IETF Logo Mail Archive

Re: [Privacy-pass] Issuer directory representation (#369)

Christopher Wood <caw@heapingbits.net> Tue, 13 June 2023 16:13 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5370DC151095 for <privacy-pass@ietfa.amsl.com>; Tue, 13 Jun 2023 09:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b="no0tjeZo"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Tn9g0g+d"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nFsKlQ8RLP5r for <privacy-pass@ietfa.amsl.com>; Tue, 13 Jun 2023 09:13:52 -0700 (PDT)
Received: from wnew1-smtp.messagingengine.com (wnew1-smtp.messagingengine.com [64.147.123.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 376C1C14CE55 for <privacy-pass@ietf.org>; Tue, 13 Jun 2023 09:13:52 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailnew.west.internal (Postfix) with ESMTP id 00F422B00082; Tue, 13 Jun 2023 12:13:16 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 13 Jun 2023 12:13:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to; s=fm2; t=1686672795; x=1686679995; bh=fyH3pJyJFXyrf9O4V+tUPDptS JuPJvd3VXyxxUTV5cw=; b=no0tjeZomapHzUA+9flzP+tUF9rJ3vxM/s5hmDMdd dr6ElWfHRdouBoVYyheh/y7mAodDPjwuIpqu3Iar7p4LGdGL4HYgskrsBW6CCEYS nGBy1+/JptA4KJ/asGdSq9z/7eKLryZKf76Pn+Yu62GKOhQ0XR5MrgOptAIrGn/M wj6HrzYnoGDT4ZkVCu3J0EEfDAKZ0Rt0DQeT9YduP3FP7S046jzXmCkZ77VAuHjc /r/FLrkkEYmmxwRrRr3mSC8w2arO42K9NpZQd2hdTriNbu20Uz2BlmH+e86bkkA9 cooEyRd6HzOJxEjkIDHckvnGDM5oeQUO1oW4lL4wvEHKA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1686672795; x=1686679995; bh=fyH3pJyJFXyrf9O4V+tUPDptSJuPJvd3VXy xxUTV5cw=; b=Tn9g0g+dIr8kC9BZGUtcoWiGe0LEd7ytB1kKplPGBooR9pf+TJj Gdf+ZAwQ7uJ6M1PbGFuhnT/1cgBndk7bO+3j2RC/grhph4TY0P50m4b+QLbOigzU TikqJo22kLsal/hxZAtDOHSJ77FN7YLMp3z6uvzgRZwZ0ZGH5l6a+32LKiPw7PiS vgJGW30Jf/UZmU+1QuYpay/0NdqP1QU8zZNU8YbNXXmSfCcJ4A3YFqRbkzrnlkxL zHlhti0hBcieGjKtRAjVweRc2dY2AJ1RJ57YC1Etm/aZAMkU00fmTARJ8BuzXmFm 2gnX6PwbbzLwP9JXF2dn1Hf3Et9MZgz1/Sw==
X-ME-Sender: <xms:m5WIZIv4yCMNaVj6TuOzX8xkT0FZiQbEphn7oIm-n6TgbSu-yQCX7w> <xme:m5WIZFfR-L1yCqGOkRR8t1o_Uw4QgtVQkuRAUcgtyb5syAGqbakHm2KcXMcUz5mKs wazCej8uscexv1n578>
X-ME-Received: <xmr:m5WIZDykmdTvQ74F8SE1yDXou9gH_rNMV5fP8Smebpv2XywC5TgqNMPCyN8wOdl-eaAWTGBVf1Gya9hjKHNxJw4BmDzjJloZxK3qwxit-669HqsRvOI2zg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrgedujedgleehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne govfgvgihtqfhnlhihqddqufhprghmsghothdqkgegvdehqddtheculdeftddtmdenucfj ughrpegtggfuhfgjffevgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepvehhrhhish htohhphhgvrhcuhghoohguuceotggrfieshhgvrghpihhnghgsihhtshdrnhgvtheqnecu ggftrfgrthhtvghrnhepjeekhefgvdfhffeiteduteegvddvtdfgieeiffevhfettdetie fgjeeufefhjeefnecuffhomhgrihhnpehgihhthhhusgdrtghomhdphhhtthhprdhimhdp ihgvthhfrdhorhhgpdgtlhhouhgufhhlrghrvgdrtghomhdpihhsshhuvghrphhrohhtoh gtohhlrdhmugenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhr ohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:m5WIZLNBLEMzYOln_SsSn6s7OdzMIDXdFxDv2Ny4kGNd6oK_kCji1w> <xmx:m5WIZI-PJmSegTi-fpdvH03vscVLM8I28y4AS1-AIrXiZkhvX5XoXg> <xmx:m5WIZDU2ICQ7usyg_CUSEtx6Wu6MhVP09X7l1RSrXfq2Wm8rIxAmcg> <xmx:m5WIZKJfmClf5IMrM5RRzqwd-xFwnDUUfqUY_0g-5LPqI_INOlRqk74FQaU>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 13 Jun 2023 12:13:15 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <D8E127DF-17C0-45CE-9EA8-6A5C5CDCBBDC@apple.com>
Date: Tue, 13 Jun 2023 12:13:13 -0400
Cc: Colin Bendell <colin@bendell.ca>, Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org>, privacy-pass@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <32407E4B-C75C-454E-AAAF-AE20AD09BFC4@heapingbits.net>
References: <fa636aa2-d988-42b2-ad9c-fe0fb25bc960@app.fastmail.com> <CA+AE54cshctSyXsdPkNxcRk3Tn-WPRNzwnSsMvKiqouSdYe9+w@mail.gmail.com> <CAL12FVFPfKp-dC1NCrXmn0wMO2qnLBtW3wuwz2fMirWR-UKA_w@mail.gmail.com> <CAL12FVGR1G_D=3v0jXATD2bfFreYfR8GN9HAtzH0J2t_-ukeXQ@mail.gmail.com> <B408DBD5-983A-4B53-A98D-872499073615@apple.com> <CAL12FVHpudbPcrn7Lrw=Nc_NJmOkt-+DtuZgnNF8kTv4_M3Smg@mail.gmail.com> <D8E127DF-17C0-45CE-9EA8-6A5C5CDCBBDC@apple.com>
To: Tommy Pauly <tpauly@apple.com>
X-Mailer: Apple Mail (2.3696.120.41.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/vrhCH9cR2Ru1wUd6WJ5MC45lPqM>
Subject: Re: [Privacy-pass] Issuer directory representation (#369)
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2023 16:13:57 -0000

