IETF Logo Mail Archive

Re: [Privacy-pass] Issuer directory representation (#369)

Tommy Pauly <tpauly@apple.com> Sat, 10 June 2023 03:16 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B754C14EB19 for <privacy-pass@ietfa.amsl.com>; Fri, 9 Jun 2023 20:16:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QnYT6qP7XQSQ for <privacy-pass@ietfa.amsl.com>; Fri, 9 Jun 2023 20:15:58 -0700 (PDT)
Received: from ma-mailsvcp-mx-lapp01.apple.com (ma-mailsvcp-mx-lapp01.apple.com [17.32.222.22]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC681C151B2E for <privacy-pass@ietf.org>; Fri, 9 Jun 2023 20:15:57 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma-mailsvcp-mx-lapp01.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RW000G8BP2KZ700@ma-mailsvcp-mx-lapp01.apple.com> for privacy-pass@ietf.org; Fri, 09 Jun 2023 20:15:57 -0700 (PDT)
X-Proofpoint-ORIG-GUID: NACWy1o65eiEcl5HhP3Ip_qnFpg2eRhz
X-Proofpoint-GUID: NACWy1o65eiEcl5HhP3Ip_qnFpg2eRhz
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.957 definitions=2023-06-09_18:2023-06-09, 2023-06-09 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 bulkscore=0 phishscore=0 adultscore=0 mlxlogscore=999 mlxscore=0 spamscore=0 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2305260000 definitions=main-2306100026
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=NcBTuOzlQ/J6etFxvaq/Sd5NucoA7Jnj/u148YzcFmo=; b=kEkN50bgb5YAbXkg4spUh67LOjBvUvauVr2OgK0PC//R8kTxqAjnluYBOTt6eNyPE75V /Z4vq4tkll1h03BB7G6PO+Chadplmc3ElMXWSKdnjcdNLuXHTVh5EbVt2hNuDW460E+3 WtmsVUGJsf3NnVDJP50kEBCjqoCicdl7MWuYdIXZk7Y1gyBZ3DcPHsM+G+Zsj8z3Rc7e dfc6Ir77DkmwnnmQx4DJkH3a0J2d7LKH/f2T6RCf2s0Tq97EKd/969rrnt5UG08550VF YBTWBY+3KCk4z31JuZyB7PVoNrhhO7ElzIIPkN/j/FjKxnl1xWt4cJvj8f3FbXVJz2yC 5w==
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RW000N01P2JPV00@rn-mailsvcp-mta-lapp03.rno.apple.com>; Fri, 09 Jun 2023 20:15:56 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0RW000200OSZRN00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Fri, 09 Jun 2023 20:15:55 -0700 (PDT)
X-Va-A:
X-Va-T-CD: c9d324edc716231ddacf479473678aac
X-Va-E-CD: c29734ee15cdc01e7cb901b41f6fe6ac
X-Va-R-CD: 2a172c508489116061067424f24478ab
X-Va-ID: e1dcb6d0-d980-45ed-a142-d594b0f9e3a1
X-Va-CD: 0
X-V-A:
X-V-T-CD: c9d324edc716231ddacf479473678aac
X-V-E-CD: c29734ee15cdc01e7cb901b41f6fe6ac
X-V-R-CD: 2a172c508489116061067424f24478ab
X-V-ID: 20c93d8d-f97d-42b3-9949-1c524197f58a
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.957 definitions=2023-06-09_18:2023-06-09, 2023-06-09 signatures=0
Received: from smtpclient.apple ([17.11.221.29]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0RW0011BMP2IBG00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Fri, 09 Jun 2023 20:15:55 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <B408DBD5-983A-4B53-A98D-872499073615@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_E5B8C5E4-0C0A-4253-B3CE-228147FC40BD"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3762.100.4.1.11\))
Date: Fri, 09 Jun 2023 20:15:44 -0700
In-reply-to: <CAL12FVGR1G_D=3v0jXATD2bfFreYfR8GN9HAtzH0J2t_-ukeXQ@mail.gmail.com>
Cc: Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, privacy-pass@ietf.org
To: Colin Bendell <colin@bendell.ca>
References: <fa636aa2-d988-42b2-ad9c-fe0fb25bc960@app.fastmail.com> <CA+AE54cshctSyXsdPkNxcRk3Tn-WPRNzwnSsMvKiqouSdYe9+w@mail.gmail.com> <CAL12FVFPfKp-dC1NCrXmn0wMO2qnLBtW3wuwz2fMirWR-UKA_w@mail.gmail.com> <CAL12FVGR1G_D=3v0jXATD2bfFreYfR8GN9HAtzH0J2t_-ukeXQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3762.100.4.1.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/ynT-FoE2s5ozDb0KPi-VmXGT5BA>
Subject: Re: [Privacy-pass] Issuer directory representation (#369)
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2023 03:16:02 -0000


> On Jun 9, 2023, at 1:14 PM, Colin Bendell <colin@bendell.ca> wrote:
> 
> For reference, I have a few examples using the publicly available keys.
> 
> Here is cloudflare's demo issuery directory:
> * https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json
> 
> And the same in jwks format (nb: I've set "kid" to the "truncated_token_key_id" value instead of preserving "version")
> * https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.json

I believe this link should be this, right?

https://github.com/colinbendell/private-access-token/blob/main/demo-pat.issuer.cloudflare.com.jwks.json

Overall, while I’m not opposed to JWK being defined at some point, I don’t think it simplifies things for privacy pass, and this proposal is missing key pieces of information like the token type, and isn’t consistent with the formats clients would commonly see in HTTP auth challenges. Defining JWK formats in a new document where the details of how they should work and what clients might benefit from them — sure! Removing definitions for the simple JSON format — not so much.

