvmEtMmI vMNaIafMSVzwUuK2X4nJ3IxSRWqgl2Y06+OF93fGAU72r6TLiLjUprlaP1nMZS35 pdJfRLQH/pYZIMVLJ0pgNBRdQq2tqe4jJlbrdKrfAg==
X-ME-Sender: <xms:iON_Zkk6Dj-kcQe1OeO_UzPuUvxUvqlyZEBrXNxvivfCBQLMQaHorg> <xme:iON_Zj2DrvLwqYI-AF9chQ3leijRqfimZKBQO4Xwv42bom2JGL_8AODPTD2w108mq MlD_YUlrzviB5vRbmw>
X-ME-Received: <xmr:iON_ZioH0_c9W_r3qzEzwC-647Nz4YodZ0bnK9Fk0l-qNlXUWBvll82HmzYvaR_rfGO6GA-U_AMQifQoxS3qYHTajqovXAs263uL8a77p2SupYO6>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrtdelgdefudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhkfgtggfuffgjvefvfhfosegrtdhmrehhtdejnecuhfhrohhmpeevhhhrihhs thhophhhvghrucghohhougcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqeenuc ggtffrrghtthgvrhhnpeeggfehheffueelteffveevffelheevledvuddvfeelhfeiuddu geethfdtteduheenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhirggtrhdrohhrgh enucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgif sehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:iON_Zgk15WhJ9YIslK1uVjF0wrF8YmQewxq5DNTbWRu-9A5KXYjk4Q> <xmx:iON_Zi1vzYX_tqXCzkjxyEGpYzEZXeUKDuBfGMUP5Nen3FvkoPDahw> <xmx:iON_ZntgvY7AuGQ-86gSLH9HGqO0SiD-MzxTg5WacgYofpm40qdxZQ> <xmx:iON_ZuUnUvmE1IU2N9qMXS1Owg9o0FnzZbdju9S4nc_M07XmgWv45Q> <xmx:iON_Znw6xUFwyzAX7bITymxqKN_v-OqvKtGG0vYV4lJhg7NikynEB-Zm>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 29 Jun 2024 06:35:51 -0400 (EDT)
From: Christopher Wood <caw@heapingbits.net>
Message-Id: <4A2114F0-7F01-4418-8EDF-A69F30702192@heapingbits.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_29CBFB1F-F5F0-4C5C-8B12-F36F43341773"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Sat, 29 Jun 2024 06:35:41 -0400
In-Reply-To: <CACsn0cnSxOHimn=CKPL5phj5YkAszg1bxD_h4665vJxRZXwsew@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
References: <SA1PR15MB4370846AC3E04AA70A0FE67DB3FC2@SA1PR15MB4370.namprd15.prod.outlook.com> <SA1PR15MB4370456540B1F05D1A17998EB3C82@SA1PR15MB4370.namprd15.prod.outlook.com> <CACsn0cn7qXpsXnx5RB_qun62_LaCEJGr1+NYBq2Kt01bg8yxJw@mail.gmail.com> <7A5B38E8-B7DF-4BF9-9D1D-EFBBC669328A@heapingbits.net> <CACsn0cnSxOHimn=CKPL5phj5YkAszg1bxD_h4665vJxRZXwsew@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
Message-ID-Hash: SWQ3MDUF5M2SCEOSMRY6QHONZYUXKMBU
X-Message-ID-Hash: SWQ3MDUF5M2SCEOSMRY6QHONZYUXKMBU
X-MailFrom: caw@heapingbits.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: WGLC for Rate-Limited Token Issuance
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/tfpGcIZRiaVIkHFxQvKoTmiNzMA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>

> On Jun 26, 2024, at 7:52 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> 
> 
> On Wed, Jun 26, 2024 at 12:38 PM Christopher Wood <caw@heapingbits.net <mailto:caw@heapingbits.net>> wrote:
>> Hi Watson,
>> 
>> Please see inline below.
>> 
>>> On Jun 21, 2024, at 10:11 PM, Watson Ladd <watsonbladd@gmail.com <mailto:watsonbladd@gmail.com>> wrote:
>>> 
>>> Dear Privacy pass participants,
>>> 
>>> I think this document unfortunately complicates the privacy and
>>> centralization story. Origins must pick Issuers they trust, but the
>>> client's privacy in the Origin  vis a vis the Attester depends on the
>>> number of Origins that trust the Issuer. Attesters also need to be
>>> trusted as they ultimately enforce the limits. This is in tension with
>>> non-collusion requirements. There's some text here on that, but I'd
>>> like a better understanding of why this is realistic, probably because
>>> of some emails rather than more text.
>> 
>> This is true, but not a new trust assumption for Privacy Pass. I’m also not sure what you mean by this being in tension with non-collusion requirements. Where is the tension?
> 
> If I understand correctly, the Attester needs to be instructed by the Origin what the rate limits are, and the Issuer needs to maintain state based on the volume of requests from the Origin.