> On Jun 12, 2023, at 3:43 PM, Tommy Pauly <tpauly@apple.com> wrote:
> 
> 
> 
>> On Jun 11, 2023, at 7:30 PM, Colin Bendell <colin@bendell.ca> wrote:
>> 
>> 
>> 
>> On Fri, 9 Jun 2023 at 23:15, Tommy Pauly <tpauly@apple.com> wrote:
>>> On Jun 9, 2023, at 1:14 PM, Colin Bendell <colin@bendell.ca> wrote:
>>> For reference, I have a few examples using the publicly available keys.
>>> 
>>> Here is cloudflare's demo issuery directory:
>>> * https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
>>> And the same in jwks format (nb: I've set "kid" to the "truncated_token_key_id" value instead of preserving "version")
>>> * https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
>> I believe this link should be this, right?
>> https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.jwks.json
>> 
>> Yes. thanks for finding the correct link.
>>  
>> Overall, while I’m not opposed to JWK being defined at some point, I don’t think it simplifies things for privacy pass, and this proposal is missing key pieces of information like the token type, and isn’t consistent with the formats clients would commonly see in HTTP auth challenges. Defining JWK formats in a new document where the details of how they should work and what clients might benefit from them — sure! Removing definitions for the simple JSON format — not so much.
>> 
>> The one thing that strikes me is if you look at even the cloudflare implementation, they have had to add all the standard kinds of things like 'version' and 'not-before'. While I agree that there are specific nuances that are unique for privacy-pass, it feels like all the other standard mechanics of key rotation would benefit from aligning to a common standard. There are many additional features I assume implementers will eventually also require (including: not-after, not-before, version, priority, revocation uri, cache policy, etc).
>> 
>> I proposed JWK because it has browser support in webcrypto. I wonder if there are other standards that have flushed these nuances out more completely?
>> 
>> At the very least Privacy Pass should define some of these common fields because as it stands the 'not-before' field is currently implementation specific. Is it in epoch seconds? milliseconds? Is it like PST and measured in microseconds? (madness!)
> 
> The document suggests that lifetime be controlled with the standard cache-control headers from HTTP.
> 
> I’m not entirely sure on why the cloudflare dictionary includes the extra keys, or who is parsing them out — Chris can you comment on why those are there?

They’re specific to our deployment. Specifically, our origin uses them for key rotation purposes. These could be standardized, but since these are intentionally extensible objects they can be extended as needed for specific use cases. We might consider normalizing these types of parameters as part of the consistency work, since key rotation is highly relevant to key consistency mechanisms. In other words, I continue to think we should stick with what we have now and then either extend the existing format as needed for consistency or related purposes, or propose different representations (JWKS or whatever) for the directory as needed or desired for implementations. Would that work?