A couple comments inline below:

> 
> You can find others in the repo as well.
> 
> On Fri, 9 Jun 2023 at 16:13, Colin Bendell <colin@bendell.ca <mailto:colin@bendell.ca>> wrote:
>> The argument for JWK is that it reduces the sprawl of directory syntaxes and allows the devs to lean on pre-existing tooling and documentation. JWKS does have extensibility built into the RFC to be adapted for this purpose.
>> 
>> The main advantages for using JWKS are:
>> 1. we don't need to introduce a new iana for algorithm types. issuer-type=2 is the same as alg="PS384". This will further allow for future expansion and key selection

Having JWK for the issuer dictionary would not mean we don’t need token type — token type is not just a cryptographic algorithm, it defines the issuance protocol. Type 2 and type 3 have the same format for the resulting token, but different properties throughout issuance.

Thus, a JWK format would need to also be paired with token types.

>> 
>> 2. adopting a consistent standard leverages existing dev and infra tools around the jwk and jwks ecosystem. Particularly for key store loading, rotating and management. This is particularly important if aligning Private-State-Tokens is a goal of Privacy Pass. With PST, the UA is expected to consume these public key stores.

I think that aligning with Privacy Pass standards should be a goal of proposals like private state tokens. But clients already can directly consume public keys with existing deployments of privacy pass, and that doesn’t seem to be a burden. Also, privacy pass communicates keys in HTTP challenges, which are in the format that’s in the issuer dictionary, not a JWK.

Tommy

>> 
>> 3. Since it uses the expanded form, and not DER encoded, it sidesteps some of the awkwardness of the dev ecosystem for RSASSA-PSS. Most of the RSASSA-PSS implementations are spotty which is why WebCrypto has dropped support [1]. Converting between RSASSA-PSS and RSA is a bit messy [2] in the DER encoded form, it's much more straightforward with the JWK since the modulus and exponent are already expanded.
>> 
>> 4. The syntax for JWK already has extensions to pre-calculate the token-key-id (see: "x5t#S256" [3]). This is an optimization that can be done server side or on origin startup, having it available in a materialized form has some convenience advantages.
>> 
>> There are disadvantages as well, which are worth expanding:
>> 1. The syntax is terse. it does take a special decoder ring to decipher the fields. Likewise, the fields are in expanded form instead of encapsulating in DER format. (This is done so that you can very quickly sanitize a JWK and remove the secret key fields without having to re-encode.)
>> 
>> 2. We would still need to define the iana values to expand JWKS for fields like 'issuer-request-uri" or "issuer-name" (for PST), etc. Other fields that are already common in the public issuer identifiers [4], like 'not-before' and 'version' do have corrolories in JWKS.
>> 
>> 3. While convenient to have the components of the key in expanded form, we still need to convert it to the DER encoded form for the purposes of Privacy-Pass - specifically for token-key and token-key-id fields.
>> 
>> [1] https://github.com/w3c/webcrypto/pull/325
>> [2] https://github.com/colinbendell/private-access-token/blob/main/src/utils.js#L382-L395
>> [3] https://datatracker.ietf.org/doc/html/rfc7517#section-4.9
>> [4] https://demo-pat.issuer.cloudflare.com/.well-known/token-issuer-directory
>> 
>> On Fri, 9 Jun 2023 at 06:28, Eli-Shaoul Khedouri <eli=40intuitionmachines.com@dmarc.ietf.org <mailto:40intuitionmachines.com@dmarc.ietf.org>> wrote:
>>> I do not see a benefit to adopting JWKs at this stage. As you say, they are somewhat complex for the PP use case.
>>> 
>>> Eli
>>> 
>>> On Thu, Jun 8, 2023 at 5:30 PM Christopher Wood <caw@heapingbits.net <mailto:caw@heapingbits.net>> wrote:
>>>> Colin filed #369 [1] to discuss the current representation we are currently using for issuer directories. Basically, Privacy Pass chose to introduce a new representation that bears resemblance to that which is used in Private State Tokens [2] and is already specified in JSON Web Key Sets [3]. We should sort out what to do with this discrepancy.
>>>> 
>>>> Speaking for myself, neither a JWK or JWT expert, I think we should stick with what's currently in the draft because (1) all formats seem mostly isomorphic and (2) JWKS are, to my knowledge, meant primarily for JWTs. Moreover, the way that keys are represented seems unnecessarily complex. Why do we need to specify any of the "kty", "alg", or "kid" parameters when they can be inferred from the token type and public key?
>>>> 
>>>> Note that this is primarily relevant for origins that consume the directory and use it for the purposes of challenging clients, but it may in the future become relevant for clients that want to consume this resource for consistency checking purposes.
>>>> 
>>>> What do others think?
>>>> 
>>>> Best,
>>>> Chris
>>>> 
>>>> [1] https://github.com/ietf-wg-privacypass/base-drafts/issues/369
>>>> [2] https://github.com/WICG/trust-token-api/blob/main/ISSUER_PROTOCOL.md
>>>> [3] https://datatracker.ietf.org/doc/html/rfc7517
>>>> 
>>>> -- 
>>>> Privacy-pass mailing list
>>>> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>> -- 
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
> -- 
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass

v2.23.0 | Report a Bug | By Email