Both of these are incorrect (and point to things we should clarify in the document!). The Origin tells the Issuer what the rate limit is out-of-band, and the Issuer relays this to the Attester during the issuance flow. The Issuer is stateless. The Attester keeps state for enforcing rate limits across all (client, origin) tuples. I filed this issue <https://github.com/ietf-wg-privacypass/draft-ietf-privacypass-rate-limit-tokens/issues/32> to track clarifying these points.

> Both the Issuer and Attester know why they are incurring these costs and who benefits, and need some way to pay for it. He who pays the piper calls the tune. In the baseline privacy pass protocol privacy exists even when Origin, Issuer, Attester are the same. This isn't new, it's been discussed in RFC 9576, but I think that the more the origin needs to interact with both parties, and the less observable collusive behavior is the harder it is to justify actual separateness.

Agreed, which is why I feel this protocol isn’t meant for web use cases. It would take a lot of work to make it scale and has been pointed out it’s not clear that can be done safely. I filed this issue <https://github.com/ietf-wg-privacypass/draft-ietf-privacypass-rate-limit-tokens/issues/33> to track documenting the protocol’s limitations.

> 
>> 
>>> Section 7 I had to puzzle over: it was not clear to me for a while how
>>> the attestor learns sk_blind.  It's also not clear to me what F is
>>> supposed to be in that section, or what security properties this dance
>>> is supposed to have. F doesn't appear to be defined anywhere. In fact
>>> after digging into this some more I'm confused. This seems like the
>>> sort of thing where we need a clear statement of the properties being
>>> looked for to have security, and unwinding the Key Blinding ID
>>> references I don't think the properties are the ones analyzed by the
>>> Tor proposal. There's some messiness around the wrapping of it, which
>>> makes me wary. I think there's also assumptions about the commutivity
>>> of blinding and unblinding that require looking into the Key Blinding
>>> mechanism too much.
>> 
>> F is effectively a PRF, computed like an OPRF. It computes H(g^x, g^k) for client secret x and origin secret k. This is not quite the same as the 2HashDH OPRF, though we can certainly add more details and a proof (sketch) for why we believe this holds if that would be helpful.
>> 
>>> 
>>> I think Section 10 should also recommend client origin alias rotation intervals.
>>> 
>>> Minor nit: in 5.1.1 I think "Attester will enforce if" should be
>>> "Attester will decide if"
>>> 
>>> HTTP nit: I don't understand why headers are being used for some of
>>> the per-request information conveyances vs adding to the data
>>> structures in play.
>>> 
>>> The timing is a little unfortunate: we've been able to put together an
>>> approach that gets a lot of the desirata for more features across
>>> privacy pass applications with one token type, and will write it up
>>> before IETF 120, but it would be some time before we could get it to
>>> WGLC state. We can do real rate limits with client privacy, not just
>>> the pseudonym approach from earlier.
>> 
>> It’s great to see that there are alternative proposals! Fortunately, we don’t need to choose one or the other. In fact, we opted to downgrade this specification to experimental on the basis that there might be different ways to solve the problem with a more palatable set of tradeoffs. However, we feel as though the protocol is fine to ship as-is (document edits notwithstanding), given implementation interop that’s been achieved and the complementary security analysis [1,2] on its constituent parts.
>> 
>> [1] https://eprint.iacr.org/2023/1805.pdf
>> [2] https://eprint.iacr.org/2023/380.pdf
>> 
>>> I think this document needs some revision and more analysis: I don't
>>> think its ready to proceed, mainly because of Section 7.
>> 
>> As above, we can add this analysis for section 7 if the WG believes that’s essential.
> 
> I'll let other people weigh in: I personally think it would help as right now section 7 is pretty confusing. But once that's cleared up I think it's ready.

Sounds good. Would you be willing to review PRs that clarify section 7? I filed this issue <https://github.com/ietf-wg-privacypass/draft-ietf-privacypass-rate-limit-tokens/issues/34> to track section 7 improvements.

Best,
Chris