Best,
Chris

> That said, I’d prefer to define more standard keys there than switch to a format that doesn’t have items like the token type.
> 
> 
>>  
>> A couple comments inline below:
>>> On Fri, 9 Jun 2023 at 16:13, Colin Bendell <colin@bendell.ca> wrote:
>>> The argument for JWK is that it reduces the sprawl of directory syntaxes and allows the devs to lean on pre-existing tooling and documentation. JWKS does have extensibility built into the RFC to be adapted for this purpose.
>>> 
>>> The main advantages for using JWKS are:
>>> 1. we don't need to introduce a new iana for algorithm types. issuer-type=2 is the same as alg="PS384". This will further allow for future expansion and key selection
>> 
>> Having JWK for the issuer dictionary would not mean we don’t need token type — token type is not just a cryptographic algorithm, it defines the issuance protocol. Type 2 and type 3 have the same format for the resulting token, but different properties throughout issuance.
>> 
>> Thus, a JWK format would need to also be paired with token types.
>> 
>> This is a good point. Right now EC/P384 and RSA/PS384 are convenient short hands for type 1 and type 2, As you say, it might not always be the case - particularly if the Type's are used as a stand-in for rfc versions where type=4 is the vNext of what is type=2 today. (I'm assuming that type won't include minor versions)
>>  
>>> 
>>> 2. adopting a consistent standard leverages existing dev and infra tools around the jwk and jwks ecosystem. Particularly for key store loading, rotating and management. This is particularly important if aligning Private-State-Tokens is a goal of Privacy Pass. With PST, the UA is expected to consume these public key stores.
>> 
>> I think that aligning with Privacy Pass standards should be a goal of proposals like private state tokens. But clients already can directly consume public keys with existing deployments of privacy pass, and that doesn’t seem to be a burden. Also, privacy pass communicates keys in HTTP challenges, which are in the format that’s in the issuer dictionary, not a JWK.
>> 
>> To be fair, it's not a burden today only because there are only 2 issuers that are in use in production environments. And the issuer directory isn't available for one of them. 
> 
> That’s not quite true — there were two highlighted when iOS first added support last year, but several others are running now in large scale.
> 
> Tommy
> 
>> 
>> If PST aligns with this spec, we should expect multiple orders of magnitude increase in the number of valid issuers and origins+clients that are consuming them. 
>> 
>> /colin
>>  
>> 
>> Tommy
>> 
>>> 
>>> 3. Since it uses the expanded form, and not DER encoded, it sidesteps some of the awkwardness of the dev ecosystem for RSASSA-PSS. Most of the RSASSA-PSS implementations are spotty which is why WebCrypto has dropped support [1]. Converting between RSASSA-PSS and RSA is a bit messy [2] in the DER encoded form, it's much more straightforward with the JWK since the modulus and exponent are already expanded.
>>> 
>>> 4. The syntax for JWK already has extensions to pre-calculate the token-key-id (see: "x5t#S256" [3]). This is an optimization that can be done server side or on origin startup, having it available in a materialized form has some convenience advantages.
>>> 
>>> There are disadvantages as well, which are worth expanding:
>>> 1. The syntax is terse. it does take a special decoder ring to decipher the fields. Likewise, the fields are in expanded form instead of encapsulating in DER format. (This is done so that you can very quickly sanitize a JWK and remove the secret key fields without having to re-encode.)
>>> 
>>> 2. We would still need to define the iana values to expand JWKS for fields like 'issuer-request-uri" or "issuer-name" (for PST), etc. Other fields that are already common in the public issuer identifiers [4], like 'not-before' and 'version' do have corrolories in JWKS.
>>> 
>>> 3. While convenient to have the components of the key in expanded form, we still need to convert it to the DER encoded form for the purposes of Privacy-Pass - specifically for token-key and token-key-id fields.
>>> 
>>> [1] https://github.com/w3c/webcrypto/pull/325
>>> [2] https://github.com/colinbendell/private-access-token/blob/main/src/utils.js#L382-L395
>>> [3] https://datatracker.ietf.org/doc/html/rfc7517#section-4.9
>>> [4] https://demo-pat.issuer.cloudflare.com/.well-known/token-issuer-directory
>>> 
>>> On Fri, 9 Jun 2023 at 06:28, Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org> wrote:
>>> I do not see a benefit to adopting JWKs at this stage. As you say, they are somewhat complex for the PP use case.
>>> 
>>> Eli
>>> 
>>> On Thu, Jun 8, 2023 at 5:30 PM Christopher Wood <caw@heapingbits.net> wrote:
>>> Colin filed #369 [1] to discuss the current representation we are currently using for issuer directories. Basically, Privacy Pass chose to introduce a new representation that bears resemblance to that which is used in Private State Tokens [2] and is already specified in JSON Web Key Sets [3]. We should sort out what to do with this discrepancy.
>>> 
>>> Speaking for myself, neither a JWK or JWT expert, I think we should stick with what's currently in the draft because (1) all formats seem mostly isomorphic and (2) JWKS are, to my knowledge, meant primarily for JWTs. Moreover, the way that keys are represented seems unnecessarily complex. Why do we need to specify any of the "kty", "alg", or "kid" parameters when they can be inferred from the token type and public key?
>>> 
>>> Note that this is primarily relevant for origins that consume the directory and use it for the purposes of challenging clients, but it may in the future become relevant for clients that want to consume this resource for consistency checking purposes.
>>> 
>>> What do others think?
>>> 
>>> Best,
>>> Chris
>>> 
>>> [1] https://github.com/ietf-wg-privacypass/base-drafts/issues/369
>>> [2] https://github.com/WICG/trust-token-api/blob/main/ISSUER_PROTOCOL.md
>>> [3] https://datatracker.ietf.org/doc/html/rfc7517
>>> 
>>> -- 
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>> -- 
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>> -- 
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass

v2.23.0 | Report a Bug | By Email