[Privacy-pass] Secdir last call review of draft-ietf-privacypass-protocol-12

Alexey Melnikov via Datatracker <noreply@ietf.org> Tue, 29 August 2023 09:26 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alexey Melnikov via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-privacypass-protocol.all@ietf.org, last-call@ietf.org, privacy-pass@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <169330119669.65226.17314389461019454257@ietfa.amsl.com>
Reply-To: Alexey Melnikov <aamelnikov@fastmail.fm>
Date: Tue, 29 Aug 2023 02:26:36 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/xz1uxQtAzlBLxXhpcq1BjecnfEY>
Subject: [Privacy-pass] Secdir last call review of draft-ietf-privacypass-protocol-12

Reviewer: Alexey Melnikov
Review result: Has Nits

Reviewer: Alexey Melnikov
Review result: Ready with nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written with the intent of improving
security requirements and considerations in IETF drafts. Comments
not addressed in last call may be included in AD reviews during the
IESG review. Document editors and WG chairs should treat these
comments just like any other last call comments.

The Privacy Pass protocol provides a privacy-preserving authorization
mechanism.  In essence, the protocol allows clients to provide
cryptographic tokens that prove nothing other than that they have
been created by a given server in the past
<https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture>.

This document describes the issuance protocol for Privacy Pass built
on HTTP.  It specifies two variants: one that is privately
verifiable using the issuance private key based on the oblivious
pseudorandom function from <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21>,
and one that is publicly verifiable using the issuance public key based on
the blind RSA signature scheme
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14>.

The document is well written and easy to understand. It relies on properties
of underlying mechanisms (OPRF/Blind RSA) and also references the PrivacyPass Architecture
draft. So assuming these properties hold there are no extra security or privacy
concerns to discuss in this document.

Nits:

Section 7 (Security considerations) says:
   In particular, Section 4 and
   Section 5 of [ARCHITECTURE] discuss relevant privacy considerations.

Do you really mean section 4 and 5?
In the Architecture document I see:

   4.  Deployment Models
   5.  Deployment Considerations
   6.  Privacy Considerations

So at least the reference to Section 6 seems to be missing.

In Sections 8.3.1-8.3.3 the media type registration template field
"Applications that use this media type" has the value "N/A".
This field should be describing intended use of these media types,
even if there is none at the moment. This field is intended to help
implementors decide whether or not they need to support a particular
media type, so having it as "N/A" is unhelpful.

[Privacy-pass] Secdir last call review of draft-i… Alexey Melnikov via Datatracker